Keep Your Website from Getting Hacked

If you own or manage a website, security should always be uppermost in your mind. The internet has become the playground of hackers and cyber-criminals. Every website (regardless of content) can be a potential target.

Website owners often make the mistake of believing that their sites offer no real temptation to hackers, but nothing could be further from the truth.

It’s a mistake to assume that hackers are only out to steal financial information and user passwords. Oftentimes, websites are breached so that hackers can create temporary web servers, using them to disseminate spam and viruses without the owner’s knowledge.

This not only compromises the site itself, but puts the site’s visitors at risk.

With hackers intent on finding, and exploiting, known software security issues, it is the responsibility of all website owners and administrators to take proactive steps to secure their sites against possible intrusion.

The following tips should help site owners and managers proactively address their website’s security, keeping them free from intrusion and safe for visitors and clients.

Complex Passwords

Effective website security begins with the assignment and use of strong passwords for both administrators and on-site staff. While this may seem an obvious security tip, it is one that bears repeating.

While most of us recognize the importance of strong passwords, just as many of us are guilty of failing to utilize them to their full potential. The use of complex passwords is critical to the security of any website’s admin area and server integrity.

Another key component of online security is requiring passwords for a website’s regular visitors, and using them to more fully ensure the security of customer accounts.

Ideally, these passwords should be stored as hashed values, to minimize the risk of decryption should a site’s database be breached.

At the very least, all passwords should be encrypted using the latest industry standards to protect both the site and its visitors.

Software Updates and Patches

A common tactic among hackers is using automated scripts to find and exploit a website’s security deficiencies.

To compound the issue, word spreads quickly through the hacker community, and once a vulnerability is discovered in a website’s operational software hackers of every stripe will seek to exploit it.

Software updates that are pushed out by programmers and developers are meant to keep ahead of the hacker curve, fixing bugs and vulnerabilities before they can become widely exploited by cyber-criminals.

Regular software updates are critical to the security of any website, and should always be at the forefront of site maintenance. Web managers using third party software should pay particular attention to updates and security patches, installing them promptly upon release.

Website’s running under a managed hosting solution should be regularly updated by the hosting service, but it is still the responsibility of the site owner and manager to ensure that software updates are applied in a timely and effective manner.

Never just assume that your site is up to date, double check with the hosting service provider.

Themes and Plugins

With the advent of user friendly content management systems, it’s easier than ever to create and launch an enterprise class website.

To extend the performance and flexibility of these sites developers have all but flooded the market with themes and plugins designed to deliver a more desirable user experience.

However, it is important to be careful when installing any theme or plugin, and to only use those produced by reputable developers.

Hackers have been known to seed plugins with exploitable code or malicious content. Research any plugins you are considering, and read the industry reviews, before installing.

Limit Login Attempts

Hackers have been known to breach sites through brute force, using a standard login form to gain access to a user’s account.

Installing a simple plugin that limits the number of login attempts from a specific IP address can help to reduce this risk. Too many failed attempts and the hacker is locked out of the system.

Of course, you don’t want to lockout regular users, and the majority of these plugins allow for a simple error message that contains prompts to help the user remember their login information.

Again, it’s important to tread carefully here, and to be circumspect with the prompts you use. Too much information in a login error message can tip a smart hacker off, and allow them to crack the user’s login info.

  • Blocking Brute Force Attacks: this short tutorial discusses the use of brute force attacks in hacking a website, and the steps webmasters can take to reduce that risk by limiting login attempts and creating hacker-proof error messages.

File Uploads

Allowing users to upload files to a website has become a fairly common practice, but it does pose a definite security risk.

While allowing users to upload documents and photos helps to create a more interactive website, it also opens the door to hackers.

Cyber-criminals can use the opportunity to upload files that contain viruses and malware.

To protect your site against attacks via file uploads you should place strict limits on the types of files allowed, and utilize client or server side validation techniques to ensure that only approve file forms are accepted.

Effective antivirus software should also be in place to scan all files as they are uploaded to the site.

SSL Security Certificates

SSL (Secure Sockets Layer) is a popular security protocol that establishes an encrypted connection between a web server and a client.

This ensures that all data passed between a given website and its server or database remains protected from man-in-the-middle attacks.

SSL certification has quickly become an industry standard, and is critical to sites that routinely handle sensitive data.

Protecting a Website’s Directories

A website’s directory files can be used by hackers to spot, and exploit, vulnerabilities in a site’s underlying code or structure.

To reduce the risk it is important to restrict access to those directory files. This can be accomplished in two ways, either be disabling access to the site’s directories or requiring password authentication before they can be accessed.

Most CMS platforms allow web managers to disable their site’s directories by simply adding a line of code to the .htaccess file. If the site’s directories must be available to certain users, password protecting those directories is always recommended.

Using Security Plugins

While websites built on WordPress and other popular content management systems provide a basic level of security, they can all benefit from the use of specific security plugins.

Typically these plugins will be bundled with a firewall and will scan user posts and uploads for viruses and malware, blocking them when appropriate.

The more full-featured plugins will also scan the website’s core, theme and plugins for malicious code, and will create a log of attempted brute force attacks on the site.

Reviewing Site Logs

A large part of avoiding hackers is understanding your website’s performance and traffic history.

Regularly reviewing the site’s logs allows webmasters to track their website’s traffic and ranking history.

Unusual traffic or rankings may indicate that a site has been compromised, which can give webmasters the opportunity to address the issue before any damage can be done.

Keeping Regular Backups

Backing up a website to the cloud may not deter hackers and cyber-criminals, but it does provide a course of action should a site become compromised.

Any amount of downtime can seriously impact a website’s ranking, authority, and revenue stream.

By making and keeping regular backups it becomes easier to restore a website should it be breached or infected with malicious code, allowing websites to recover more quickly and completely from an attack.

General Advice

A large part of keeping a website secure is being knowledgeable about new and emerging security threats.

In addition to the tips outlined here, it is important for all webmasters and website owners to keep up to date on security concerns, and to take what steps they can to keep their sites safe and compliant with the latest security features.

The following articles and tutorials should help to give web managers a deeper insight into website security.

Conclusion

While it may never be possible to totally eliminate all of the online threats posed by hackers and cyber-criminals, it is possible to significantly reduce those risks by taking proactive steps to keep your site, your data, and your visitors safe.

Website security is the primary responsibility of all website owners, and it should be uppermost in the minds of all web managers and IT professionals.

A secure website not only protects the site and its visitors, it also projects the trust and authority necessary to establish a successful and long lasting internet presence.


Further Reading and Resources

We have more guides, tutorials, and infogragphics related to website development and management:

Ultimate Guide to Web Hosting

Check out our Ultimate Guide to Web Hosting.

It will explain everything you need to know in order to make an informed choice.

WhoIsHostingThis Team

About WhoIsHostingThis Team

Our writing team comes from all over the world with diverse backgrounds in the arts and sciences. But what links them is their passion for the internet. All together they represent many decades of experience working in all facets of it -- from programming and hardware creation to website design and marketing.