Sadly, we live in an age where security really is a very fragile and temporary thing. Especially on the Internet. Today’s mindset of most tech companies is “when rather than if” when it comes to being a victim of a breach. The same should be valid for pretty much any website.
The vast majority of websites aren’t that big. Their teams often consist of a few people, if that. Most of them focus only on the content, and their technical knowledge is limited. So, they often neglect or simply don’t pay any attention to security. And today security is even a factor in search engine ranking.
Luckily, it’s not that difficult to protect your website. Even some basic tips can go a long way in deterring most hackers as they usually prefer the quicker and easier route. So, here are a few tips on how to improve the security of your website.
Keeping everything on your website updated is very important. It’s kind of obvious, but many people still postpone or neglect updates. Sometimes it’s understandable. Some updates bring in a lot of unwanted changes (WordPress Gutenberg, anyone?), but web admins have to battle through them.
Also, don’t forget plug-ins, additional modules and so on. If you run your own server, you have to make sure the server side is also taken care of and is updated on a regular basis as well.
Don’t neglect strong passwords
This is the most repeated advice in the world of IT. Yet, even today, people continue to use the most basic passwords possible (e.g. 12345678) and on more than one account.
So, use different and strong passwords for your site admin accounts, the cPanel account, the server admin and so on. It’s a bit of a chore, yes, but way too many breaches continue to happen because of weak passwords. A password manager could help you in this process.
Don’t use the default settings
This is especially important for most CMS apps. Usually they are designed for quick and easy set-up and usage. Their default settings are often very permissive security-wise in order to make sure there will be as few issues as possible during the set-up.
Once you’re up and running, though, take some time to go through all of the settings and change them to better suit your needs and preferences. For example, close the user uploads feature if your site won’t need it, etc.
SSL is vital
Today SSL is quite important for any website. Not only because it makes it more secure, but also because search engines like Google put it on their priority list of SEO features. Decent security means better search ranking. Adding SSL these days is very easy and cheap (often even free).
Add security plugins
If you’re not an advanced coder and don’t really know what SQL injection or XSS attacks mean, don’t worry. Most popular CMS platforms, WordPress for example, support additional easy-to-install plugins. And there are tens of thousands of plugins, many of which are free and offer various features. Some of them help you add an extra layer of security to your site. Here are some popular security plugins:
Security plugins for WordPress:
- iThemes Security
- Bulletproof Security
Security options for Magento:
- IP Security
- Watchlog Pro
Security extensions for Joomla:
- Centrora Security
- Brute Force Stop
- Antivirus Website Protection
You can also add two-factor authentication with an additional plugin. For example, Google Authenticator would work great. It’s easy, free and adds a nice layer of extra security to the admin panel. It works with WordPress, Joomla, Magento and a whole lot of other platforms.
Limit access to vulnerable pages
If you use a static IP, you can limit access to some pages, like the admin panel, to just your IP. For this you can add a rule to your .htaccess file:
    <Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from xx.xx.xx.xx
    </Files>
Here wp-login.php can be replaced with another file or directory, and the “Allow from” line is where your IP goes. You can add multiple IPs by adding new “Allow from” lines one below the other.
Some cPanel features also allow you to add an additional password layer to certain files or folders. There are plenty of options; you just need to set a couple of hours aside to explore them and see which work for you. It’s well worth doing.
Another great way is to use a Limit Login Attempts plugin. This can block and lock IPs and usernames after a certain number of failed login attempts. It’s an easy way to stop brute force attacks and ease the strain on your server.
Your computer is at risk, too
You could have a top-notch secured site, but if you access it from a vulnerable device, all that security won’t do much good. Hackers could easily side-step most of the security features and either get remote access to the site via the vulnerable device or simply get the username and password for it.
So, make sure you also keep your devices updated and secured. This way you can be a bit more relaxed. Of course, keeping regular backups is also a must, just in case.