Protecting Your Website – Site Security 101
A few hours before writing this, I spoke to a colleague who was having a really bad day. His server had been compromised, and all of the websites that were hosted on the server were no longer accessible from the internet. He had around 40 sites, both his own sites and sites he was hosting for his clients. He was panicking and was working with the hosting company to try to repair the damage and get the sites online, as he was fielding angry phone calls from his clients demanding to know why their sites were down.
After spending the whole day on the issue, he was eventually able to get all the sites to work again. But watching him go through this situation reminded me about the importance of protecting websites from external threats on the web. As this situation is not unique and happens so often to site owners, I thought that a quick Intro article to web security would be a good thing to write about.
How big does a website need to be before you have to worry about securing it? This is actually a trick question, as all websites are vulnerable to attacks by hackers and spammers. Once a site is connected to the internet, there are any number of ways it can be compromised. So what can you do to protect your website from attacks?
There are several things site owners should be doing to make sure there are no obvious holes in their site's security and to protect themselves should a site become compromised. I will run through some of the basic protections which should be used on EVERY site, and then discuss some more advanced protections which should be implemented for various larger sites, as well as the situations which merit enhanced security.
All sites should include the following protections:
Take Regular Backups:
This seems like a no-brainer, but I am constantly surprised at how many site owners do not take regular backups of their websites. I have had to create several sites from scratch because the site was completely erased from the server and the previous developer never bothered to install a way to back up the site and did not maintain an offline copy of it. There are tons of ways to back up your site.
Many hosting companies offer a service to take backups of your site or your server, which is worth considering. I typically use Akeeba Backup for Joomla sites and BackupBuddy for WordPress sites. With regular backups, even if everything is erased from your server you can still restore your site to the same state it was in when the backup was taken. There is no downside to taking backups.
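As an added example of the "regular backups" advice (not code from the original post or from either backup product named above), here is a small POSIX shell script that archives a site's web root, verifies the archive reads back, writes a checksum, and keeps only the newest N copies. It assumes the site and backup directories are passed as arguments, that the backup directory lives on a different disk or host than the web root, and it leaves the database dump out so it runs anywhere.

```shell
#!/bin/sh
# Added example: file-level site backup with verification and retention.
# Assumption: SITE_DIR is the web root (e.g. /var/www/example) and
# BACKUP_DIR is storage the web server cannot overwrite or delete.

# backup_site SITE_DIR BACKUP_DIR -> prints the archive path, returns 1 on failure
backup_site() {
    site_dir="$1"
    backup_dir="$2"
    [ -d "$site_dir" ] || { echo "no such site dir: $site_dir" >&2; return 1; }
    mkdir -p "$backup_dir" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$backup_dir/site-$stamp.tar.gz"
    n=0
    # Never overwrite an earlier archive taken in the same second
    while [ -e "$archive" ]; do
        n=$((n + 1))
        archive="$backup_dir/site-$stamp-$n.tar.gz"
    done
    # -C parent so paths are relative; restore with: tar -xzf ARCHIVE -C /var/www
    tar -czf "$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")" || return 1
    # A backup that has never been read back is not a backup: verify it lists cleanly
    if ! tar -tzf "$archive" >/dev/null 2>&1; then
        echo "archive unreadable, discarding: $archive" >&2
        rm -f "$archive"
        return 1
    fi
    # Checksum lets you detect tampering or bit rot before you need the restore
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$archive" > "$archive.sha256"
    fi
    echo "$archive"
}

# prune_backups BACKUP_DIR KEEP -> delete all but the newest KEEP archives
prune_backups() {
    backup_dir="$1"
    keep="$2"
    ls -1t "$backup_dir"/site-*.tar.gz 2>/dev/null | tail -n +"$((keep + 1))" |
    while read -r old; do
        rm -f "$old" "$old.sha256"
    done
}

# count_backups BACKUP_DIR -> number of archives currently retained
count_backups() {
    ls -1 "$1"/site-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}
```

Run it from cron and copy the backup directory off the server; a backup stored only on the compromised host goes down with the host.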
Stay Up to Date:
Core CMS, themes and plugins for your website are updated often, and these updates are not just cosmetic in nature. Many of them are updates which fix security holes which can be or have been exploited by hackers. By not applying these updates, you are leaving your site wide open to attack.
Also, removing any plugins you are not using from your site is a smart thing to do. The more points of entry you have on your site, the easier it will be for hackers to gain access. Having extra plugins and files on your site will also make the job of tracing the point of entry of an attack that much harder, as you have more files which could have been used to hack your site.
Use Strong Passwords:
Proper management of passwords is not high on a site owner's priority list until they already have a problem. Weak passwords and commonly used passwords are still in use at so many businesses, despite the number of articles and warnings published over the years about the dangers of weak and common passwords. All passwords on your site should: be 8 or more characters long, be case sensitive, have one or more capital letters, contain both letters and numbers, and be changed regularly.
Manage User Accounts:
User management is easy to do, if someone thinks of doing it. When a person with access to your site is fired or quits, you have to remember to revoke all access permissions for that user. Ex-employees with an axe to grind can publish your login information, make changes to your site, or install software designed to exploit your business or your clients. Also, it is never a good idea to let staff share the same username and password. This makes problems harder to trace and removes any accountability for staff should any illicit activity be discovered.
By following the simple best practices outlined above, you can greatly reduce the risk of your site falling victim to hacking, and protect yourself should the worst happen. It is a scary world online, and if you are not doing anything to protect your site, you will have no one but yourself to blame should you have to suffer the consequences of having your data deleted, or suddenly find your site is advertising Chinese pharmaceuticals.
Images from Pixabay used under Creative Commons CC 0