Of course, prevention is better than cure and with a little bit of common sense and vigilance website owners can do a lot to protect themselves from being hacked.
In this post we will discuss 7 key points to keeping your site secure.
1) Back up your site.
Obvious, right? We all know we should back up our data, but like so many things, when everything is running smoothly, backups get forgotten, and we only wish we had done them when something goes wrong. Everyone should have a clear backup and recovery strategy for their computers, and websites should not be exempt. If you are not sure what your backup policy is, ask your web developer or hosting company. Don’t wait to find out when you need to use it! You may also consider taking your own backups of the files and documents on your website.
Whatever your strategy is, make sure that you are covered. In the event of a hack, the first thing any hosting company or developer will want is a backup of the site from before it was hacked.
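As an added example, not code from the original post, here is a small POSIX shell script that takes a backup of a site's files and then proves the archive actually restores, which is the step most people skip. It assumes the site's files (and any database dump) sit in a single directory and that tar and sha256sum are available.

```shell
#!/bin/sh
# Added example, not code from the original post: archive a site's files,
# record a checksum, and prove that the archive restores cleanly.
# Assumes the site's files live in one directory; a database dump (for
# example from mysqldump) should be written into that directory first.
set -eu

backup_site() {
    site_dir=$1; dest_dir=$2
    archive="$dest_dir/site-$(date +%Y%m%d-%H%M%S).tar.gz"
    mkdir -p "$dest_dir"
    # Archive relative to the parent directory so paths inside stay portable.
    tar -czf "$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
    # A checksum lets you spot a corrupted or tampered archive before relying on it.
    ( cd "$dest_dir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    printf '%s\n' "$archive"
}

# A backup that has never been restored is only a hope: check the checksum,
# extract into a scratch directory and compare file by file with the live tree.
verify_backup() {
    archive=$1; site_dir=$2
    ( cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256" ) || return 1
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    if diff -r "$site_dir" "$scratch/$(basename "$site_dir")" >/dev/null; then ok=0; else ok=1; fi
    rm -rf "$scratch"
    return $ok
}

# Constructed sample site so the script runs stand-alone.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/site/uploads"
printf '<h1>hello</h1>\n' > "$demo_dir/site/index.html"
printf 'CREATE TABLE posts (id INT);\n' > "$demo_dir/site/db-dump.sql"
demo_archive=$(backup_site "$demo_dir/site" "$demo_dir/backups")
verify_backup "$demo_archive" "$demo_dir/site" && echo "backup verified: $demo_archive"
```

Run it on a schedule (cron, for example) and keep the archives somewhere other than the web server itself, otherwise a compromise of the server takes the backups with it.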
2) Obscurity is not security
“Security Through Obscurity (STO) is the belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms.”
In essence, security through obscurity is like hiding your car behind the hedge on your street rather than locking it. It might be harder for a thief to find it (when they look for it on your drive), but once they do find it, it will be very easy for them to steal. In website terms, we might hide important and sensitive files within our website that can be accessed directly through a browser’s address bar without needing to log in to the application. We could argue that the user would need to know the exact file path and name of the file, but if they did find this out, our data would be easy pickings.
Although obscurity can be used to make your site more difficult to hack, it should in no way be relied on or considered a complete security solution on its own. An example of where obscurity can be useful would be changing the default login URL in WordPress from /wp-admin to something completely random. Making the login page of an application harder to find is good practice, but only as an extra layer on top of real access controls.
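To make the point concrete, here is an added shell example (not code from the original post) that does the opposite of hiding: it finds files inside a web root that are reachable by URL no matter how obscure their names are, and moves them outside the web root. The filename patterns are an assumed starting list, not a definitive one.

```shell
#!/bin/sh
# Added example, not code from the original post: find files sitting inside a
# web root that should never be reachable by URL, however obscure their names,
# and move them outside the web root. The filename patterns are an assumed
# starting list; extend it for your own site.
set -eu

# Print every file (or .git directory) under the web root that matches a
# pattern typical of database dumps, backups, archives and secrets.
audit_webroot() {
    webroot=$1
    find "$webroot" \
        \( -type d -name '.git' -prune -print \) -o \
        \( -type f \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.bak' -o -name '*.old' \
           -o -name '*~' -o -name '*.zip' -o -name '*.tar.gz' -o -name '.env' \
           -o -name '.htpasswd' \) -print \) | sort
}

# Renaming such files only hides them; the real fix is to move them outside
# the web root (preserving relative paths) so the web server cannot serve them.
quarantine_exposed() {
    webroot=$1; outside=$2
    audit_webroot "$webroot" | while IFS= read -r path; do
        rel=${path#"$webroot"/}
        mkdir -p "$outside/$(dirname "$rel")"
        mv "$path" "$outside/$rel"
    done
}

# Constructed sample web root so the script runs stand-alone.
demo=$(mktemp -d)
mkdir -p "$demo/www/uploads" "$demo/www/.git"
printf '<h1>hi</h1>\n' > "$demo/www/index.html"
printf 'image-bytes' > "$demo/www/uploads/photo.jpg"
printf 'CREATE TABLE users (id INT);\n' > "$demo/www/db-backup.sql"
printf 'DB_PASSWORD=placeholder\n' > "$demo/www/.env"
printf '[core]\n' > "$demo/www/.git/config"
echo "Exposed before:"; audit_webroot "$demo/www"
quarantine_exposed "$demo/www" "$demo/private"
echo "Exposed after: $(audit_webroot "$demo/www" | wc -l)"
```

Review the quarantined files before deleting them; anything the site genuinely needs (a config file, for instance) belongs outside the web root and should be read from there by the application.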
3) Passwords
We all know about strong passwords, don’t we? That is why none of us have any active passwords that are the name of our favourite football team, or the name of our first pet, right!?…***ahem***….
It’s frightening how many people’s passwords are still personal words (often with 123 added at the end, you know, to make them more “secure”). We should all be using a unique, strong password for every account. I recommend using a secure password manager to store all your passwords in. There are plenty available for both Mac and Windows. KeePass is a free, open source solution available for both operating systems.
4) Keep software up to date
It is really important that we keep software up to date. If you are using a CMS to run your website (like WordPress or MODX) then you will probably be aware that there are regular updates and security patches released. Keeping on top of these is really important to help keep your sites safe and secure. If you don’t feel comfortable updating and patching your site then speak to us. We are more than happy to assist; it’s well worth getting this in place now, rather than waiting until something goes wrong and then trying to react.
5) SSL
SSL stands for Secure Sockets Layer (its modern successor is TLS, though the name SSL has stuck). It is an encryption layer between your browser and the server: all data passed between the two is encrypted, so it cannot be read by anyone in between.
SSL is often recognised in a browser by a green bar or a padlock, and sites are served over https rather than http.
Google also uses a valid SSL certificate as a ranking factor (they favour secure sites!), so that is another reason why choosing an SSL certificate makes sense. For more information on SSL certificates, or to install one on your site, please get in touch.
6) Plugins and themes
In our experience, badly coded themes (downloaded from theme sites) and poorly coded plugins are more often than not the entry point for hackers. We have cleaned up many sites where the vulnerability was caused by a plugin. While plugins and paid-for themes can seem like a quick and cost-effective way to build a site, you need to be vigilant and careful about what you download and install. Our advice is to only use themes and plugins from reputable developers. With plugins, look at who developed the plugin and how many times it has been downloaded, and keep an eye on the reviews as well. We also recommend keeping the number of plugins you use to a minimum: every plugin you remove is one less piece of code that needs patching.
Any theme or plugin you install on your site requires a level of trust. You are in effect giving that plugin access to your database and source files.
7) Set privileges appropriately for users
If you have multiple users/admins on your website, it is good practice to allow only the minimum privileges/rights each user needs to complete their job. For example, there is no need to allow a user to create and edit other user profiles if they are a content writer publishing blog posts. Making sure that privileges are only assigned to users that require them is a really good security principle (often called least privilege). If you use MODX as your CMS you can easily set up custom and precise user privileges; contact us if you have any questions or are concerned about user access.
What if the worst happens…
Sometimes, despite our best efforts, things go wrong even when you follow these 7 points. So what do you do if you find your website has been hacked? It’s easy to think that your website being hacked is the end of the world, but don’t panic; it might not be. As soon as you are aware that your site has been hacked, contact your web developer and/or hosting company.
Having said that, by following these 7 simple steps you are hopefully well on the way to securing your website/application.