How To Secure Your Website
I apologize in advance since this will be a more technical article. Nonetheless, the topic is unavoidable for every website owner. I try to keep the language simple – promise! There are two components that keep your website secure, and those are your server and the code that constitutes your website itself.
Let’s discuss how you can secure your website on each level.
1. Security on Website Level
Update code and software regularly: This is the number one priority and one of the simplest steps you can take that will keep 90% of hackers away from you. Malicious hackers take advantage of common weaknesses in software. They write automated scripts that go out and test website after website, knowing that the next victim who hasn’t applied the latest updates is never far away.
If your website runs on one of the popular content management systems (WordPress, CraftCMS, Joomla, Drupal), make sure that the core code base is always up to date. This also applies to any plugins or external code snippets you are using. When it comes to plugins, do some research before you install them. Make sure that the plugin is actively used and well supported by its creator and its user community. Try keeping the number of plugins low, since every plugin adds code that can contain vulnerabilities and can slow your site down. Delete unused plugins and themes. If keeping your website code base updated is a challenge for you, ask me about my maintenance agreement for websites.
Use strong passwords and change passwords often: This can’t be repeated often enough. If your password is too simple to guess or to crack by brute force (robots that keep trying until they find a working password), then you are at risk. Use tools such as LastPass that help you manage your passwords across browsers and that suggest strong passwords. Including numbers and special characters in your password boosts its strength.
Tweak default settings: Hackers take advantage of known defaults. They know that the URL for a WordPress admin page is www.example.com/wp-admin. By changing that, you divert a great number of threats. Here is a list of defaults that you should consider changing: usernames (don’t use admin!), admin URL, default database names, installation folder names. I won’t go into great detail on how to achieve these things since I believe that you should ask a professional to do them for you. Note that these examples are geared towards WordPress sites. Other platforms will have different but similar concerns.
The above applies to self-hosted websites. If you use a website builder such as Wix, Squarespace, or Weebly, then these tasks fall under their responsibility. In most cases, these companies do a pretty good job of securing their infrastructure, but they are not immune to attacks either. In past months both Wix and Internet giant Amazon have suffered attacks that knocked out websites all over the world.
2. Security on Server Level
Anti-Malware: Malware, short for malicious software, is typically installed on a website by hackers who find weaknesses — also known as vulnerabilities — in a website’s code. Malware can spread viruses, steal personal or financial data, and even hijack computers. There are a number of scanners available depending on your operating system. SiteLock is a super simple and fantastic security solution for scanning and malware removal. I am offering SiteLock starting at $11.88 per year. In fact, this website uses SiteLock protection – can you spot the label in the lower left-hand corner?
More advanced measures: Here is a list of topics that you want to address depending on your server setup. I only provide keywords here, because this is not something you can, or would want to, do on your own. Working with a professional will save you time, money and headaches.
- Server Hardening
- Port Blocking
- PHP Upgrades for shared hosting accounts
- MySQL Upgrades
- SSH Access restrictions
- Use Encryption / SSL (HTTPS in links) – Since January 2017, Google has begun flagging websites without digital certificates and HTTPS links as ‘Not Secure’. This mandate has been implemented to tighten security across networks. HTTPS guarantees users that the information passed between their browser and your server is encrypted in transit and cannot be read by anyone intercepting it along the way. This is especially necessary for sites that require credit card and personal information. Even if your website is a simple marketing site, you don’t want your visitors to think of your website as ‘Not Secure’. You will come across as unprofessional, and it will simply scare away potential customers.
- Server side validation/form validation – Forms are used by visitors to send messages, sign up for accounts or for many other reasons. At the same time, forms are a major vulnerability factor for websites and applications because they allow users to pass information to the server. Did you know that hackers can use a simple message field to insert malicious code? When that input is pasted into a database query it can wipe out your entire database (this is known as SQL injection); when it is shown back to other visitors as part of the page it can run as script in their browsers (this is known as cross-site scripting). Proper form validation on the server, which accepts only the kind of data each field is meant to hold and treats everything else as plain text, protects against both.
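The following is an added illustration of the form-validation point above, not code from this post or from any product it mentions. It assumes a contact form with an email and a message field, uses a constructed in-memory SQLite table in place of a site's MySQL database, and shows the unsafe version (input pasted into the query) beside the validated, parameterized one, plus escaping when a stored message is echoed back into HTML:

```python
import html
import re
import sqlite3

# Constructed stand-in for a contact-form table: in-memory SQLite here, MySQL on a
# real shared host; the defect and the fix look the same in either.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, email TEXT, body TEXT);"
        "INSERT INTO messages (email, body) VALUES ('old@example.com', 'earlier message');")
    return conn

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def validate(form):
    """Server-side validation: accept only the shape each field is supposed to have."""
    email = form.get("email", "").strip()
    body = form.get("message", "").strip()
    if not EMAIL_RE.match(email):
        raise ValueError("email does not look like an address")
    if not 1 <= len(body) <= 2000:
        raise ValueError("message is empty or too long")
    return email, body

def save_unsafe(conn, form):
    """The 'before': form values pasted into the SQL text, so input can become SQL."""
    sql = "INSERT INTO messages (email, body) VALUES ('%s', '%s');" % (
        form["email"], form["message"])
    conn.executescript(sql)  # runs every statement the submission smuggled in

def save_safe(conn, form):
    """The fix: validate, then bind values as parameters so they stay data, never SQL."""
    email, body = validate(form)
    conn.execute("INSERT INTO messages (email, body) VALUES (?, ?)", (email, body))
    return conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0]

def render(body):
    """Escape a stored message before echoing it into HTML so it cannot run as script."""
    return "<p>%s</p>" % html.escape(body)

def table_exists(conn):
    row = conn.execute("SELECT name FROM sqlite_master WHERE name = 'messages'").fetchone()
    return row is not None

# Constructed hostile submission: closes the quote, drops the table, comments out the rest.
HOSTILE = {"email": "guest@example.com", "message": "hi'); DROP TABLE messages; --"}
```

Running `save_unsafe` with the constructed submission removes the table, while `save_safe` stores the same text harmlessly as a literal message.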
The key to securing your website is to regularly audit your site – both on the application as well as the server end. A well-managed website is a secure website. By making regular checks part of your routine, you can be certain you’re doing your very best to lock down your site.
If your website runs on WordPress, then I have the perfect solution for you. I offer special WordPress Hosting starting at just $8.4 per month. This package offers the following benefits:
- Auto-Backups – Backups are your lifesaver when all your security measures did not prevent your site from being compromised. Just travel back in time and restore the last working version of your site. If your website does not run on WordPress, you can still use CodeGuard for your backups. I offer CodeGuard starting at just $0.82 per month.
All these features can still be applied to your custom website – just ask me how!
If you have enjoyed this post, please join my mailing list.
This is not a sales email and your info is safe with me! Once a week, I will send you a mail packed with information about the intersection of web technologies, business, and marketing.