Your website’s security can be just as important as its appearance and functionality, especially if you store any personal data, such as credit card details, email addresses, mailing addresses, etc. If you’ve ever been the victim of a hacker, then you know just how damaging and frustrating a security breach can be. Thankfully, there are lots of steps you can take to make your website significantly less vulnerable to hackers, and they don’t require a lot of technical knowledge.
I’ve provided 10 tips to help you make your website more secure–while this is by no means an exhaustive list of all the steps you can take to enhance your site’s security, it is a great starting point for most users.
Open source applications like Magento, WordPress and phpBB are great for building blogs, online stores, and forums, but you have to remember to keep these scripts up-to-date. Older versions of open source applications can make your website vulnerable to hackers, so it’s important to upgrade to the latest version of any script you use for your website.
If you’ve installed a script using Softaculous or Installatron, you will get an email every time a new version is released. Also, most open source applications will tell you a new version is available when you log in to the admin area.
Before you upgrade to the latest version, be sure to make a backup of your website, just in case the newest version causes your website to break.
Remember when you installed WordPress because you thought your business needed a blog to go with your online store? Well, if you installed WordPress 2 years ago and you still haven’t found the time to write a single post, then it’s time to delete this installation.
Why? Unlike your primary website–maybe your Magento store or phpBB forum–you probably don’t visit your unused blog very often, which means you’re less likely to realise the installation has been hacked. Plus, if you’re not updating an installation of an open source application, then it’s vulnerable to hackers because it’s out of date.
So, just uninstall this application–you can always reinstall another version of WordPress when you finally find the time to write some blog posts!
According to a report by Imperva, a leading Data Security firm, the most commonly used passwords are consecutive digits, such as 1234567, adjacent keys, such as qwerty, dictionary words like password and princess, slang words, and proper names like Nicole and Daniel. If the password you use for the admin area of your website falls into any of the categories listed, then you should change it immediately.
Ideally, you want to use randomly generated passwords, which are usually just combinations of numbers, letters, and special characters. To create a randomly generated password, you can use the Random Password Generator from random.org.
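The following is an added example (not part of the original article) that flags passwords falling into the weak categories listed above and generates a random replacement from the operating system’s cryptographic random source. The word and name list is a small constructed stand-in for a real dictionary; the keyboard rows assume a US QWERTY layout.

```python
"""Flag passwords in the weak categories the article lists, and generate a random one.

Added example. COMMON_WORDS is a constructed sample standing in for a real
dictionary of words, slang and first names; a production check would load a
large wordlist instead.
"""
import secrets
import string

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # US QWERTY rows
COMMON_WORDS = {"password", "princess", "nicole", "daniel", "welcome", "letmein"}


def _is_run(s, alphabet):
    """True if s (4+ chars) is a forward or reverse run of adjacent characters in alphabet."""
    if len(s) < 4:
        return False
    return s in alphabet or s in alphabet[::-1]


def weak_password_reason(pw):
    """Return the category that makes pw weak, or None if none of them apply."""
    low = pw.lower()
    # Consecutive digits such as 1234567 (digits doubled so runs may wrap past 9 to 0).
    if low.isdigit() and _is_run(low, string.digits * 2):
        return "consecutive digits"
    # Adjacent keys such as qwerty or asdfgh.
    for row in KEYBOARD_ROWS:
        if _is_run(low, row):
            return "adjacent keyboard keys"
    # Dictionary words, slang and proper names, with or without trailing digits.
    if low in COMMON_WORDS:
        return "dictionary word, slang or proper name"
    if low.rstrip(string.digits) in COMMON_WORDS:
        return "dictionary word with digits appended"
    return None


def random_password(length=16):
    """Generate a password of letters, digits and special characters using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if weak_password_reason(candidate) is None:  # practically always true on the first try
            return candidate
```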
Whether you use Magento, WordPress or Joomla, if you have plugins or extensions on your website, then make sure to keep them up-to-date. Like open source applications, old versions of plugins and extensions are vulnerable to hackers.
Before upgrading your plugins and extensions, be sure to make a backup of your site, just in case there’s an issue with the latest version of the plugin.
If you want to prevent your website or email account from getting hacked, never share your passwords with anyone. With most open source applications, you can easily create usernames and passwords for different users, so there’s no need to share your information with anyone. When an employee or coworker leaves, you can simply delete their account. Also, it’s a good idea to change any passwords they may have had access to.
To help keep your website secure, change your passwords approximately every 3 months. If you’ve had a security breach, or an employee has left, then you need to change your passwords right away.
When you install an open source application like Magento or WordPress, it will create a default admin account with the user name of admin. People need both your user name and password to get into the admin area of your account–if you use the default user name, then you’ve already given them half of the information they need to gain access (granted, figuring out the password should be considerably more difficult).
Change the user name for this account right away, and don’t make it something people will be able to guess (such as your first name).
One way to deter hackers is to make it difficult for them to figure out which open source application you’re using on your site. When you install a script such as Magento or WordPress, the default favicon will be the application’s logo. If you don’t change your favicon to something associated with your own brand, then hackers will immediately realise which script you’re using.
Also, check to make sure your themes and templates don’t include anything that states which application you’re using, such as ‘Powered by WordPress’. This could make your site a target for WordPress hackers, so be sure to remove this right away.
Did you know you can prevent users from unknown IP addresses from accessing your site’s admin area, simply by creating or editing an .htaccess file? The first step is figuring out the IP addresses of anyone who legitimately needs to access the admin area, which can be done using WhatIsMyIP.com. Make sure to get the IP addresses of the locations they are likely to access the admin area from, such as work, home, school, etc.
Once you have these IP addresses, you will need to create or edit the .htaccess file for the admin area of your open source application. Do not edit the main .htaccess file for the script–if you edit the main .htaccess file instead of the .htaccess for your admin area, then you will prevent anyone, other than visitors from the specified IP addresses, from being able to visit your website.
You can use an FTP client to see if your application already has an .htaccess in the admin area. If so, then you can download, edit, and upload this file. If you don’t have an existing .htaccess file for your admin area, then simply create a file named .htaccess using a text editor like Notepad.
In order to allow only users from certain IP addresses to access the admin area, you first need to deny everyone by default and then allow each address, so enter the following code:
Order deny,allow
Deny from all
allow from 000.000.000.000
allow from 000.000.000.000
allow from 000.000.000.000
Replace 000.000.000.000 with the IP addresses of people who legitimately need access to the admin area of your site. The first two lines matter: without “Deny from all”, the allow lines have no effect, because Apache lets every visitor in unless something denies them. Once you’ve added an allow line for each IP address, simply upload the file using an FTP client to the folder for your site’s admin area, and only users from the specified IP addresses should be able to access the backend of your site. Check the result by loading the admin area from a listed address (it should work) and from an unlisted one, such as a mobile connection (you should get a 403 Forbidden error). Note that this is the Apache 2.2 syntax; servers running Apache 2.4 only honour it when the mod_access_compat module is enabled, and the native 2.4 equivalent is one “Require ip” line per address in place of the Order, Deny and allow lines.
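The script below is an added example, not from the original article, that builds the admin-area .htaccess from a list of addresses so that the placeholder is never left in by mistake and an over-broad entry (which would open the admin area to everyone) is refused. The Apache 2.4 “Require ip” output form is an assumption of this example, since the article only shows the 2.2 syntax.

```python
"""Generate an admin-area .htaccess that allows only the listed IP addresses.

Added example. By default it emits Apache 2.4 "Require ip" syntax; pass
apache24=False for the older Order/Deny/Allow form shown in the article.
"""
import ipaddress


def _fmt(net):
    """Render a single host as a bare address and a range in CIDR form."""
    return str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen


def admin_htaccess(allowed, apache24=True):
    """Return the .htaccess text, or raise ValueError for a placeholder, typo or over-broad entry."""
    nets = []
    for entry in allowed:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError as exc:
            # Catches the article's 000.000.000.000 placeholder and mistyped addresses.
            raise ValueError(f"not a valid IP address or range: {entry!r}") from exc
        # 0.0.0.0 or a /0 range would silently admit the whole internet.
        if net.prefixlen == 0 or net.network_address.is_unspecified:
            raise ValueError(f"entry {entry!r} would allow everyone; refusing")
        nets.append(net)
    if not nets:
        raise ValueError("at least one address is required, or you lock yourself out")

    if apache24:
        lines = ["<RequireAny>"]
        lines += [f"    Require ip {_fmt(n)}" for n in nets]
        lines.append("</RequireAny>")
    else:
        lines = ["Order deny,allow", "Deny from all"]
        lines += [f"Allow from {_fmt(n)}" for n in nets]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges (RFC 5737).
    print(admin_htaccess(["203.0.113.7", "198.51.100.0/24"], apache24=False))
```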
If you have multiple FTP accounts for your website, then be sure to delete any FTP accounts you’re not using. Why? Because an FTP account enables users to download, upload, delete and modify website files, so it’s important to only have the number of FTP accounts you actually need. Every FTP account is another way for a hacker to gain access to your website’s files, so you want to limit the number of accounts as much as possible.
Unused accounts can easily be deleted via cPanel under ‘FTP Accounts’, so make sure to get rid of any unnecessary accounts.
If your website does get hacked, you should contact your web hosting provider right away. Your web hosting provider should be able to tell you the extent of the damage caused by a hacker, as well as provide recommendations on the steps you need to take to make your site usable and secure.
In some instances, hacked sites will need to be restored from a backup, and then steps will need to be taken to secure the site. While most web hosting providers regularly make backups of websites, it is important for users to take their own backups as often as possible, especially after any major changes to a website, just in case their website gets compromised by hackers.