
10 Tips for Keeping Your Website Secure


Your website’s security can be just as important as its appearance and functionality, especially if you store any personal data, such as credit card details, email addresses, mailing addresses, etc.  If you’ve ever been the victim of a hacker, then you know just how damaging and frustrating a security breach can be.  Thankfully, there are lots of steps you can take to make your website significantly less vulnerable to hackers, and they don’t require a lot of technical knowledge.

I’ve provided 10 tips to help you make your website more secure–while this is by no means an exhaustive list of all the steps you can take to enhance your site’s security, it is a great starting point for most users.

Keep Your Scripts Updated

Open source applications like Magento, WordPress and phpBB are great for building blogs, online stores, and forums, but you have to remember to keep these scripts up-to-date.  Older versions of open source applications can make your website vulnerable to hackers, so it’s important to upgrade to the latest version of any script you use for your website.

If you’ve installed a script using Softaculous or Installatron, you will get an email every time a new version is released.  Also, most open source applications will tell you a new version is available when you login to the admin area.

Before you upgrade to the latest version, be sure to make a backup of your website, just in case the newest version causes your website to break.

Delete Any Unused Installations

Remember when you installed WordPress because you thought your business needed a blog to go with your online store?  Well, if you installed WordPress 2 years ago and you still haven’t found the time to write a single post, then it’s time to delete this installation.

Why?  Unlike your primary website–maybe your Magento store or phpBB forum–you probably don’t visit your unused blog very often, which means you’re less likely to realise the installation has been hacked.  Plus, if you’re not updating an installation of an open source application, then it’s vulnerable to hackers because it’s out of date.

So, just uninstall this application–you can always reinstall another version of WordPress when you finally find the time to write some blog posts!

Use Passwords that Are Difficult to Guess

According to a report by Imperva, a leading Data Security firm, the most commonly used passwords are consecutive digits, such as 1234567, adjacent keys, such as qwerty, dictionary words like password and princess, slang words, and proper names like Nicole and Daniel.  If the password you use for the admin area of your website falls into any of the categories listed, then you should change it immediately.

Ideally, you want to use randomly generated passwords, which are usually just combinations of numbers, letters, and special characters.  To create a randomly generated password, you can use the Random Password Generator from random.org.

Update Your Plugins & Extensions

Whether you use Magento, WordPress or Joomla, if you have plugins or extensions on your website, then make sure to keep them up-to-date.  Like open source applications, old versions of plugins and extensions are vulnerable to hackers.

Before upgrading your plugins and extensions, be sure to make a backup of your site, just in case there’s an issue with the latest version of the plugin.

Don’t Share Your Passwords with Anyone

If you want to prevent your website or email account from getting hacked, never share your passwords with anyone.  With most open source applications, you can easily create usernames and passwords for different users, so there’s no need to share your information with anyone.  When an employee or coworker leaves, you can simply delete their account.  Also, it’s a good idea to change any passwords they may have had access to.

Change Your Passwords Regularly

To help keep your website secure, change your passwords approximately every 3 months.  If you’ve had a security breach, or an employee has left, then you need to change your passwords right away.

Don’t Use the Default User Name

When you install an open source application like Magento or WordPress, it will create a default admin account with the user name of admin.  People need both your user name and password to get into the admin area of your account–if you use the default user name, then you’ve already given them half of the information they need to gain access (granted, figuring out the password should be considerably more difficult).

Change the user name for this account right away, and don’t make it something people will be able to guess (such as your first name).

Don’t Advertise the Script You’re Using

One way to deter hackers is to make it difficult for them to figure out which open source application you’re using on your site.  When you install a script such as Magento or WordPress, the default favicon will be the application’s logo.  If you don’t change your favicon to something associated with your own brand, then hackers will immediately realise which script you’re using.

Also, check to make sure your themes and templates don’t include anything that states which application you’re using, such as ‘Powered by WordPress’.  This could make your site a target for WordPress hackers, so be sure to remove this right away.

Limit Access in .htaccess File

Did you know you can prevent users from unknown IP addresses from accessing your site’s admin area, simply by creating or editing an .htaccess file?  The first step is figuring out the IP addresses of anyone who legitimately needs to access the admin area, which can be done using WhatIsMyIP.com.  Make sure to get the IP addresses of the locations they are likely to access the admin area from, such as work, home, school, etc.

Once you have these IP addresses, you will need to create or edit the .htaccess file for the admin area of your open source application.  Do not edit the main .htaccess file for the script–if you edit the main .htaccess file instead of the .htaccess for your admin area, then you will prevent anyone, other than visitors from the specified IP addresses, from being able to visit your website.

You can use an FTP client to see if your application already has an .htaccess in the admin area.  If so, then you can download, edit, and upload this file.  If you don’t have an existing .htaccess file for your admin area, then simply create a file named .htaccess using a text editor like Notepad.

In order to allow users from certain IP addresses to access the admin area, you will need to enter the following code:

# Deny everyone by default, then allow only the listed addresses
order deny,allow
deny from all
allow from 000.000.000.000
allow from 000.000.000.000
allow from 000.000.000.000

Replace 000.000.000.000 with the IP addresses of people who legitimately need access to the admin area of your site.  Once you’ve added a line of code for each IP address, simply upload the file using an FTP client to the folder for your site’s admin area, and only users from the specified IP addresses should be able to access the backend of your site.
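An added example, not code from the original post: a small Python evaluator for the Apache 2.2 mod_access_compat directives used above, applying Apache’s Order semantics to a client address to show why allow lines without a preceding deny from all admit everyone under the default Order deny,allow. The addresses are constructed documentation ranges, not real values.

```python
import ipaddress

# Constructed fragments with documentation address ranges, not real IPs:
# allow-only lines versus the same list behind a default "deny from all".
ALLOW_ONLY = """
allow from 203.0.113.10
allow from 198.51.100.0/24
"""

DENY_THEN_ALLOW = """
order deny,allow
deny from all
allow from 203.0.113.10
allow from 198.51.100.0/24
"""

def parse_htaccess(text):
    """Collect Order, Deny and Allow directives from an .htaccess fragment."""
    order = "deny,allow"  # Apache 2.2 default when no Order directive is given
    deny, allow = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip comments, tokenise
        if len(parts) < 2:
            continue
        directive = parts[0].lower()
        if directive == "order":
            order = parts[1].lower()
        elif directive in ("allow", "deny") and parts[1].lower() == "from":
            (allow if directive == "allow" else deny).extend(parts[2:])
    return order, deny, allow

def _matches(client_ip, entries):
    """True if client_ip is covered by 'all' or any host/CIDR entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(e.lower() == "all" or ip in ipaddress.ip_network(e, strict=False)
               for e in entries)

def is_allowed(htaccess, client_ip):
    """Decide access for client_ip using Apache 2.2 Order semantics."""
    order, deny, allow = parse_htaccess(htaccess)
    denied, allowed = _matches(client_ip, deny), _matches(client_ip, allow)
    if order == "deny,allow":
        # Deny is evaluated first, a matching Allow overrides it, and a request
        # matching neither list is ALLOWED: allow-only lines block nobody.
        return allowed or not denied
    # Order allow,deny: Allow first, Deny overrides, unmatched requests denied.
    return allowed and not denied
```

On Apache 2.4 these directives only take effect when mod_access_compat is loaded; the native equivalent is a Require ip line listing the same addresses.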

Delete Unused FTP Accounts

If you have multiple FTP accounts for your website, then be sure to delete any FTP accounts you’re not using.  Why?  Because an FTP account enables users to download, upload, delete and modify website files, so it’s important to only have the number of FTP accounts you actually need.  Every FTP account is another way for a hacker to gain access to your website’s files, so you want to limit the number of accounts as much as possible.

Unused accounts can easily be deleted via cPanel under ‘FTP Accounts’, so make sure to get rid of any unnecessary accounts.

What to Do if Your Site Gets Hacked

If your website does get hacked, you should contact your web hosting provider right away.  Your web hosting provider should be able to tell you the extent of the damage caused by a hacker, as well as provide recommendations on the steps you need to take to make your site usable and secure.

In some instances, hacked sites will need to be restored from a backup, and then steps will need to be taken to secure the site.  While most web hosting providers regularly make backups of websites, it is important for users to take their own backups as often as possible, especially after any major changes to a website, just in case their website gets compromised by hackers.

12 Comments

  1. On February 6, 2012 at 1:40 pm

    Steve said:

    Thank you Cat, at least 2 security tips in there I didn’t know about.
    Please keep publishing more as and when you get them.
    Thank you
    Steve

  2. On July 14, 2011 at 7:42 pm

    IT Support said:

    You can also, with most CMSs (WordPress and Joomla), use directory traversal to make the config file sit outside of the public_html folder.

    Another trick that I’ve used is to disable unwanted (and potentially dangerous) PHP calls using the disable_functions directive. I’ve previously used:

    disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

  3. On July 10, 2011 at 6:30 pm

    pubs in bolton said:

    Great post again, I am glad I found your blog, it’s full of useful information. I hadn’t even thought about my website being hacked. Thanks for the tips.

  4. On June 2, 2011 at 6:16 am

    turkey tourism said:

    This is important especially when you are downloading database backups or configuration files which contain user names and passwords, etc. and we have to secure our website using tools.

  5. On May 31, 2011 at 9:24 am

    Stefan Lalev said:

    Thx for the tips

  6. On May 30, 2011 at 2:45 pm

    locker expert said:

    I’m totally paranoid about my site getting hacked. So far I have been lucky but I shan’t be taking any chances in the future. I also have a WordPress blog and I keep hearing that they are getting hacked.

  7. On May 24, 2011 at 9:27 am

    Rajasthan Tours said:

    Hi, I found your blog on Bing/MSN and found it both interesting and informative. I will come back again as I have bookmarked it, because I too want to make a website and install it on WordPress. I was not aware of the security concerns that have been mentioned here…

  8. On May 20, 2011 at 12:35 pm

    Antonio said:

    Last month my website was taken down by crackers (an out-of-date script).

    Thanks for your tips

  9. On May 18, 2011 at 6:42 pm

    Jesse said:

    A couple of my sites were hacked recently and while researching solutions I came across this post. I use WordPress on all my sites and after reading your article I checked my plugins and on my older sites a few of the plugins were out of date. I am now trying to be more diligent in keeping on top of plugin updates. Thank you for the great article and tips!

  10. On May 11, 2011 at 12:16 pm

    Oliver said:

    Very useful tips. Not only for the sake of the website but, as you mention, for the privacy of the personal data that might be stored. In Spain there are very severe fines if any personal data is leaked from the website. Thanks for the advice 🙂

  11. On May 10, 2011 at 11:57 am

    Rachel@organo gold said:

    You have mentioned that contact the service provider in case your website is hacked. But I feel we can make use of WordPress Data Plugin which works very safely & securely. They work on various platforms & have proper security to carry on work in an easier manner. I feel that is the best part. I find your article to be one of the best on this site, Cat. Classically written & explained… Thanks!!!

  12. On May 3, 2011 at 7:03 pm

    Steve said:

    6 of my sites were recently hacked which surprised me quite a bit as I always update the software as soon as a new release comes out. I did find a plugin called Secure WordPress, but one was even hacked after that was installed. My hosting company was not helpful in finding a solution like you state. I can quickly fix the sites as the changes are minimal. My newest solution is to create an admin account that has no privileges. I will see if this solves the problem.