Tips to Protect Your Company Website from Hackers
In recent years there has been a proliferation of great tools and services in the web development space. Content management systems (CMS) like WordPress, Joomla!, Drupal and so many others allow business owners to quickly and efficiently build their online presence. Their highly extensible architectures and rich plugin, module and extension ecosystems have made it easier than ever to get a website up and running without years of learning.
This is undoubtedly a great thing; however, an unfortunate side effect is that many webmasters now do not understand how to make sure their website is secure, or even the importance of securing it. Making your website live is like unlocking the door to your premises with your office and safe open: most of the people who visit your building will never even know that all of your data is there to discover just by walking in. Occasionally, though, someone with malicious intent will walk in and steal your data. That is why you have locks on doors and safes.
In addition to regularly backing up your files (which you should already be doing, for various reasons), taking the following easy steps will help keep your website safe:
Keep software up to date
It may seem obvious, but keeping all software up to date is vital to keeping your site secure. This applies both to the server operating system and to any software you may be running on your website, such as a CMS or forum. When security holes are found in software, hackers are quick to attempt to abuse them. Hackers can scan thousands of websites an hour looking for vulnerabilities that will allow them to break in. They network like crazy, so if one hacker knows how to get into a program, hundreds of hackers will know as well.
Toughen up access control.
The admin level of your website is an easy way into everything you do not want a hacker to see. Enforce user names and passwords that cannot be guessed. Change the default database prefix from “wp6_” to something random and harder to guess. Limit the number of login attempts within a certain time, including password resets, because email accounts can be hacked as well. Never send login details by email, in case an unauthorized user has gained access to the account.
Avoid simple and common passwords, and bear in mind that a password that is not on the list of most common passwords may still be weak: there are a lot of misconceptions about “strong” passwords. When it comes to choosing a password, there are 3 key requirements that should always be followed:
- Passwords should be 12+ characters long.
- Passwords should be random.
- Each password should be unique (do not reuse the same password across sites).
You may be wondering how you are going to remember each and every password, and 12+ characters long at that! The best part is, you don’t need to remember them all, and in fact you should not even try. The answer is to use a password manager such as “LastPass” (online) or “KeePass 2” (offline). These brilliant tools store all your passwords in encrypted form and can generate random passwords at the click of a button. Password managers make it far easier to use strong passwords than it is to memorize a couple of decent ones.
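The recommendation above to limit login attempts within a certain time can be implemented as a sliding-window lockout per account. The following is an added illustration, not code from the original article; the `LoginThrottle` class, its limits (5 failures per 15 minutes) and the `check_password` callback are assumptions chosen for the example, and the same throttle can be applied to password-reset requests.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limit on failed login attempts per account (constructed example).

    At most `max_failures` failed attempts are tolerated per account within
    `window_seconds`; further attempts are refused until the oldest failure
    ages out of the window.
    """

    def __init__(self, max_failures=5, window_seconds=900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock  # injectable so behaviour can be tested without sleeping
        self._failures = defaultdict(deque)  # account -> timestamps of failures

    def _prune(self, account, now):
        # Drop failures that are older than the window.
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_locked(self, account):
        now = self.clock()
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_failures

    def record_failure(self, account):
        self._failures[account].append(self.clock())

    def record_success(self, account):
        # A successful login clears the account's failure history.
        self._failures.pop(account, None)


def attempt_login(throttle, account, password, check_password):
    """Return 'locked', 'ok' or 'denied'.

    The lockout check runs before the password check, so a locked account is
    never verified at all (and gives no hint whether the password was right).
    `check_password(account, password)` is an assumed callback returning bool.
    """
    if throttle.is_locked(account):
        return "locked"
    if check_password(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"
```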
A server for a site
Do not let your “unlimited” web hosting plan tempt you into hosting multiple sites on a single server. Hosting many sites in the same location creates a very large attack surface. Not only can this result in all your sites being hacked at the same time, it also makes the cleanup process much more time consuming and difficult. The infected sites can continue to re-infect one another in an endless loop.
Change the Default CMS Settings
Today’s CMS applications, although easy to use, are horrible from a security perspective for end users. By far the most common attacks against websites are entirely automated, and many of them rely on the default settings being in use. This means you can avoid a large number of attacks simply by changing the default settings when installing your CMS of choice. It is usually easiest to change these defaults during installation, but they can be changed later.
Tighten network security.
Computer users in your office may be inadvertently providing an easy access route to your website servers. Ensure that:
- Logins expire after a short period of inactivity.
- Passwords are changed frequently.
- Passwords are strong and NEVER written down.
- All devices plugged into the network are scanned for malware each time they are attached.
Install a web application firewall.
A web application firewall (WAF) can be software or hardware based. It sits between your website server and the data connection and reads every bit of data passing through it. Most modern WAFs are cloud based and provided as a plug-and-play service for a modest monthly subscription fee. Once installed, a web application firewall provides complete peace of mind by blocking all hacking attempts and also filtering out other types of unwanted traffic, such as spammers and malicious bots.
Secure Admin Email Address
Keep the admin email address used to log in to your web server, CMS, database etc. away from the public eye. Use a totally different address on your contact page. This helps prevent you from being scammed by a phishing email disguised as one sent by your hosting company or domain registrar.
Use parameterized queries
One of the most common website hacks many sites fall victim to is SQL injection. SQL injection can come into play if you have a web form or URL parameter that allows outside users to supply information. If you leave the parameters of the field too open, someone could insert code into them that lets them break into your database, which may well contain sensitive customer information, like contact details or credit card numbers.
There are a number of steps you can take to protect your website from SQL injection; one of the most important and easiest to implement is the use of parameterized queries. A parameterized query keeps the SQL statement fixed and passes user-supplied values separately, so the database treats them purely as data rather than as part of the query, and there is no room for a hacker to tamper with it.
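To make the difference concrete, here is an added example (not code from the original article) that runs the same customer lookup twice against a constructed in-memory SQLite table: once with the user's value pasted into the SQL text, and once bound as a parameter. The table, rows and inputs are made up for the illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data for the example; not a real customer table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Vulnerable: the user-supplied value becomes part of the SQL text,
    # so a quote character in it changes the structure of the statement.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # Hardened: the statement is fixed and the value is bound as a parameter.
    # The database engine treats it as data only, never as SQL.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed inputs: an ordinary lookup, and a value that turns the
# WHERE clause of the vulnerable query into an always-true condition.
NORMAL_INPUT = "alice@example.com"
HOSTILE_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, NORMAL_INPUT))      # one matching row
    print(lookup_vulnerable(conn, HOSTILE_INPUT))     # every row leaks
    print(lookup_parameterized(conn, HOSTILE_INPUT))  # no rows: no such email
```

The parameterized version returns nothing for the hostile input because it looks for a customer whose email is literally that string; the vulnerable version returns the whole table.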
Use HTTPS
As a consumer, you may already know to always look for the green https in your browser bar any time you’ll be providing sensitive information to a website. Most consumers recognize those five little letters as an important shorthand for security: they signal that it’s safe to provide financial information on that particular webpage. If you have an online store, or if any part of your website will require visitors to hand over sensitive information like a credit card number, you have to invest in an SSL certificate. The cost to you is minimal, but the extra level of encryption it offers to your customers goes a long way to making your website more secure and trustworthy.
Being aware of these issues and understanding them will give you valuable insight into how the underlying technology works and help make you a better webmaster/site operator.