Internet Security & your Website
Any webmaster can tell you that security concerns are high on the list of items that demand their constant attention. The smartest of them realize that, while there are direct on-site measures they can take to make their sites more secure, they also need to do everything possible on the server side to augment that security.
Most hosting services provide advice to their users on measures they can take to protect their sites; some cover only server-side issues, others are more general. A reputable hosting company with an aggressive security protocol can be a webmaster’s greatest ally.
Nearly 9,000 sites are taken over each day, to be used in various criminal schemes. In fact, it’s estimated that 61% of the sites used in online criminal campaigns are sites that have been compromised in some fashion, without the site owner’s knowledge.
How to Keep your Site Secure
There is no such thing as 100% secure; however, there are a number of important measures you can implement to make your site more resistant to such exploitation. Much like protecting your home or business from break-ins, the goal is to make it so difficult that it’s easier for the malefactors to go elsewhere. Like burglars, they’ll eventually get in if they’re really determined. Making it difficult slows them down and tests their determination.
Here are some specific recommendations for those that are running their site on a CMS platform, such as WordPress, Joomla or Drupal, to make your sites more secure:
1. Ensure that you’re running the most current version of the framework, your theme and all plugins. Exploits are exposed periodically, and developers usually implement a fix promptly. If yours are out of date, your chances of being compromised are greater;
2. Don’t keep old themes and plugins that aren’t in use – delete them, especially if they’re not the most up-to-date version. Even plugins and themes that are inactive can present vulnerabilities. If you’re not using it, get rid of it. If not, at least keep it updated;
3. Change the default “Admin” login to something unique. This is one of the most common entry points. Your username and password are two levels of security – don’t essentially publish one of them;
4. Use strong passwords. “password”, “pw123” and the like can be discovered very quickly by an experienced hacker. A minimum of 8 characters is recommended, using a random mixture of numbers, letters and symbols, in a mixture of upper and lower case. For most purposes, anything in excess of ten characters is overkill;
5. Limit login attempts. There are various methods of limiting the number of failed login attempts before an IP or username is either required to wait for a set time before trying again or is locked out altogether. This is an excellent method of making brute force attacks more difficult;
6. Don’t store FTP passwords. FTP access is carte blanche to anyone wishing to plunder a site. That makes it a bad idea to allow any program or service to store your FTP password;
7. If you allow registration or comments on your site, it’s a good idea to run a comprehensive spam control script or plugin which checks against a list of known spammer IPs. These can also be configured to report IPs that you find to be attempting to spam, to help others similarly protect themselves;
8. Don’t keep SQL database backups on your server. If a hacker can access them, he’ll have all your passwords, even those that are encrypted;
9. Set your file permissions to the most stringent levels possible, without sacrificing functionality. For instance, having most of your files set to 640 rather than 755 will limit the changes that can be made to a file by anyone but you, as the file owner. When in doubt, the WordPress Codex is a good guide.
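As an added example (not code from the article or from any CMS), here is one way to implement the “limit login attempts” item above: failures are counted per source IP and per username over a sliding window, and either key is locked out for a set time once the threshold is reached. The thresholds, addresses, usernames and the SAMPLE list of attempts are all constructed for the demonstration.

```python
# Added example, not from the original article: a sliding-window login limiter
# that locks out both the source IP and the target username after repeated
# failures, so one account guessed from many addresses is blocked too.
from collections import defaultdict, deque

def _keys(ip, username):
    return (("ip", ip), ("user", username.lower()))  # tracked independently

class LoginLimiter:
    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lockout expires

    def allowed(self, ip, username, now):
        # True only when neither the address nor the account is locked out.
        return all(now >= self._locked_until.get(k, 0) for k in _keys(ip, username))

    def record_failure(self, ip, username, now):
        for key in _keys(ip, username):
            q = self._failures[key]
            while q and now - q[0] > self.window_seconds:  # drop failures outside window
                q.popleft()
            q.append(now)
            if len(q) >= self.max_failures:  # threshold reached: lock and reset counter
                self._locked_until[key] = now + self.lockout_seconds
                q.clear()

    def record_success(self, ip, username):
        for key in _keys(ip, username):
            self._failures.pop(key, None)

def replay(limiter, attempts):
    # Feed (time, ip, username, password_ok) events; return whether each was allowed.
    results = []
    for now, ip, user, ok in attempts:
        permitted = limiter.allowed(ip, user, now)
        results.append(permitted)
        if permitted and ok:
            limiter.record_success(ip, user)
        elif permitted:
            limiter.record_failure(ip, user, now)
    return results

# Constructed sample: one address hammers "admin" with 5 failures in 5 seconds.
SAMPLE = [(t, "203.0.113.5", "admin", False) for t in range(5)] + [
    (6, "198.51.100.7", "admin", True),    # blocked: username still locked
    (6, "203.0.113.5", "editor", True),    # blocked: address still locked
    (950, "198.51.100.7", "admin", True)]  # lock expired (4 + 900): allowed
```

In a real deployment the counters would live in shared storage (a database table or cache) rather than in process memory, so that every web worker sees the same state.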
If you’re not running on a CMS framework, many of these suggestions are still applicable. For instance, even on a site that uses no theme or plugins, #4 through #9 still apply.
Monitoring your site closely, with an eye toward any unexpected behavior, is always a good practice. Unexpected bandwidth consumption may be a sign of a site being hijacked for illicit actions.
And finally, just in case your site is ever compromised, keep regular backups (not on the server), in order to facilitate a quick and painless recovery.