Protecting Your Website from Hackers

Did you know that websites are under constant attack from hackers? Usually these attacks happen behind the scenes, and you’ll never know unless you check the technical details in your server’s log files. If you look, or have a tech professional do it for you, you’ll probably be shocked at what you find—numerous unauthorized attempts to access your site’s resources.

Why would a hacker care about your blog or basic website? It’s because they want to harness your hard work for their personal gain. Although some hackers are simply out to do damage, most of them are after your resources. They want to use your site as a launch pad for viruses and spam, or simply free computing power, courtesy of you. That’s why protecting your website from hackers is critically important.

Fortunately, there are quite a few things you can do to beef up your website security. Some of them are quite simple to implement, while others require deeper technical know-how. If you need a helping hand, the professionals at TechTe.am are always ready to help.


Tip #1: Make regular backups

While this isn’t going to keep hackers out, creating and following a backup plan will give you a fast path to recovery should they get in. Backups can be run manually or be configured to run automatically. If you’re using a CMS like WordPress or Drupal, you can install a module to handle it for you. Otherwise, it can often be set up through your hosting control panel. Backups should be set to run at least weekly, or more often if your site has frequently changing content.

Having a system that automatically creates backups is only step one. You must also regularly spot-check your backups to ensure that they will work when you need one. Spot-checking your backups when your site is working just fine may seem tedious, even unnecessary, but if your site is vandalized and you find that you can’t restore from your previous backup, you’ll need to hire a freelancer or a malware removal company to go through your site line by line to clean up the mess… that is, if the vandals left anything behind. A small test once a month or so will suffice to make sure that you can recover quickly from any attempt to deface your site.
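The monthly spot check can be scripted. The sketch below is an added example, not part of the original article: it assumes the backup is a gzip-compressed tar archive and that the two file names in REQUIRED (hypothetical) are what a restore needs. The sample archive is constructed in a temporary directory.

```python
import io
import tarfile
import tempfile
import zlib
from pathlib import Path

# Assumption for this example: files a restorable WordPress backup must hold.
REQUIRED = ("site/wp-config.php", "db/dump.sql")

def spot_check_backup(archive_path, required=REQUIRED):
    """Return a list of problems; an empty list means the spot check passed."""
    problems, seen = [], {}
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                # Read every byte so truncation or corruption surfaces now,
                # not in the middle of a real restore.
                stream, size = tar.extractfile(member), 0
                while chunk := stream.read(65536):
                    size += len(chunk)
                seen[member.name] = size
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc}")
    for name in required:
        if name not in seen:
            problems.append(f"missing: {name}")
        elif seen[name] == 0:
            problems.append(f"empty: {name}")
    return problems

def make_sample_backup(path, files):
    """Write a constructed sample archive so the example runs offline."""
    with tarfile.open(path, "w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "backup.tar.gz"
        make_sample_backup(sample, {"site/wp-config.php": b"<?php // constructed",
                                    "db/dump.sql": b""})
        print(spot_check_backup(sample))
```

A check like this only proves the archive is readable and complete; restoring it to a scratch site is still the real test.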

Tip #2: Update, update, update

Cybercriminals love outdated software. As soon as any online software is launched, they begin probing it for security holes and weak spots. They build up databases of these flaws and look for sites that run the affected software so they can break in. Fortunately, software developers monitor these things too. They update and patch applications to eliminate the weak spots. This only helps sites that take the time to update their software.

All of the software behind your site is potentially at risk and should be patched if any risks are identified. That includes the email software and web server application running in the background.

It’s also important to update front end software, such as WordPress or Joomla, whenever security patches are released. Remember to update all CMS plugins as well. Usually you can do this yourself with just a few clicks in your administration panel. That said, if you update WordPress, your theme, or any plugins and find that you’ve accidentally broken your site, having an excellent backup solution in place will save you here as well.

Tip #3: Take passwords seriously

Everybody knows it’s important to use a strong password, but lots of people use weak ones either by mistake or out of laziness. Hackers have all kinds of automated tools for guessing passwords. Don’t make their work any easier. Make sure every login on your system uses a password that:

  • is at least 8 characters long (more is better)
  • includes at least one each of: uppercase letter, lowercase letter, special character (such as ! or _), and digit
  • avoids keyboard patterns (such as asdf or jkl;)
  • doesn’t include personal information, such as birth date or year
  • isn’t used anywhere else (don’t repeat logins)

Although strong passwords aren’t exciting or sexy cyber tools, they are an important step toward protecting your website.

Tip #4: Close user sessions

If your site tracks users through sessions by prompting them to log in or assigning them a guest ID, make sure to build in protections for that data to prevent it from being hijacked. Otherwise, any time a user logs in to your site through an unsecured connection, or forgets to log out on a public computer, they’re leaving themselves and you open to the session being hijacked. Easy ways to close this loophole include adding a prominent Log Out button to your site to remind users, keeping large objects and critical information out of session cookies, and automatically logging users out after a fixed period of inactivity.
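The inactivity logout described above, as an added example (not code from the original article): a server-side session store in which the cookie holds only a random ID. The class name, the 15-minute timeout and the cookie attributes are assumptions chosen for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value, tune it for your site

class SessionStore:
    """Server-side sessions: user data stays here, never in the cookie."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock

    def login(self, username):
        sid = secrets.token_urlsafe(32)  # unguessable session ID
        self._sessions[sid] = {"user": username, "last_seen": self._clock()}
        return sid

    def current_user(self, sid):
        """Return the user of a live session, or None if unknown or idle too long."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > self._idle_timeout:
            del self._sessions[sid]  # expire on the server, not just in the browser
            return None
        session["last_seen"] = now  # activity restarts the inactivity window
        return session["user"]

    def logout(self, sid):
        """What the Log Out button calls: the ID stops working immediately."""
        self._sessions.pop(sid, None)

def session_cookie(sid):
    """Set-Cookie value. Secure: sent over HTTPS only. HttpOnly: hidden from page scripts."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice")  # constructed sample user
    print(session_cookie(sid))
    print(store.current_user(sid))
    store.logout(sid)
    print(store.current_user(sid))
```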

Tip #5: Don’t give away secrets in error messages

What happens when a user attempts to access a nonexistent page on your site or a program throws an error? If you don’t know, try to find out. Error pages sometimes include information you really don’t want outsiders to know. For example, if security isn’t properly configured, PHP programs that encounter an error may display the full path to the exact location of that program on your server, a big no-no.

The contents of error pages can be defined several different ways. Sometimes it’s possible to configure through the hosting interface, but in other cases more behind-the-scenes work is required, such as modifying configuration files like php.ini.
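One way to check the php.ini side of this, as an added example rather than the article's own code: a small audit of the error-output directives display_errors, display_startup_errors and log_errors. Both sample files are constructed, and the parser is simplified (it treats any `;` as the start of a comment).

```python
# Production values assumed for PHP's error-output directives.
EXPECTED = {"display_errors": False, "display_startup_errors": False,
            "log_errors": True}
ENABLED = {"1", "on", "true", "yes", "stdout", "stderr"}

# Constructed sample: development settings left on a live site.
WEAK_INI = """[PHP]
; errors are printed into the page, full file paths included
display_errors = On
log_errors = Off
"""

# Constructed sample: details go to a log file instead of the visitor.
HARDENED_INI = """[PHP]
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php_errors.log
"""

def parse_php_ini(text):
    """Return {directive: value}; a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # simplified comment handling
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def audit_error_settings(text):
    """Return one finding per directive that differs from EXPECTED."""
    settings = parse_php_ini(text)
    findings = []
    for name, want in EXPECTED.items():
        if name not in settings:
            findings.append(f"{name}: not set explicitly")
        elif (settings[name].lower() in ENABLED) != want:
            wanted = "On" if want else "Off"
            findings.append(f"{name} = {settings[name]} (want {wanted})")
    return findings

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_error_settings(ini))
```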

Tip #6: Enable HTTPS

Web servers commonly use hypertext transfer protocol (HTTP) to transmit data to and from users. The problem with this default setup is that information is exchanged in clear text. That means it’s open to potential interception and abuse. Nor does an HTTP connection verify that you are really connected to the site you think you are. Another danger spot!

HTTPS (the S stands for secure) addresses these insecurities by verifying connection details and encrypting all data that’s exchanged. When HTTPS is enabled, your website is much more secure. Google uses HTTPS so no one can intercept and read what you’re searching for.

You can tell if a site is using HTTPS by checking the URL (it should start with HTTPS). In addition, a lock icon will appear in the browser’s address bar next to the URL.

Tip #7: Run a security scan

One of the most effective ways to identify potential security holes is to run a security scan. Security scanners probe and assess your website for weaknesses a hacker might manipulate. There are many security tools available, including tools specifically geared to assess particular content management systems, such as the WP Security plugin for WordPress.

Security scanners don’t fix weaknesses; they only identify them. It’s up to you to patch or reconfigure to eliminate the problems.

Tip #8: Verify a firewall is installed and running

A firewall monitors all incoming and outgoing traffic to a server. Traffic is allowed or rejected based on rules defined by the firewall’s settings.

Your web host should have installed a firewall for you, but sometimes the firewall isn’t enabled or the settings need to be tweaked. Check with your host and make sure you have a firewall running. If not, implement one ASAP, as a firewall is a first line of defense that your website should have.

Every site is at risk from hackers, but following these tips will help keep your website safe. If you’re worried about your site’s security, TechTe.am can help. Choose a plan and let us help protect your site today.