As a brand with an online presence, security is of top priority. Hackers are always looking for loopholes and ways to compromise the security of your site. So, how can you secure your website? So, there are two levels that you can lock-down your website on and those are application and server.
Let’s discuss how you can secure your website on each level.
1. Security on Application level
Update script regularly: One of the first steps to secure your website is to update the script you’ve installed. Additionally, your focus should be on ensuring that any released update is installed to ensure you’ve plugged vulnerabilities. Since many of these tools are created on open software programs, they’re readily available to hackers however, this is not really a problem. Open source also has a huge advantage in that, hundreds and thousands of well-intentioned programmers have the opportunity to test for bugs and vulnerabilities and therefore could point out security issues that you make have overlooked. Ensuring you have the latest script updates minimizes the risk of intruders getting in. If you have third-party softwares on your website like a CMS or a forum, ensure you keep track of security patches through a mailing list or RSS feed detailing security issues. Tools like Composer, npm help manage software dependencies and vulnerabilities. It’s important to have your dependencies up to date. Try tools like Gemnasium to get notifications about vulnerabilities.
Use strong passwords and change passwords often: Yes, this seems basic but it’s important. If your password is easily guessable, you’re in trouble. According to the Telegraph, “123456” was the most commonly used password of 2016 followed by
Ensure your passwords are a combination of letters, both uppercase and lowercase, special characters and numerics. A truly secure password can prevent a security breach.
Delete installation folder: Once you’re done with the installation, ensure you delete the installation folder on your system to prevent hackers from any access or opportunity to get their hands on the folder and run the installer again. This is important because once in, the hacker can erase your database and take control of your website. In the case that you do not want to delete the folder, consider changing the name to avoid easy recognition. We’ve highlighted this in our earlier blog on Fault in the Default: 6 Simple Default Settings Tweaks to Secure Your WordPress site.
Use security plugins and website security tools: Plugins can boost the functionality of your script. There are tons of plugins that give your website and extra layer of security. Some website security tools that are useful are:
- Netsparker – for testing SQL injection and XSS
- OpenVAS – for testing known vulnerabilities
- SecurityHeaders.io – to quickly report security headers a domain has enabled
- Xenotix XSS – to confirm if your site’s inputs are vulnerable in web browsers
Change database table prefix: A blog or a website has a default database table prefix that every hacker is aware of. For example, WordPress has ‘wp’ as the table prefix which is very well known and therefore an easy entry point for intruders. A bunch of default settings like these on WordPress sites unknowingly expose your website to threats. Our earlier blog post calls each one out.
Limit error message information: The information you share on the error message can often be misused. Ensure you provider minimal information without mentions of the problem, server information like API keys, database passwords as access to this information can make hacking quite easy.
2. Security on Server level
Anti-Malware: Malware compromises passwords by stealing them when accounts are attacks. Malware can erase passwords used and stored by FTP and other programs. To protect your server against such attacks, ensure you install anti-malware and run scans on all computers which access the account. There are a number of scanners available depending on your operating system. SiteLock is a super simple and a fantastic security solution for scanning and malware removal. At ResellerClub, we’re offering SiteLock starting at just $0.99
Server Hardening: Server hardening is the process of enhancing server security through a number of ways to make the server environment secure. Hardening servers make them more resistant to server issues. Some ways to harden servers include data encryption, disabling unwanted SUID and SGID binaries, using security extensions, minimizing unnecessary software, hardening sysctl.conf, installing Root Kit Hunter and Chrootkit hunter etc.
Port Blocking: Knowing which ports to block is important for security. Here’s a list of ports used by well-known Trojans highlighted by the SANS Intrusion Detection FAQ and some guidelines for shutting down these known vulnerabilities.
Firewall: A firewall prevents all network access to your server. The Plesk firewall is easy and to set it up, requires you to follow these steps: Navigate to server > Firewall > Modules > Firewall. If you have a static IP address, you can create rules so that the server will only allow access from your IP address at your home and/or office.
PHP Upgrades: Most shared hosting providers offer various versions of the open source programming language, PHP butan old version could expose your site to attacks. According to w3techs, PHP version 5.3 is used by 31.1% and 5.4 is used by 29%. Both versions have reached the end of its life and could pose a big security threat. The latest version of PHP currently is 5.6 which released in August 2014 and is valid till 31st December, 2018. Here’s more on how you can upgrade your website php version.
MySQL Upgrades: While there are many implementations of the SQL database language available on Linux and Unix-like systems, one of the most popular is MySQL. However, if configured incorrectly, this tool can be a security liability. Here’s more on how to secure MySQL.
SSH access: SSH keys are cryptographic keys used to authenticate to an SSH server as an alternative password-based login. This kind of authentication is completely encrypted. They’re a lot more secure than passwords and include significantly more combinations for a hacker to run through. Many SSH key combinations are considered almost impossible to crack mostly by computing hardware because it would require too much time to run through possible matches.
Use Encryption / SSL (HTTPS in links): Since January 2017, Google has begun flagging websites without digital certificates and HTTPS links as ‘Not Secure’. This mandate has been implemented to tighten security across networks. HTTPS guarantees users than the information passed from one network to another is completely encrypted and can be read by no one. This is especially necessary for sites that require credit card and personal information.
Apart from being important for your visitors, it’s critical to secure your site too. A login form will often set a cookie which is sent with every other request to your site that a logged in user makes and is used to authenticate those requests. An intruder would be able to imitate a user and take over your user’s login session and make you vulnerable to attacks. To safeguard against such attacks consider using HTTPS throughout your site.
Server side validation / form validation: It is best to do validation on both the browser and server side. The browser can catch failures like mandatory fields that are empty and numerics in text fields. While these can be bypassed, deeper validation on the server side and failure to do so could lead to malicious code being inserted in your database. To prevent this and secure your server, a validation is necessary.
A confirmation field is a good practice to allow the user to input additional confirmation for things like passwords. This ensures that the customer puts in the right information.
The key to securing your website is to regularly audit your site – both on the application as well as server end. A well managed website is a secure website. By putting it into practice to do regular checks, you can be certain you’re doing your very best to lockdown your site. CodeGuard is a great solution for automatic backups in the cloud with full website resortation and to monitor daily changes so you never have to lose data in case of a security compromise. We at ResellerClub offer CodeGuard starting at just $0.98. Check it out!
Got more tips on how to tighten website security? We’d love to read about it in the comments section below.