The sad truth of the matter is that there are plenty of ways for intruders (and those with bad intentions) to cause website owners a ton of grief. This can range from attacking your website for the purpose of simply taking it down to attempting to hack it to spread malware. To combat this, it's important to be prepared. In this article, we'll share with you how to secure a website in 5 steps.
In fact, a study conducted by WP White Security found that 73% of all WordPress installations contained known vulnerabilities that would have quickly and easily been found through the utilization of automated tools.
It’s these types of security holes that have resulted in cyber criminals hacking into over 170,000 back in 2012 alone – a number that is probably even higher by now.
What makes websites vulnerable to hacking?
Websites are appealing targets to hackers for a wide variety of reasons, mainly the number of weak entry points – such as the numerous plugins available for CMS like WordPress.
Many people assume that, because CMS like WordPress and Drupal are highly popular and recognized names, there must be some form of protection. They can’t just leave all of their users vulnerable, right?
CMS are inherently open to attack because of the fact their foundation is an open source framework. These types of shared development environments have myriad benefits, but they also come with just as many issues.
Because of the popularity of the top CMS available out there, the security holes within these systems are actively being identified and targeted, both by the good guys (security research teams) and the bad guys (cyber criminals).
Once these holes have been found, they turn that particular CMS into treasure troves of data for cyber criminals, even to the point of creating an entry point for automated attacks on a massive scale.
To add salt to the wound, there are users who use the same passwords for all of their accounts, or even just use weak passwords. These leave their admin accounts open to attacks, even if they aren’t aware of it. This can result in their websites being injected with all sorts of malware and escalating the issue beyond the point of control.
These issues can even result in the websites becoming blacklisted by Google and other search engines, which adversely affects their business or brand as a whole.
How to get started securing a website
There are numerous things users can do to secure a website against vulnerabilities and fortify their systems from attack.
Using a strong password
To begin with, if your website is powered by a popular CMS such as WordPress, you want to makes sure that you secure it with a very strong password. Hackers and anyone using a WordPress website themselves are very familiar with how to access the administration interface and begin attempting to login.
Even if you are not using WordPress, it doesn't take much effort to scan a website for a login / admin interface so be sure that if someone DOES find this interface, they have no chance of logging in and taking over your website.
How to set up a strong password to secure a website
Always secure with a strong password to make this process harder for hackers and other cyber criminals. Additionally, you’re going to want to hash the password(s) you use by implementing a slow hashing algorithm.
BONUS: Block the IP for at least one minute after x amount of password authentication failures. Three is the recommended amount of attempts before IP blocking.
Use a secure password generator to create something that is next to impossible to guess: LastPass Secure Password Generator
Having a firewall in place is another important way to secure a website
Setting up a firewall will not only further secure your website / CMS, but it will also help you keep an eye on suspicious activity and track them by providing a related IP address for the source of that activity.
Once you’ve detected and found suspicious activity, you can then blacklist the IP the firewall provided.
Having said that, if you are not the type who wants to have to do these things manually, then it's a good idea to put in place a security service to do so for you. Most of the offerings out there are relatively reasonable in price and will save you a lot of headaches.
Our recommended website security company:
I recommend putting in place a website security service such as SiteGuarding.com to keep your website safe from hacking attempts. SiteGuarding is a security service that protects your website against malware and hacker exploits.
3 . ALWAYS Backup your CMS
This is one of the most essential aspects of CMS and website security and is actually just an overall good habit to have.
Have a backup system in place that will make it possible to recover your website in the event something happens. Always make sure your backups are updated as much as possible to avoid any security vulnerabilities or further problems down the road.
BONUS: Make sure your CMS and any extensions it may have are updated. These upgrades should be double-checked to ensure they are fully compatible with your system before you allow or make them. Of course, you’re always going to want to backup your CMS before conducting these updates.
If you currently don't have a means of backing up your website, we recommend going with a solid hosting company that offers this service for free.
Here are a few we recommend that have daily backups:
4 . Protect against SQL-injections
An SQL-injection is a cyber attack that embeds malicious code within your CMS and its backend database. Once it’s in there, that malicious code then creates database query results and / or actions that you definitely do not want executed.
There are several types of SQL-injections and they enable the cyber criminal to do a whole variety of things. These include:
- Editing, deleting, reading, or adding to the content of your CMS
- Accessing and reading source code from the files on the CMS server
- Write files to the server
While it is true that any one of those things relies heavily upon the capabilities of the cyber criminal, any SQL-injection can still lead to you losing control of your database and web server.
In order to prevent this from happening, use prepared statements, as these separate the structure and data. This allows the SQL server to interpret them without being open and vulnerable to a hacker that is trying to alter the structure of the SQL query for their own malicious purposes.
The best way to protect against these is to implement a website security service that will keep your site protected against attacks. Here's an example of an excellent one: Site Guarding
5 . Get an SSL Certificate
An SSL certificate (secure sockets layer) is the standard security technology that is used to produce an encrypted link that goes between the web server and the browser. It is this link that will ensure that the data that goes between the server and the browser will stay private and secure.
Adding an SSL certificate to your domain will not only add an additional layer of security to your CMS, but will also help with SEO because it tends to get your website ranked higher in search engines.
If you don't yet have an SSL certificate, get one here.
Website security is one of those things that can truly be considered a “Catch-22” type of situation.
The more cyber criminals are out there trying to gain access into people’s CMS, the more security researchers crack down on it and come with new methods of protection. The greater the security becomes, the harder the cyber criminals will work to gain access – and they do like challenges.
It’s really an ongoing battle that is seemingly without end.
But, where does that leave you and your CMS?
It’s hard to say for sure where your CMS lies within the cyber criminal-infested waters, but there are things you can do to ensure your CMS is as secure as you can possibly make it. These five methods of security will help reduce threats to your CMS and help keep your data out of jeopardy.
I'm a tech geek that began CMS Critic in 2008 to help focus on the Content Management Industry. Since that time, the industry has changed and this site has changed with it. Here you'll find my personal musings, rants and raves, reviews and more on all sorts of topics.