Keeping Your Website Secure In 2016 and Beyond
Apr 15, 2016
Whether you’re running a web store, managing a business or just putting up a personal blog for the world to read, there’s a good chance your site isn’t as secure as you believe it is.
Many web owners unknowingly create security risks in their sites, and hackers are ready to take advantage of those risks. That’s why it’s up to you to learn what you can do to protect yourself and your visitors, and implement things like better passwords, website segmentation, security updates and limited file permissions to lock your site down from those that want to harm it.
Update Your Platform Regularly
If you’re relying on a content management system to run your website, something like WordPress, Joomla or Magento, make sure that you keep it up to date at all times. Each of these platforms is regularly updated to patch security holes as they are found. Sure, many updates are for new features, but some will help make your site safer, so keep it up to date.
One Website One Server
One of the worst things you can do is to host many different websites all from the same hosting account if the files are kept in the same container. The more sites you cluster together, the more potential security holes. Not to mention that you’re creating a more desirable target for hackers. Instead, you should either seek out hosting accounts that keep each website segmented in its own personal container through virtualization and separate databases, or buy into multiple hosting accounts to ensure protection.
Set Difficult Passwords
For any of the user accounts on your website as well as your hosting account, it’s important that you set difficult passwords. Hackers will try and brute force their way into website accounts, and they might be successful if you have an obvious password. Instead, pick something that mixes capital and lowercase letters as well as numbers and symbols whenever possible. Consider changing passwords at least once a year to maintain your security over time. For additional security, look into password protecting your file directories.
Just be sure you have those passwords recorded somewhere, so you don’t get locked out of your own website!
Limit Those File Permissions
As the administrator of your own website, you have control over who has access to what. Unfortunately, you might be giving access to strangers without even realizing it, and it all starts on the server itself, where your files are stored. If you rely on a cPanel server, you can easily go into File Manager and edit permissions for each file by clicking the name and changing permissions. Otherwise, the easiest method for changing file permissions is to FTP into your server files and change the permissions there under the “Permissions” column.
Consider the Following Setup for File Security. Use the suggested settings below to protect your folders and files effectively.
- Directories and folders – 755
- Each individual file – 644
755 means that only you, the owner, can write to files, but it still gives everyone else the ability to read and execute the files on your server.
644 means that you can read and write each of the files, but everyone else can only read them.
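The 755 / 644 layout above can also be checked and applied from a shell on the server. This is an added example, not part of the original article; the directory you pass in is assumed to be your site's web root.

```shell
#!/bin/sh
# Added example: audit and apply the 755 / 644 layout described above.
# The web root path is whatever you pass in; nothing here is specific to a host.

# audit_perms DIR: list directories that are not 755 and files that are not 644.
audit_perms() {
    find "$1" -type d ! -perm 755 -print | sed 's/^/dir  /'
    find "$1" -type f ! -perm 644 -print | sed 's/^/file /'
}

# world_writable DIR: entries that any account on the server can modify.
# Symlinks are skipped because their own mode bits are not enforced.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# fix_perms DIR: set 755 on directories and 644 on files, changing only the
# entries that deviate.
fix_perms() {
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

# Stand-alone use: sh perms.sh /path/to/webroot   (report only, no changes)
if [ "$#" -ge 1 ]; then
    audit_perms "$1"
    echo "world-writable:"
    world_writable "$1"
fi
```

Run audit_perms first and review the list before calling fix_perms, since it changes every deviating entry under the directory.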
Choose Extensions Wisely
One of the biggest selling points of a platform like WordPress is all the extensions available to it. It’s great to be able to decide you want a feature on your website and then download a plugin to add it five minutes later. Unfortunately, many of those extensions create security holes in your site. Be careful to only get extensions when you absolutely need them and to choose popular extensions that have been updated recently whenever possible.
This isn’t a guarantee to keep your site from becoming vulnerable, but by choosing selectively you’ll at least reduce your risks.
Convert to a Full HTTPS Website
This change isn’t as simple as the ones outlined above, but it’s one of the most effective ways to protect your website. Many sites today still rely on HTTP (Hypertext Transfer Protocol), and only use HTTPS (Hypertext Transfer Protocol Secure) when running web stores and other very delicate actions. This is a mistake. It makes sense to use this more secure protocol for your entire website, and that’s exactly what you should do for enhanced security.
You’ll have to purchase an SSL Certificate and adjust all your website’s links to HTTPS.
The process will require some 301 redirects and maybe some help from the hosting company that you rely on. Make sure that you make the move during an off time for your site, because there will likely be some downtime involved.
Talk with your web hosting company to verify that HTTPS is supported and that you can do this without switching to someone else first.
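Before and after the switch, it helps to know which files still carry hard-coded http:// links. The script below is an added example, not part of the original article; the file extensions it scans and the host name example.test are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example: list hard-coded http:// references left in a site's files.
# The scanned extensions and the host name you pass in are assumptions.

# http_refs DIR HOST: print "tag<TAB>path:line:match" for every src/href/action
# attribute or CSS url() that still points at plain http://. The tag is "own"
# when the URL's host is HOST or www.HOST, otherwise "third-party".
http_refs() {
    pat="(src|href|action)=[\"']?http://[^\"' >]+|url\\([\"']?http://[^\"')]+"
    find "$1" -type f \( -name '*.html' -o -name '*.php' -o -name '*.css' \) \
        -exec grep -HnoE "$pat" {} + |
    awk -v host="$2" '{
        url = substr($0, index($0, "http://"))   # first http:// in the match
        h = substr(url, 8)                       # drop the scheme
        sub(/[\/:?#].*$/, "", h)                 # keep only the host part
        tag = (h == host || h == ("www." host)) ? "own" : "third-party"
        print tag "\t" $0
    }'
}

# Stand-alone use: sh http_refs.sh /path/to/webroot example.test
if [ "$#" -ge 2 ]; then
    http_refs "$1" "$2"
fi
```

Lines tagged "own" are links you can switch to https:// yourself; "third-party" lines point at other hosts, which need to offer HTTPS before the link can change.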
When you create a website using one of the many CMS solutions today, you’ll start off with a single admin account that has access to everything. These accounts are the ones you really don’t want to be compromised. After creating your website take some time and change obvious admin account names from admin to something less obvious like your personal name.
Also, add multiple accounts to your platform, even if you don’t plan on using them for anything. This gives hackers more than one target to deal with and makes picking an account with administrative rights more difficult.
You could even set up a decoy account called admin or administrator, with limited privileges. That’s what hackers will attack first most of the time. This is known as security by obscurity. This method is not enough alone, but offers an additional layer of protection when used with other strategies.
Stick to Secure Hosting Services
This one should be obvious, but always deal with a secure hosting service when trying to find someone to house your website. You must make sure that your delicate site information, such as database files and other core files, is protected behind a clustered firewall. The provider should rely on up-to-date technology and employ security professionals to keep watch over the server network at all times. Finally, this delicate information should be backed up regularly to keep information from being lost during an emergency or attack.
By performing these tasks, you’ll have a much more secure website. Too many site owners place themselves at risk by downloading unproven plugins, allowing strangers access to delicate files, and relying on simplistic passwords. These simple remedies should help make your site more difficult to breach, and give you peace of mind.
It’s important to know that this isn’t an extensive list of secure practices. Internet security is ever-changing, and by staying on top of current trends, you can minimize the risk of someone gaining unauthorized access to your site.
Talk with a web development firm that is knowledgeable in the field of web security to keep your business safe.