Best practices for securing your website
The web seems like a dangerous place lately, doesn’t it? We’re constantly hearing about some new piece of malware, or a website that was hacked and defaced, or a new vulnerability in what was once thought to be a secure protocol. I wouldn’t blame you for being paranoid -- after all, to hear the media tell it, your site’s under attack by criminals and ne’erdowells from all sides.
Here’s the thing -- if you’ve taken all the necessary steps to keep your site safe, you actually don’t have a whole lot to worry about. And that’s where we come in. Today, we’re going to talk about some best practices for securing your site, and protecting it against everything from infected clients to ignorant users. Let’s get started.
If You Use HTTPS, Keep Your Security Certificates Up to Date
First thing’s first, if you’re still using SSL 3.0 or an older version of TLS, do me a favor and smack yourself upside the head -- then update. They’re obsolete and riddled with vulnerabilities like BEAST, POODLE, and CRIME. What’s more, with Google pushing for SSL certificate transparency, it seems quite likely that whether or not you’re using a current certificate will soon become a ranking factor, alongside whether or not you use HTTPS at all.
Make Sure Your Web Design/Development Tools Are Properly Patched
Keeping with the theme of up-to-date applications, make sure any tools, frameworks, and platforms you use in the design, development, and management of your site are kept updated with the most current security patches. Otherwise, you’re subjecting your site -- and the information on it -- to a ton of unnecessary security holes. And if you’re targeted by a hacker, that’s bad news for your business.
Strong Passwords: Use Them
It sort of floors me how many people still use simple passwords like "12345" or "password" on the admin accounts of their websites. It’s no secret, after all, that the web is rife with brute force tools designed to seek out and break into sites with weak passwords. Not using a strong, difficult-to-guess password is just asking for trouble.
When developing your password, create something that’s easy for you to remember -- a string of unrelated words, for example. Once you’ve come up with something, run it through a tool like Password Meter. Oh, and one last word of advice -- if you’re using a CMS like WordPress, change the default admin username to something other than "admin".
Use Security Applications
Do you use an antivirus application on your computer? Does your router come with a firewall? Then why wouldn’t your website have the same security features? Installing tools and plugins like spam protection, malware scanners, and web application firewalls is something every webmaster needs to do, regardless of how large their site is.
Address Your Ad Network
I understand that not everyone has control over the ads that display on their site -- but if you’re one of those webmasters that do, then it falls on you to police them. Ad networks remain one of the most frequent delivery mediums for malware, and the rate of ad-based malware tripled between January 2014 and February 2015. That’s one of the reasons people have started using ad blockers.
Back It Up
Even if you do everything right, your website may fall prey to malware -- and in such situations, it’s vital that you’ve a current backup you can revert to. Ideally, you want to back your site up multiple times a day, including creating backups every time a user changes a file or updates a page.
Obfuscate Your Admin Directories
We’ve covered the obvious stuff -- now let’s talk about something a little less obvious. How have you named the admin directories on your website? If they’ve got identifiers like "admin" or "login", then you may be putting your website at risk, since a lot of hackers use scripts that scan website directories for certain words or phrases.
At the end of the day, security isn’t about making your website completely impenetrable. That’s impossible. Instead, it’s about layering on enough protection that, when a hacker assesses it, they conclude that it’d be too much effort to crack, and give up on attacking you in favour of someone with weaker protections.
Maxim Emelianov, vice president at HostforWeb.
Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.