You've built an amazing website for your business or blog, great. Now let's make it secure!
Security is very important! According to a 2012 Sophos Security Threat Report, on average 30,000 websites are hacked every day. That's a scary thought! Important and sensitive consumer information like credit card numbers, names and addresses, email addresses and social security numbers must be protected; if it isn't, this data could be stolen. Cyber criminals have also been known to plant malicious code on the sites of unsuspecting website owners, who then become vectors of transmission to their consumers, business partners, friends and even family. Fear not! I'm going to explain how you can lock down your website and keep you and your customers safe.
Update Whenever Possible
Always keep your software up to date and make sure that all the latest patches have been applied. Whenever a new update becomes available, apply it. That is, after you make a backup, of course.
Use Strong User Names and Passwords
Use strong user names and passwords; this is especially important for admin accounts. Don't ever use "admin" for your user name or "password" for your password. Tips for creating a secure password:
1.) Make it between 8-12 characters long. The longer it is, the harder it is to crack.
2.) Don't use names, user names, places, or dictionary words.
3.) Use variations of capitalization, punctuation, numbers and spelling.
You could also use a password generator like LastPass. Their link, should you want to use one, is listed below.
Set Appropriate File, Folder & Directory Permissions
Make sure to set appropriate file permissions. On Linux it works as follows: permissions are shown as a three-digit code where each digit is an integer between 0 and 7. The first digit represents permissions for the owner of the file, the second digit represents permissions for anyone assigned to the group that owns the file, and the third digit represents permissions for everyone else. The values are assigned as follows, and a digit is the sum of the values it grants:
4 = Read
2 = Write
1 = Execute
0 = no permissions for that user
You want to set files to "644". The 6 in the first position (4 + 2) means the owner can read and write these files. The 4 in the second and third positions means that everyone else can only read them.
Now you need to set your folders and directories to be “777”, so that anyone can read, write and execute to those folders and directories. The way to do this varies by hosting provider. If you check with yours, then they should be able to help you do this.
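The following script is an added example, not code from the original post, that puts the digit scheme above into working form on a Linux or BSD host: it decodes a three-digit mode into rwx triplets, lists every path that is writable by everyone else, and applies 644 to files. It assumes a POSIX shell with find, chmod and ls; the function names are mine. The 755 directory setting in harden_tree is also my choice rather than the post's: by the post's own table, 777 grants read, write and execute to everyone, and 755 keeps the execute (traverse) bit for everyone while dropping their write bit, which is what hosting providers commonly recommend unless yours says the web server needs more.

```sh
#!/bin/sh
# Added example (not from the post): decode and apply the octal permission
# digits described above on a Linux/Unix host with find, chmod and ls.

# Turn one digit 0-7 into its rwx triplet (4 = read, 2 = write, 1 = execute).
perm_bits() {
  d=$1; r='-'; w='-'; x='-'
  [ $((d & 4)) -ne 0 ] && r='r'
  [ $((d & 2)) -ne 0 ] && w='w'
  [ $((d & 1)) -ne 0 ] && x='x'
  printf '%s%s%s' "$r" "$w" "$x"
}

# Decode a three-digit mode such as 644 into owner/group/other triplets.
decode_mode() {
  m=$1
  first=${m%??}; rest=${m#?}; second=${rest%?}; third=${m#??}
  printf '%s%s%s\n' "$(perm_bits "$first")" "$(perm_bits "$second")" "$(perm_bits "$third")"
}

# Ten-character mode string of a path as ls shows it (e.g. -rw-r--r--);
# works the same on GNU and BSD, unlike stat's format flags.
mode_string() {
  ls -ld "$1" | cut -c1-10
}

# List every path under $1 whose "everyone else" digit has the write (2) bit set.
world_writable() {
  find "$1" -perm -002 -print | sort
}

# Apply 644 to files. Directories get 755 here (owner rwx, everyone else r-x):
# the post's 777 also hands write access to everyone, and 755 is what hosts
# commonly recommend unless your host says the web server needs more.
harden_tree() {
  find "$1" -type f -exec chmod 644 {} +
  find "$1" -type d -exec chmod 755 {} +
}

# Stand-alone run: show what the two modes discussed above actually grant.
printf '644 -> %s\n' "$(decode_mode 644)"   # rw-r--r--
printf '777 -> %s\n' "$(decode_mode 777)"   # rwxrwxrwx
printf '755 -> %s\n' "$(decode_mode 755)"   # rwxr-xr-x
```

To use it on a real site, run `world_writable /path/to/site` first to see what is currently open to everyone, then `harden_tree /path/to/site` and re-run the check, which should print nothing. Hosting providers that run PHP as your own user generally need no more than this; if your host documents a different requirement, follow theirs.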
Install Security Plugins
Install security plugins. WordPress has a ton of really great security plugins out there. Some of the better ones automate things like changing folder permissions, the admin user name and password, and renaming your database.
Change Your Database's Prefix
Change the prefix of your database's name. The default one for a WordPress site is wp. If you leave the default in place and your site does get hacked, it wouldn't be hard for the attacker to extract data from your website's database.
Password Protect Your Database
Password protect your database! This is just another layer of defense you can add to your website that won't slow it down, but it should slow down hackers.
Delete the Installation Folder
Delete the installation folder. You don't need it anymore. If you don't, someone could re-run the installation file, empty your database and take complete control of your website. If you don't want to delete it, then at least rename it.
Use Secure FTP Access
Use secure FTP access. Using SFTP instead of plain FTP ensures that no one is able to sniff the files you upload to or download from your web server.
Guard Root Access
Restrict root access. Be extremely cautious about who you give root access to, since it covers all of your site's directories and files. I would not recommend giving it to anyone unless you are 100% sure that they aren't going to do anything malicious to your site and that they actually know what they are doing.
Keep Your .htaccess Files
Make sure that you have .htaccess files. An .htaccess file specifies the access and security rules for whatever directory it is in. Be sure not to delete them by accident.
Prevent Multiple Failed Login Attempts
Restrict login attempts to your admin panel or website. This will help prevent unauthorized people from accessing the back end of your website. By limiting how many times someone can attempt to enter the correct user name and password combination, you make guessing your credentials much harder. You can also set how long they will be locked out, or even ban users that reach a certain number of invalid login attempts within a certain time frame.
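As an added example that is not part of the post, here is how the "certain number of failed attempts within a certain time frame" rule can be checked against a web server access log by hand, which is a useful way to confirm that a limiting plugin is actually doing its job. The log lines are constructed samples in Apache combined format using documentation-range addresses, and the script assumes a default WordPress install, where a failed wp-login.php POST re-renders the form with HTTP 200 while a successful one redirects with 302; the function name is mine.

```sh
#!/bin/sh
# Added example (not from the post): count failed wp-login.php attempts per client
# address per minute in a combined-format access log and report the addresses
# that reach a threshold. Assumes a default WordPress install, where a failed
# login re-renders the form (HTTP 200) and a successful login redirects (302).

# Constructed sample log lines (documentation-range addresses, not a real server).
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2012:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2910 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2012:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2012:13:56:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2012:13:57:01 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"'

# Usage: flag_brute_force THRESHOLD < access.log
# Prints each client address that made >= THRESHOLD failed login POSTs within one minute.
flag_brute_force() {
  awk -v thr="$1" '
    # Fields: $1 client, $4 [day/Mon/year:HH:MM:SS, $6 "METHOD, $7 path, $9 status
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 {
      split($4, t, ":")                    # t[2] = HH, t[3] = MM
      key = $1 " " t[1] ":" t[2] ":" t[3]  # one bucket per client per minute
      fails[key]++
    }
    END {
      for (k in fails) {
        if (fails[k] + 0 >= thr + 0) {
          split(k, p, " ")
          if (!(p[1] in seen)) { seen[p[1]] = 1; print p[1] }
        }
      }
    }'
}

# Stand-alone run over the constructed sample: only 203.0.113.7 (5 failures in 13:55)
# should be reported; 198.51.100.4 failed once and then logged in successfully.
printf '%s\n' "$SAMPLE_LOG" | flag_brute_force 5
```

On a live server the same function reads the real log (`flag_brute_force 5 < /var/log/apache2/access.log`, path depending on your host). The one-minute bucket is deliberately simple; a plugin that limits logins usually tracks a sliding window and also counts XML-RPC logins, so treat this as a spot check rather than a replacement.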
Backup, Backup, Backup Your Website!
Back up your website often. This is very important! If something does happen, your website goes down or is compromised, and you don't have a backup, then you could be in serious trouble!
Use Site Scans to Detect Malware
Some hosting providers offer site scanning software that is geared toward detecting malware on your website. If you are using Google Webmaster Tools, it includes a security report that tells you if any malware is detected and lists the affected files for you. You can also find plugins and extensions that will do this automatically and notify you if anything is detected. Another option is to use third party services like the ones listed below.
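Scanners like the ones above look for known-bad content; a complementary check you can run yourself, whatever your host offers, is a file-integrity baseline that tells you which files changed since you last looked. The script below is an added example, not code from the post or from any of the services mentioned: it records a SHA-256 digest for every file under the site directory, and a later run diffed against the baseline lists files that were added, modified or removed. It assumes sha256sum (coreutils) or shasum (BSD/macOS) is installed; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the post): a minimal file-integrity baseline for a
# site directory. Record a SHA-256 per file once, re-run later, and diff the two
# listings to see added, modified and removed files.

# SHA-256 of one file, printed as a bare hex digest.
file_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | cut -d' ' -f1
  else
    shasum -a 256 < "$1" | cut -d' ' -f1
  fi
}

# Usage: hash_tree DIR  -> lines of "<digest> ./relative/path", sorted by path.
hash_tree() {
  ( cd "$1" && find . -type f -print | sort | while IFS= read -r f; do
      printf '%s %s\n' "$(file_hash "$f")" "$f"
    done )
}

# Usage: compare_baseline OLD NEW  -> one "added|modified|removed <path>" line per change.
compare_baseline() {
  awk '
    { path = substr($0, length($1) + 2) }          # everything after the digest, so spaces in names survive
    FILENAME == ARGV[1] { old[path] = $1; next }   # first file is the baseline
    !(path in old) { print "added " path; next }
    old[path] != $1 { print "modified " path }
    { delete old[path] }                           # whatever is left at the end was removed
    END { for (p in old) print "removed " p }
  ' "$1" "$2"
}

# Typical use:
#   hash_tree /path/to/site > baseline.txt        # once, right after a clean install or update
#   hash_tree /path/to/site > current.txt         # later, e.g. from a daily cron job
#   compare_baseline baseline.txt current.txt     # anything printed deserves a look
```

Keep the baseline somewhere the web server cannot write (outside the document root, or on another machine), otherwise an intruder who can change your files can also update the baseline to match. Expect noise from caches and upload directories; re-baseline after every legitimate update so that the list stays short enough to actually read.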
Use a CDN
As another option, you can use a CDN (content delivery network). These can help speed up your site and keep it more secure in several ways. CDNs act as a middleman, forcing traffic trying to reach your site to go through them first. This helps filter out bad traffic like bots, spam and hackers. They deliver web pages from their content delivery servers, which are distributed worldwide so they are closer to your end users, and this speeds up your site. CDNs can also absorb large surges in traffic, and some can help with DDoS attacks. They also serve static content from your site, which can be a lifesaver if your site goes down, since they can keep serving cached versions of your pages. Some popular CDNs are Cloudflare, MaxCDN and Amazon CloudFront. You can check them out here.
Amazon CloudFront: https://aws.amazon.com/cloudfront/
Install an SSL Certificate
This ensures that all of your website traffic is encrypted and thus prevents your data transmissions to and from your web server from being snooped or eavesdropped upon. Here are some of the most popular SSL Certificate providers.