Having a website has become easier than ever due to the proliferation of great tools and services in the web development space. Content management systems (CMS) like WordPress, Joomla!, Drupal, Magento, and others allow business owners to build an online presence rapidly. The CMS’s highly extensible architectures, rich plugins, and effective modules have reduced the need to spend years learning web development before starting to build a website.
The ease of launching an online business or personal website is great. However, there are some negative side effects. We see many webmasters who do not understand how to make sure their website is secure. There is a misunderstanding when it comes to the importance of securing their website, and whose responsibility it is.
Today, let’s look at the top 10 steps every website owner should take to keep their website secure.
1 – Update, Update, Update!
This is something we cannot stress enough here at Sucuri. Countless websites are compromised every day due to outdated and insecure software.
It is incredibly important to update your site as soon as a new plugin or CMS version is available. Those updates often contain security enhancements or patch a vulnerability, and once a patch is public, attackers can read it to work out what it fixes.
Most website attacks are automated. Bots are constantly scanning every site they can for any exploitation opportunities. It is no longer good enough to update once a month or even once a week because bots are very likely to find a vulnerability before you patch it.
This is why we also recommend using a website firewall. A firewall can “virtually patch” a known vulnerability by blocking the requests that exploit it, which protects the site in the window between the vulnerability becoming public and you applying the update. It is a safety net, not a substitute for updating.
If you have a WordPress website, I personally recommend the plugin ‘WP Updates Notifier‘. It emails you to let you know when a plugin or WordPress core update is available.
2 – Passwords
Having a secure website depends a lot on your security posture. Have you ever thought of how the passwords you use can threaten your website security?
In order to clean up infected websites, we often need to log into a client’s site or server using their admin user details. It is shocking how insecure administrator and root passwords can be. With logins like admin/admin you might as well not have a password at all.
There are many lists of passwords leaked in breaches available online. Hackers combine these with dictionary word lists and substitution rules to generate even larger lists of candidate passwords. If a password you use is on one of those lists, it is just a matter of time before your site is compromised.
Our tips for you to have a strong password are:
- Do not reuse your passwords. Every single password you have should be unique. A password manager can make this easier.
- Have long passwords. Try longer than 12 characters. The longer the password is, the longer it will take a computer program to crack it.
- Use random passwords. Password-cracking programs can guess millions of passwords in minutes if they contain words found online or in dictionaries. If you have real words in your password, it isn’t random. If you can easily speak your password, it means that it is not strong enough. Even using character replacement (i.e. replacing letter O with number 0) is not enough.
Password managers are brilliant tools: they store all your passwords in encrypted form and can generate a random password at the click of a button. They make strong passwords practical by taking away the work of memorizing weaker ones or jotting them down.
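To see why tricks like “P@ssw0rd!” or “Summer2024!!” do not survive an automated attack, here is a short Python example added to this post (it is not a Sucuri tool). It undoes the usual substitutions the way a cracking rule set does, checks the result against a constructed breach list and word list (stand-ins for the real, much larger lists), and shows how a password manager generates a random password with a cryptographic random source. The list contents are made up for the example.

```python
import re
import secrets
import string

# Constructed stand-ins for the real lists: the public breach corpora and
# dictionaries attackers use hold millions of entries, these hold a handful.
BREACHED = {"password", "123456", "qwerty", "letmein", "admin", "welcome", "iloveyou"}
WORDS = {"secure", "summer", "dragon", "monkey", "master", "shadow", "password", "welcome"}

# Substitutions a cracking rule set undoes before comparing against word lists.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reverse the tricks people use to 'strengthen' a word: case, a trailing
    run of digits/symbols, and leet substitutions. 'P@ssw0rd!' becomes 'password'."""
    lowered = password.lower()
    stripped = re.sub(r"[\d!@#$%^&*._-]+$", "", lowered)
    return stripped.translate(LEET)


def weaknesses(password: str) -> list[str]:
    """Return the reasons a password would fall to an automated attack (empty = none found)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    norm = normalize(password)
    if norm in BREACHED:
        problems.append("appears in a breach list once substitutions are undone")
    for run in re.findall(r"[a-z]{4,}", norm):
        if run in WORDS:
            problems.append(f"contains the dictionary word '{run}'")
            break
    return problems


def generate(length: int = 20) -> str:
    """Generate a random password the way a password manager does: CSPRNG, full alphabet."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("admin", "P@ssw0rd!", "Summer2024!!", generate()):
        print(f"{candidate!r}: {weaknesses(candidate) or 'no obvious weakness'}")
```

Note that “Summer2024!!” passes the length rule and still fails: length alone does not help when the password is a word plus a predictable suffix, which is exactly what the rule sets are built to strip.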
3 – One Site = One Container
We understand that hosting many websites on a single server can seem ideal, especially if you have an ‘unlimited’ web hosting plan. Unfortunately, this is one of the worst security practices we commonly see. Hosting many sites in the same location, under one account or one system user, creates a very large attack surface.
You need to be aware that cross-site contamination is very common. It happens when a site is compromised through a neighboring site on the same server because of poor isolation in the server or account configuration: when every site runs as the same system user, code running in one site can read and write the files of all the others.
For example, a server containing one site might have a single WordPress install with a theme and 10 plugins that an attacker can target. If you host five sites on the same server, an attacker might instead have three WordPress installs, two Joomla installs, five themes and 50 plugins to choose from. To make matters worse, once an attacker has found an exploit in one site, the infection can spread easily to the other sites on the same server.
Not only can this result in all your sites being hacked at the same time, it also makes the cleanup process much more time consuming and difficult. The infected sites can continue to reinfect one another, causing an endless loop.
After the cleanup is successful, you now have a much larger task when it comes to resetting your passwords. Instead of just one site, you have a number of them. Every single password associated with every website on the server must be changed after the infection is gone. This includes the CMS admin users, the database users and the File Transfer Protocol (FTP) users for every single one of those websites. If you skip this step, the websites could all be reinfected and you are back to square one.
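If you do have to run more than one site on a server, the minimum is to give each its own system user so that a compromise of one cannot read the other’s files. As an added illustration (not part of the original post), here is what that looks like with two PHP-FPM pools; the pool names, user names, socket paths and directories are examples and will differ on your server:

```ini
; /etc/php/8.2/fpm/pool.d/shop.conf  -- one pool per site, each as its own Unix user
[shop]
user  = site-shop
group = site-shop
listen = /run/php/shop.sock
listen.owner = www-data
listen.group = www-data
listen.mode  = 0660
; PHP in this pool can only open files under its own docroot and scratch directory
php_admin_value[open_basedir]      = /var/www/shop:/tmp/shop
php_admin_value[upload_tmp_dir]    = /tmp/shop
php_admin_value[session.save_path] = /tmp/shop
; optional: remove shell-execution functions a dropped web shell would rely on
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen

; /etc/php/8.2/fpm/pool.d/blog.conf  -- the neighboring site, a different user and socket
[blog]
user  = site-blog
group = site-blog
listen = /run/php/blog.sock
listen.owner = www-data
listen.group = www-data
listen.mode  = 0660
php_admin_value[open_basedir]      = /var/www/blog:/tmp/blog
php_admin_value[upload_tmp_dir]    = /tmp/blog
php_admin_value[session.save_path] = /tmp/blog
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
```

For the isolation to hold, the document roots must match: own each site’s files by its pool user with the web server’s group (for example site-shop:www-data), with directories set to 750 and files to 640, so the web server can serve static files but the blog pool’s user gets nothing from the shop’s directory, wp-config.php included. Point each site’s web server configuration at its own socket.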
4 – Sensible User Access
This rule only applies to sites with multiple users or logins. Every user should have only the permissions they need to do their job. If elevated permissions are needed briefly, grant them and reduce them again once the job is done. This is the principle of least privilege.
For example, if someone wants to write a guest blog post for you, make sure their account does not have full administrator privileges. Your friend’s account should only be able to create new posts and edit their own posts because there is no need for them to be able to change website settings.
Having carefully defined user roles and access rules limits the damage that mistakes can do. It also reduces the fallout of a compromised account and limits what a ‘rogue’ user can do. A frequently overlooked part of user management is accountability and monitoring: if multiple people share a single user account and an unwanted change is made under it, how do you find out which person on your team was responsible?
Once you have separate accounts for every user, you can keep an eye on their behavior by reviewing logs and knowing their usual tendencies, like when and where they normally access the website. This way, if a user logs in at an odd hour, or from a suspicious location, you can investigate.
Keeping audit logs is vital to staying on top of any suspicious change to your website. An audit log is a record of the events on a website (logins, content changes, plugin installs, setting and role changes) so you can spot anomalies and confirm with the person in charge that their account hasn’t been compromised.
We know that it may be hard for some users to keep and review audit logs manually. If you have a WordPress website, you can use our free Security Plugin, which can be downloaded from the official WordPress repository.
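The “odd hour, odd location” check described above is easy to automate once you have per-user logs. The following Python example was written for this post (it is not the Sucuri plugin’s code): it builds a baseline of each user’s usual source IPs and login hours from the first days of a constructed audit log, then flags later events that come from a new address, fall outside the usual hours, or perform a sensitive action. The log lines, user names and IP addresses are made up for the example; the line format is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit log (not from a real site): timestamp, user, source IP, event.
LOG = """\
2024-03-04T09:12:01Z user=alice ip=198.51.100.7 event=login_success
2024-03-04T09:45:13Z user=alice ip=198.51.100.7 event=post_published
2024-03-05T10:02:44Z user=alice ip=198.51.100.7 event=login_success
2024-03-05T14:30:00Z user=bob ip=203.0.113.22 event=login_success
2024-03-06T08:58:19Z user=alice ip=198.51.100.7 event=login_success
2024-03-06T15:11:05Z user=bob ip=203.0.113.22 event=plugin_installed
2024-03-07T03:17:42Z user=alice ip=192.0.2.99 event=login_success
2024-03-07T03:19:08Z user=alice ip=192.0.2.99 event=user_role_changed
2024-03-07T13:40:27Z user=bob ip=203.0.113.22 event=login_success
"""

# Actions worth a second look even from a known user at a normal hour.
SENSITIVE = {"plugin_installed", "user_role_changed", "settings_changed", "file_edited"}


def parse(line: str) -> dict:
    """'2024-03-04T09:12:01Z user=alice ip=... event=...' -> dict with a timezone-aware ts."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def build_baseline(records: list[dict], until: datetime) -> dict:
    """Usual source IPs and active hours per user, learned from records before `until`."""
    base = defaultdict(lambda: {"ips": set(), "hours": set()})
    for r in records:
        if r["ts"] < until:
            base[r["user"]]["ips"].add(r["ip"])
            base[r["user"]]["hours"].add(r["ts"].hour)
    return base


def suspicious(records: list[dict], baseline: dict, since: datetime) -> list[tuple[str, str, list[str]]]:
    """Events from `since` onward that deviate from the user's baseline or are sensitive."""
    findings = []
    for r in records:
        if r["ts"] < since:
            continue
        reasons = []
        profile = baseline.get(r["user"])
        if profile is None:
            reasons.append("no history for this user")
        else:
            if r["ip"] not in profile["ips"]:
                reasons.append(f"new source IP {r['ip']}")
            lo, hi = min(profile["hours"]), max(profile["hours"])
            # allow an hour of slack either side of the observed window
            if not (lo - 1 <= r["ts"].hour <= hi + 1):
                reasons.append(f"unusual hour {r['ts'].hour:02d}:00 UTC (usually {lo:02d}-{hi:02d})")
        if r["event"] in SENSITIVE:
            reasons.append(f"sensitive action {r['event']}")
        if reasons:
            findings.append((r["ts"].isoformat(), r["user"], reasons))
    return findings


def analyze(log_text: str = LOG, cutoff: datetime = datetime(2024, 3, 7, tzinfo=timezone.utc)):
    """Learn from everything before `cutoff`, then review everything from `cutoff` on."""
    records = [parse(line) for line in log_text.splitlines() if line.strip()]
    return suspicious(records, build_baseline(records, cutoff), cutoff)


if __name__ == "__main__":
    for ts, user, reasons in analyze():
        print(f"{ts} {user}: " + "; ".join(reasons))
```

On the sample data only alice’s 03:17 login from a new address and the role change that follows it are reported; bob’s afternoon login from his usual address is not. In practice you would also pull the country from the IP and alert on the first sighting per user, but the structure is the same.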
5 – Change the Default CMS Settings!
Today’s CMS applications (although easy to use) can be tricky from a security perspective for end users. By far the most common attacks against websites are entirely automated, and many of them rely on sites still running with their default settings.
This means that you can avoid a large number of attacks simply by changing the default settings when installing your CMS of choice.
For example, some CMS applications keep their own files writable by the web server and let any administrator install or edit extensions straight from the dashboard. That is convenient, but it also means an attacker who gets hold of an admin session can use the same feature to write a backdoor to disk.
There are settings you may want to adjust to control comments, user registration, and the visibility of your user information. File permissions, which we discuss later, are another default that can be hardened.
You can either change these default details when installing your CMS or later, but don’t forget to do it.
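As an added example for WordPress (not from the original post; other CMSs have their own equivalents), these are the kinds of defaults worth changing in wp-config.php. The table prefix value is made up; the constants are standard WordPress settings.

```php
<?php
// Lines to add to wp-config.php, above the "/* That's all, stop editing! */" marker.

// Remove the in-dashboard theme/plugin code editor. An attacker holding an admin
// session would otherwise use it to write a PHP backdoor into a theme file.
define('DISALLOW_FILE_EDIT', true);

// Stricter: also block plugin/theme installs and updates from the dashboard.
// Only enable this if you deploy and update with WP-CLI or a pipeline, because it
// also switches off WordPress's background (automatic) updates.
// define('DISALLOW_FILE_MODS', true);

// Keep minor/security core releases installing themselves.
define('WP_AUTO_UPDATE_CORE', 'minor');

// AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four *_SALT values:
// replace the "put your unique phrase here" placeholders of the sample config with
// fresh values from https://api.wordpress.org/secret-key/1.1/salt/ so that cookies
// and nonces cannot be forged with the well-known defaults.

// Pick a non-default table prefix at install time (changing it afterwards means
// renaming every table and a few option values).
$table_prefix = 'h4v_';

// Never show PHP errors (file paths, queries, database details) to visitors.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
@ini_set('display_errors', '0');
```

Changing the default “admin” username and disabling open user registration are done from the dashboard rather than this file, but belong on the same checklist.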
6 – Extension Selection
The extensibility of CMS applications is something webmasters love, but it can also be one of their biggest weaknesses. There are plugins, add-ons, and extensions that provide virtually any functionality you can imagine. But how do you know which one is safe to install?
Here are the things I always look for when deciding which extensions to use:
- When the extension was last updated: If the last update was more than a year ago, I get concerned that the author has stopped work on it. I much prefer to use extensions that are actively being developed because it indicates that the author would at least be willing to implement a fix if security issues are discovered. Furthermore, if an extension is not supported by the author, then it may stop working if core updates cause conflicts.
- The age of the extension and the number of installs: An extension by an established author with numerous installs is more trustworthy than one with few installs released by a first-time developer. Experienced developers tend to have a better grasp of secure coding practices, and they also have a reputation to lose by inserting malicious code into their extension.
- Legitimate and trusted sources: Download your plugins, extensions, and themes from legitimate sources. Watch out for free versions pirated and infected with malware. There are some extensions whose only objective is to infect as many websites as possible with malware.
7 – Backups
Having a hacked website is not something you would like to experience, but you don’t want to be caught off guard in case the worst happens.
Having website backups is crucial to recovering your website from a major security incident. Though it shouldn’t be considered a replacement for having a website security solution, a backup can help recover damaged files.
A good backup solution should fulfill the following requirements:
- First, they have to be off-site. If your backups are stored on your website’s server, they are as vulnerable to attacks as anything else there, and to hardware failure too. Storing backups on your web server is also a security risk in its own right: those archives often contain older, unpatched versions of your CMS and extensions plus database dumps with credentials, and if they sit in a web-accessible directory they give attackers easy access.
- Second, your backups should be automatic. You do so many things every day that having to remember to backup your website might be unthinkable. Use a backup solution that can be scheduled to meet your website needs.
- Finally, have reliable recovery. This means keeping more than one backup, retaining several restore points, and actually testing a restore to make sure the backups work. With multiple restore points you can recover files from a point before the hack occurred rather than from a copy that was already infected.
8 – Server Configuration Files
Get to know your web server configuration files:
- Apache web servers use httpd.conf, plus per-directory .htaccess files,
- Nginx servers use nginx.conf (and the files it includes),
- Microsoft IIS servers use web.config.
Server configuration files are very powerful: they let you add rules the server enforces on every request, including directives that improve your website security. The .htaccess and web.config files are most often found in the root web directory; nginx does not read per-directory files, so its rules go in the main configuration.
If you aren’t sure which web server you use, run your website through Sitecheck and click the Website Details tab.
Here are a few rules that I recommend you research and add for your particular web server:
- Prevent directory browsing: This prevents malicious users from viewing the contents of every directory on the website. Limiting the information available to attackers is always a useful security precaution.
- Prevent image hotlinking: While this isn’t strictly a security improvement, it does prevent other websites from displaying the images hosted on your web server. If people start hotlinking images from your server, the bandwidth allowance of your hosting plan might quickly get eaten up displaying images for someone else’s site.
- Protect sensitive files: You can set rules to protect certain files and folders. CMS configuration files are among the most sensitive files on the web server because they contain the database login details in plain text. Other locations, like admin areas, can be locked down to known addresses. You can also block PHP execution in directories that hold images or accept uploads, so an uploaded “image” that is really a script cannot be run.
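Here are the three rules above written out for Apache 2.4, as an added example (not taken from the original post). The domain, address range and file names are examples; the two sections at the end go in separate .htaccess files in the admin and upload directories, so they are shown commented out here.

```apache
# /var/www/example.com/.htaccess  (site root; needs AllowOverride in httpd.conf)

# 1. Prevent directory browsing
Options -Indexes

# 2. Prevent image hotlinking: allow an empty referer (direct visits, some proxies)
#    and your own domain, refuse every other referer with 403
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|png|gif|webp|svg)$ - [F,NC]

# 3. Protect sensitive files: config files of common CMSs, plus .htaccess and .env
<FilesMatch "^(wp-config\.php|configuration\.php|settings\.php|\.htaccess|\.env)$">
    Require all denied
</FilesMatch>

# --- wp-admin/.htaccess (separate file): admin area only from known addresses ---
# Require ip 203.0.113.0/24

# --- wp-content/uploads/.htaccess (separate file): never execute scripts here ---
# <FilesMatch "\.(php|phtml|phar)$">
#     Require all denied
# </FilesMatch>
```

Restricting the admin area by address also blocks any front-end feature that posts to the admin directory, so test the site after adding it. On nginx the equivalents are `autoindex off;` in the server block and a `location` block under the uploads path that returns 403 for `.php` requests.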
9 – Install SSL
SSL is the acronym for Secure Sockets Layer, the technology that establishes an encrypted link between a web server and a browser. Its successor is TLS (Transport Layer Security); every version of the SSL protocol itself is now obsolete and should be disabled, but the name “SSL certificate” has stuck, and that is the sense used here.
I was hesitant to include SSL as a tip to improve your website security because there is a lot of misleading information suggesting that installing SSL will solve all your security issues.
Let’s be clear: SSL does nothing to protect your site itself against attacks such as exploited plugin vulnerabilities or stolen credentials, and it does not stop a hacked site from distributing malware; it simply delivers that malware over an encrypted connection.
We have written a blog post to explain the difference between SSL and website security.
SSL encrypts communications between Point A and Point B, i.e. the website server and the visitor’s browser. This encryption matters for one specific reason: it prevents anyone sitting on the network path from reading or tampering with that traffic, known as a Man in the Middle (MITM) attack. SSL is a great way to protect passwords and credit card info (as well as other sensitive data) in transit, and initiatives like Let’s Encrypt have made certificates freely available.
With the push from Google to label HTTP websites as “Not Secure”, SSL is crucial for all websites. Forcing HTTPS is unavoidable for e-commerce websites and for any website that accepts form submissions with sensitive user data or Personally Identifiable Information (PII).
The certificate and the encryption it enables protect your visitors’ information in transit. Encrypting cardholder data in transit is also one of the PCI DSS requirements, so it helps you avoid the fines and legal issues that come with being found noncompliant, although it does not satisfy PCI DSS on its own.
If you are thinking about installing SSL on your site, you can follow our guide to learn more.
10 – File Permissions
File permissions define who can do what to a file.
Each file has 3 permissions available and each permission is represented by a number:
- ‘Read‘ (4): View the file contents.
- ‘Write‘ (2): Change the file contents.
- ‘Execute‘ (1): Run the program file or script.
If you want to allow multiple permissions, simply add the numbers together, e.g. to allow read (4) and write (2) you set the user permission to 6. If you want to allow a user to read (4), write (2) and execute (1) then you set the user permission to 7.
There are also 3 user types:
- Owner – Usually the creator of the file, but this can be changed. Only one user can be the owner.
- Group – Each file is assigned a group, and any user who is part of that group will get these permissions.
- Public – Everyone else.
So, if you want the owner to have read and write access (4 + 2 = 6), the group to have read-only access (4), and the public to have no access (0), the file permission settings are 6 for the owner, 4 for the group and 0 for the public.
When you view the file permissions, this is shown as 640.
Folders have the same permissions structure. The only difference is what ‘execute’ means: on a folder it grants the right to enter it and reach the files inside. You will usually want it on for the owner (a typical folder is 755).
Most CMS installs have all the permissions correctly configured by default. So why did I just spend so much time explaining how permissions work? When searching for solutions to permissions errors, all over the web you will find misinformed people advising you to change file permissions to 666 or folder permissions to 777.
This advice will usually fix any permissions errors, but it is terrible advice from a security perspective.
If you set a file permission to 666 or a folder permission to 777 you have just allowed *anyone* on the server, including a compromised neighboring account or the web server process itself, to insert malicious code into your files or delete them!
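The quickest way to catch the 666/777 mistake is to look for it. The following Python script is an added example for this post (not a Sucuri tool): it builds a throwaway directory tree with the classic bad permissions, reports every world-writable entry and every config file readable by “public”, then resets the tree to the 755/644/640 baseline described above instead of loosening it. The file names it treats as config files are a small assumed list.

```python
import stat
import tempfile
from pathlib import Path

# Sane baseline for a typical CMS install: directories 755, files 644, and the
# config file (database credentials in plain text) 640 so 'public' cannot read it.
DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o640
# Assumed list of config file names for a few common CMSs.
CONFIG_NAMES = {"wp-config.php", "configuration.php", "settings.php", "env.php"}


def describe(st_mode: int) -> str:
    """Show a mode both ways the text compares them: '640 (rw-r-----)'."""
    return f"{stat.S_IMODE(st_mode):03o} ({stat.filemode(st_mode)[1:]})"


def audit(root) -> list[tuple[str, str]]:
    """Report world-writable entries (the 666/777 mistake) and config files everyone can read."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue
        st_mode = path.stat().st_mode
        rel = str(path.relative_to(root))
        if st_mode & stat.S_IWOTH:
            findings.append((rel, f"world-writable: {describe(st_mode)}"))
        elif path.name in CONFIG_NAMES and st_mode & stat.S_IROTH:
            findings.append((rel, f"config readable by everyone: {describe(st_mode)}, want {CONFIG_MODE:03o}"))
    return findings


def fix(root) -> None:
    """Reset the tree to the baseline rather than reaching for 666/777."""
    for path in Path(root).rglob("*"):
        if path.is_symlink():
            continue
        if path.is_dir():
            path.chmod(DIR_MODE)
        elif path.name in CONFIG_NAMES:
            path.chmod(CONFIG_MODE)
        else:
            path.chmod(FILE_MODE)


def demo() -> tuple[list, list]:
    """Build a throwaway tree with the classic bad permissions, audit it, fix it, audit again."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "index.php").write_text("<?php\n")
    (root / "wp-config.php").write_text("<?php // DB_PASSWORD lives in here\n")
    (root / "index.php").chmod(0o644)
    (root / "wp-config.php").chmod(0o666)           # 'fixes' a write error, lets anyone edit it
    (root / "wp-content" / "uploads").chmod(0o777)  # 'fixes' an upload error, invites backdoors
    before = audit(root)
    fix(root)
    return before, audit(root)


if __name__ == "__main__":
    before, after = demo()
    for rel, problem in before:
        print(f"{rel}: {problem}")
    print("after fix:", after or "clean")
```

On a real install, point `audit()` at the document root first and read the report before running `fix()`: a folder that genuinely needs to be writable by the web server (an upload directory) should be owned by the web server’s user or group rather than opened to everyone, and that ownership change is something this script deliberately does not do for you.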
If you follow these relatively simple steps you will increase the security of your website. While these steps alone will not guarantee that your site is never hacked, following them will stop the vast majority of automated attacks, reducing your overall risk posture.
Being aware of these issues and understanding them will provide you with valuable insight into how the underlying technology works. It will also help to make you a better webmaster/site operator.
With the holidays coming up, it’s a great time to make sure your website is properly secured. Count on us to help!