Website hacking is increasing in 2017 according to Google. Hacked websites are serious threats to both webmasters and visitors because hackers can deface your website, steal user data, credit card details from your website, use your server to serve illegal files or insert malware and harmful code to your website. As a webmaster, you have a legal obligation to protect user data from theft and to report security breaches that occur. It is always best to take a preventative approach and secure your site rather than dealing with the aftermath. The following are 8 tips on how to secure your website and protect it from hacking.
1. Use strong passwords and change them regularly
Thousands of brute force attacks are detected every day across the web. The attacks work mainly by guessing username/password combinations. Using strong passwords can effectively eliminate brute force and dictionary attacks. A strong password should be at least 12 characters long with a combination of upper and lower case alphabets, numerals and special characters. Do not use dictionary words. The longer the password, the stronger is the website security. Avoid using the same password for all website logins and change your passwords regularly to ensure breach-proof security. Always store users’ data in encrypted form.
2. Install an SSL certificate
SSL certificate is pretty much mandatory for any website handling personal information. It is a relatively cheap and simple way to boost your website security. By installing an SSL certificate for your website, all personal information will be encrypted when they transfer between your website and your visitors’ computers. Any hacker who attempts to eavesdrop on an encrypted connection will only see garbled text that will be of no use to them. It also helps build trust to your visitors and boost website SEO.
3. Update software regularly
Hackers can scan thousands of websites an hour looking for vulnerabilities that will allow them to break in. CMS providers like Joomla and WordPress stay on constant guard, continuously scouring for holes to plug in their systems and release regular patches and updates to ensure that their software is impervious to attacks. Make sure you run these updates and always have the most recent version supporting your site at all times. If your site uses third party plug-ins, do regular cleanups and wipe out all unused plug-ins as well in order to minimize the threat of being a gateway for hackers to exploit your website.
4. Hide admin pages
Hackers can access your site’s data by getting into the admin level of your website. They may look for names like, ‘admin’, ‘login’, or ‘access’ on your web server, then focus all their energy on accessing these files to compromise your website security. To hide the admin pages from hackers, you should use the robots_txt file to prevent hackers from finding them on search engine. Rename your admin folders to be something inconspicuous and communicate it only to your webmasters. Limit the number of login attempts within a certain time. Never send login details by email because email accounts can be hacked as well.
5. Limit file uploads
Allowing visitors to upload files to your website can post a massive security risk. Hackers could upload files that contain malicious code to compromise your website. If file uploads are inevitable, the best solution is to prevent direct access to all uploaded files. Store the files outside the root directory so that there is no direct way to access or execute the files. Use a script to fetch them from the database or private folder and then render them to your web pages when necessary.
6. Double validation of form data
The input of any forms should be checked on both browser and server-side. The two-level validation process would help block insertion of malicious scripts through data accepting form fields. Web browsers can pick up on simple mistakes such as missing out a mandatory field or entering words in a field where only numbers are required. Server-side validation can detect potentially malicious attacks such as where an attacker has attempted to enter code to exploit a vulnerability.
7. Protection against cross-site scripting (XSS) attacks
8. Back-up frequently
Keep everything backed up just in case the worst happens. Contact your web host provider to find out if it offers back-up solutions to webmasters. You can also install a backup plugin on your website. Some backup plugins allow you to schedule automatic backups, as well as send your files to cloud storage services like Dropbox. Save a copy of your files on your computer from time to time on top of other backup techniques just to be on the safe side.
We provide SSL certificate and backup services. Feel free to contact us by phone +852 3959 1888 or email firstname.lastname@example.org for details.