Website security concerns everyone. In order to understand how to protect our digital assets, we must understand how hacking works. There are two common approaches to hacking, and both generally rely on exploiting poor practices and repetitive habits. Fortunately, most hacking techniques can be thwarted by using common sense and best practices.
The first type of hacking, brute force, relies on repetition as well as trial and error to succeed. The most common brute force tactic is for a hacker to write a program that repeatedly guesses your username and password until it finds a combination that works. Brute force is more common, advanced and successful than most would realize.
A second method of hacking relies on deception. In one way or another a hacker disguises his identity or intention and then simply asks for your username and password. A simple example is to call technical support and ask that a password be reset; the hacker has the new password sent to their email rather than yours. Another approach is to use malware (a harmful program) to view your screen and/or capture your keyboard input. This second method allows the hacker to gain access to your information in a way that often goes undetected.
Although hacking is a constant threat, we need not live in fear.
Start by creating regular backups of your digital assets. Store copies of these backups in three separate locations. If a security breach occurs, having a recent and complete backup often speeds the process of restoring your asset. I use an extensive series of external drives to store backups. I encourage my clients to do the same.
Then set about disrupting the regular patterns hackers use to their advantage. Keep all your software up to date. Updates generally include a mixture of new features, regular maintenance and security fixes. Most people do not run updates for fear that something will break. You must get past this fear and learn to keep all your digital assets up to date.
Most digital assets use a set formula for their schematics. This pattern of construction allows for rapid programmatic deployment, but it also means hackers know where to find things. Moving the location of a login page is a prime example: it is really hard to hack what you cannot find.
Use encryption. There are multiple types of encryption, and these can be applied to websites. SSL certificates are a great way to secure websites through encryption.
Use firewalls and malware detection software. Just like your personal computer, the server where your website lives can be infected with malware. Although hosting companies monitor this kind of thing to an extent, it is truly your responsibility. Use a company such as SiteLock to help protect your server and website.
Despite all efforts, if passwords are not secure, a hacker will easily gain access to your digital assets. The most common failure in security is the human element. Educate all members of your organization about security and how they can help prevent a breach. Most importantly, always use password best practices.
Password best practices
- Use passwords that are complicated, long and unique (CLU)
- I use a password generator to create all my user names and passwords
- Never use the same password for more than one thing
- Never store passwords online (email, Google Drive etc.). Always store passwords in a secure (password protected) place.
- I store all my usernames and passwords on a flash drive, using a password protected document
- Change all passwords every 90 days and every time a person leaves an organization
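The "complicated, long and unique" rule above can be enforced in code rather than by eye. The following PHP is an added example written for this post, not code from the original; the `example_` function names, the 24-character default and the 16-character minimum are assumptions. It draws every character from PHP's cryptographically secure `random_int`, then checks a candidate password against the three CLU properties, treating reuse against a list of previously used passwords as the uniqueness failure.

```php
<?php
// Added example: generate a CLU (complicated, long, unique) password with a
// CSPRNG and verify the properties before accepting one. Names prefixed
// "example_" and the length thresholds are assumptions, not WordPress APIs.

function example_generate_password(int $length = 24): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
              . '0123456789!@#$%^&*()-_=+[]{};:,.?';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is cryptographically secure; rand()/mt_rand() are not.
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Returns a list of failed checks; an empty list means the password passes.
// $already_used is the caller's list of passwords in use elsewhere (assumed
// to be supplied from a password manager export or similar).
function example_check_clu(string $password, array $already_used = []): array {
    $problems = [];

    // Long: a hard minimum length (assumed value).
    if (strlen($password) < 16) {
        $problems[] = 'too short (minimum 16 characters)';
    }

    // Complicated: lower case, upper case, digit and symbol all present.
    if (!preg_match('/[a-z]/', $password) || !preg_match('/[A-Z]/', $password)
        || !preg_match('/[0-9]/', $password) || !preg_match('/[^A-Za-z0-9]/', $password)) {
        $problems[] = 'not complicated (needs lower, upper, digit and symbol)';
    }

    // Unique: never the same password for more than one thing.
    if (in_array($password, $already_used, true)) {
        $problems[] = 'not unique (already used elsewhere)';
    }

    return $problems;
}

// Usage: keep generating until a candidate passes every check.
$used = ['Summer2019!', 'correct horse battery staple']; // constructed sample list
do {
    $candidate = example_generate_password();
} while (example_check_clu($candidate, $used) !== []);
echo $candidate, PHP_EOL;
```

Because the generator picks from a 90-character alphabet, a 24-character result carries roughly 155 bits of entropy, which is far beyond what any online or offline brute force attack can search; the checker exists to catch human-chosen passwords, not generated ones.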
Site security checklist
- SSL certificate
- Padlock over HTTPS
- Contact info matches WhoIs
- Contact info matches Google Plus
- Google Plus integration
- Server protection software
- Server Signature off
- Block Libwww-perl access
- Remove WP generator
- Captcha on login
- Move login page
- Limit login attempts
- Change database prefix
- Hide wp-config.php and .htaccess
- Disable file editing
- Additional Firewalls
- Disable WP XML-RPC
- Disable WP Json (REST API)
The goal of website security is to reduce potential entry points and create layers of protection. If someone gains access to a portion of your site (the admin area, for example), there are ways to limit the damage caused.
Keeping everything up to date is key. Understanding where your code came from is massively important. Set up as many roadblocks as possible, using security redundancies. Always think outside the box because hackers exploit lazy or repetitive behavior.
Take charge and help protect your digital assets. Step one is to create a Google Webmaster Account.
I highly recommend everyone understand how hacking works. Learn more directly from Google.
An SSL certificate and the padlock over HTTPS help ensure everything is secured through encryption. Encrypting data in transit is the first line of defense against hackers and other ne’er-do-wells.
Contact information matching WhoIs and Google Plus, as well as Google Plus integrations all help to verify who owns the website. The cross checking of data helps reduce fraudulent content.
Server protection software further ensures hackers cannot infiltrate your website and perform malicious acts. Many hosting companies offer this service, or you can purchase it from companies like SiteLock.
WordPress-specific security
WordPress is by far the most common content management system. As such, it is also the most attacked content management system. A few simple steps can greatly increase your website security.
For WordPress, I highly recommend All in one Security.
Out of the box, WordPress includes a generator tag in the page metadata. This generator tag reveals the exact version of WordPress your site is using. If a hacker knows the version of WordPress you are using, they may be able to exploit known vulnerabilities in that version.
Limiting login attempts, adding a captcha to the login page, and moving the location of the login page all help prevent brute force attacks.
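The generator, login-attempt, XML-RPC and REST API items on the checklist can all be handled in a single must-use plugin. The file below is an added example written for this post, not code from the original or from the All In One Security plugin; the `example_` names, the limit of 5 failures and the 15-minute lockout are assumptions, while the hooks (`wp_generator`, `the_generator`, `xmlrpc_enabled`, `rest_authentication_errors`, `wp_login_failed`, `authenticate`, `wp_login`) and the transient functions are WordPress's own. Saved as `wp-content/mu-plugins/example-hardening.php` it loads on every request without activation.

```php
<?php
/**
 * Plugin Name: Example Hardening
 * Description: Added example for this post; not code from the original.
 * Names prefixed "example_" and the numeric thresholds are assumptions.
 */

// 1. Remove the generator meta tag from page heads and the <generator>
//    element from feeds, so the exact WordPress version is not advertised.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. Disable XML-RPC. It accepts credentials on every call and is a common
//    brute force target that bypasses the normal login form.
add_filter('xmlrpc_enabled', '__return_false');

// 3. Require an authenticated user for the REST API (/wp-json/), which
//    otherwise lists usernames at /wp-json/wp/v2/users.
add_filter('rest_authentication_errors', function ($result) {
    if (!empty($result)) {
        return $result; // an earlier check already decided
    }
    if (!is_user_logged_in()) {
        return new WP_Error(
            'rest_not_logged_in',
            'The REST API requires authentication.',
            ['status' => 401]
        );
    }
    return $result;
});

// 4. Limit login attempts per client IP, stored in transients.
//    Assumed values: 5 failures, then a 15-minute lockout that slides while
//    attempts continue. REMOTE_ADDR is only meaningful when no proxy or CDN
//    sits in front of PHP; otherwise resolve the real client address first.
const EXAMPLE_MAX_FAILURES    = 5;
const EXAMPLE_LOCKOUT_SECONDS = 15 * 60;

function example_attempt_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_login_fail_' . md5($ip);
}

// Count every failed login for this client.
add_action('wp_login_failed', function ($username) {
    $key      = example_attempt_key();
    $failures = (int) get_transient($key);
    set_transient($key, $failures + 1, EXAMPLE_LOCKOUT_SECONDS);
});

// Refuse authentication while the client is over the limit, even with the
// correct password. Priority 30 runs after WordPress's own password check.
add_filter('authenticate', function ($user, $username, $password) {
    $failures = (int) get_transient(example_attempt_key());
    if ($failures >= EXAMPLE_MAX_FAILURES) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function () {
    delete_transient(example_attempt_key());
});
```

Transients expire on their own, so there is no cleanup job to run, and because the counter is keyed by client address a lockout against one attacker does not lock out the site owner logging in from elsewhere. A distributed brute force from many addresses is not stopped by this alone, which is why the checklist pairs it with a captcha and a moved login page.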
The standard database prefix for any WordPress site is wp_. Hackers use this to their advantage, writing scripts that look for tables named wp_users or wp_options etc. By changing the database prefix to anything other than wp_ you make it significantly harder for hackers to target your database tables, because they no longer know the exact names.
wp-config.php and .htaccess are two powerful files used by WordPress. Hiding these files helps prevent hackers from gaining access to them. Similarly, be sure to check that your hosting configuration does not store a copy of either file. Depending on how the file is duplicated, it may become accessible to hackers, leaving your website in a very vulnerable place.
Disabling file editing removes the ability to change theme or plugin files from the dashboard. If a hacker has made his way into the WordPress dashboard, but not your server directly, the hacker will not be able to do as much damage.
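The prefix and file-editing items, and the protection of wp-config.php itself, come down to a few lines in that file. The excerpt below is an added example written for this post, not the original author's configuration; the prefix value `x7q9_` is a constructed sample, and `DISALLOW_FILE_MODS` and `FORCE_SSL_ADMIN` go slightly beyond the checklist but are real WordPress constants. The default setting is shown beside each hardened one.

```php
<?php
// Excerpt of wp-config.php, added here as an example (not from the original
// post). Only the checklist-related lines are shown; keep your existing
// DB_NAME, DB_USER, DB_PASSWORD, authentication salts and the final
// require_once of wp-settings.php exactly as they are.

// --- Database prefix -------------------------------------------------------
// Default (what automated scripts assume):
//   $table_prefix = 'wp_';
// Hardened: WordPress builds every table name from this value, so scripts
// that look for wp_users or wp_options find nothing. Letters, digits and
// underscores only. Changing it on an EXISTING site also requires renaming
// the tables and the prefix-named rows (wp_user_roles in the options table,
// wp_capabilities and wp_user_level in usermeta); do it at install time
// where possible. 'x7q9_' is a constructed sample value.
$table_prefix = 'x7q9_';

// --- Dashboard file editing ------------------------------------------------
// Default: not defined, so Appearance > Theme File Editor and
// Plugins > Plugin File Editor are available to every administrator.
// Hardened: an attacker who obtains an admin session can no longer write
// PHP to the server from the dashboard.
define('DISALLOW_FILE_EDIT', true);

// Optional, stricter: also block plugin and theme installs and updates from
// the dashboard, so code reaches the server only by SSH/SFTP or your
// deployment pipeline. Note this hides core update prompts too, so updates
// then become your deployment process's job.
define('DISALLOW_FILE_MODS', true);

// --- Transport -------------------------------------------------------------
// Keep the dashboard and login form on HTTPS, matching the SSL checklist
// item, so credentials and session cookies are never sent in clear text.
define('FORCE_SSL_ADMIN', true);
```

As for hiding the file itself: WordPress also looks for wp-config.php one directory above the web root, so moving it there keeps it outside anything the web server will serve while leaving WordPress working unchanged. Whichever location you choose, a web-server rule denying direct requests to wp-config.php and .htaccess is still worth adding, since a misconfiguration that stops PHP from executing would otherwise serve the file's contents as plain text.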
Want to learn more? Check out my full checklist for website quality assurance and quality control.