4 Things That Will Make Your Website Unhackable
Whether a website can ever be truly secure has long been debated, and many experts hold that there is no such thing as a hack-proof website: to them it is only a matter of time before the attackers get in. That is one extreme. With the steps recommended here, however, you can keep your website materially safer from attackers. Prominent among these recommendations is keeping your website, and everything installed on it, updated so that known vulnerabilities are patched before anyone can exploit them. The other is hosting your website with a web hosting company that takes security seriously.
In this article, we look at four critical actions you need to take to protect your website from being hacked. So, here are the 4 security measures you need to take to make your website as close to unhackable as is practical:
1. Use HTTPS Domains
2. Index Pages In All Folders
3. Routine Tests for Vulnerabilities
4. Don’t Underestimate the Value of Security
Now, let us look into these in greater detail.
1. Use HTTPS Domains
Transport Layer Security (TLS, the successor to the Secure Sockets Layer, SSL, although the certificates are still commonly sold as “SSL certificates”) encrypts the connection between your site and the person accessing it and lets the browser verify that it is really talking to your server. Secured websites are identified by “https://” and a padlock in front of the domain name in the browser’s address bar.
This denotes that the connection is encrypted: traffic can still be captured on the wire, but it cannot be read or silently modified without the private key that only your server holds. You can set up a free certificate today using Let’s Encrypt. Securing the site this way also helps your SEO, as Google gives some ranking preference to HTTPS sites over plain HTTP ones, and Chrome marks pages served without HTTPS as “Not secure”.
Encrypting the traffic between your site and your visitors removes the risk of that data being read or altered in transit. This keeps information safe from snooping and reduces the risk of login credentials being stolen.
In this environment, you’re helping yourself as well as those who visit your website.
Using HTTPS for your domain doesn’t mean that you are hack-proof. It addresses only the data in transit between your pages and the visitor; a vulnerable plugin or a weak admin password is just as exploitable over HTTPS.
It does, however, prevent others from spying on that transmission and capturing a visitor’s, or an administrator’s, login credentials. Those credentials could otherwise be used to log in to the site and look for further weaknesses.
2. Index Pages In All Folders
A folder with no index page (index.html or index.php) will, on a server with directory listing enabled, show its contents to anyone who browses to it: every file and subfolder, with names, sizes and modification dates. That exposes your website’s structure to the casual visitor as well as to attackers.
If you are trying to keep an admin folder, a backup or an uploads directory out of sight, a missing index file hands an attacker a map of possible entry points.
This is an easy hole to plug for the most part. A blank index page stops browsers from listing a folder that has no real page, though it does not stop anyone who already knows a file’s name from fetching it directly, so for anything sensitive it is cosmetic and the file itself must be moved out of the web root or access-controlled. The more robust fix is to turn directory listing off at the server (the Options -Indexes directive in Apache; autoindex is off by default in nginx), and then to check all of your folders for an index file as a backstop.
If one is missing, you can create it with a plain text editor such as Notepad: save an empty document as “index.html” and upload it to the folder in question. You can also use the file manager in cPanel to create the index.html file.
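Checking every folder by hand is tedious on a site with hundreds of upload, theme and plugin directories. The following shell script, added here as an example and not part of the original article, lists every directory under a web root (the path is an assumption) that has no index.html, index.php or index.htm, and can drop a blank index.html into each. It does not turn listings off at the server, which you should still do; run it on a copy of the site first.

```shell
#!/bin/sh
# Added example (not from the original article): find directories under a web
# root that have no index file, and optionally give each a blank index.html.
# The web root path and the --fix flag are assumptions for illustration.

# Print every directory under $1 (the root itself included) that contains no
# index.html, index.php or index.htm. Paths with spaces are handled because
# each line is read whole with `read -r`.
find_unindexed_dirs() {
    root=$1
    find "$root" -type d | while IFS= read -r dir; do
        if [ ! -e "$dir/index.html" ] && [ ! -e "$dir/index.php" ] \
           && [ ! -e "$dir/index.htm" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Create an empty index.html in every unindexed directory under $1.
# Existing index files are never touched, so a real index.php keeps working.
fix_unindexed_dirs() {
    find_unindexed_dirs "$1" | while IFS= read -r dir; do
        : > "$dir/index.html"
    done
}

# Usage: script.sh /var/www/html          (report only)
#        script.sh --fix /var/www/html    (report, then create blank indexes)
if [ "$#" -gt 0 ]; then
    case "$1" in
        --fix)
            if [ -d "$2" ]; then
                find_unindexed_dirs "$2"
                fix_unindexed_dirs "$2"
            else
                echo "usage: $0 [--fix] WEBROOT" >&2
                exit 2
            fi ;;
        *)
            find_unindexed_dirs "$1" ;;
    esac
fi
```

Pair this with disabling listings at the server: a blank index hides the listing, but a request for a known filename inside the folder is still served, so sensitive files belong outside the document root rather than behind an empty page.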
Most attacks are aimed at easy targets. Unless you operate a high-value or very public website, most attackers will quickly move on from anything that shows resistance.
Although this measure won’t stop someone determined to get into your site, it does act as a deterrent. It’s a bit like posting a sign on your lawn that says your home is being monitored.
Most criminals will move on because the effort is too great for an unknown reward.
3. Routine Tests for Vulnerabilities
The more popular your website becomes, the more attention it draws and the greater the need for security. By using a security firm, or security plugins if you use WordPress, to test your site regularly, you can find and fix exploitable weaknesses quickly.
These companies and plugins usually have extensive tooling for probing the limits of your website, and a scan can be enlightening about where its weak points are.
An extremely useful exercise is penetration testing. Essentially, you hire a security company, or use specialised tooling, with the sole purpose of attacking your own site.
Since you are in control during this exercise, discovering the holes in your security carries little risk. The resulting report will show you the weak spots in your site and how to seal them up. Repeat it routinely, after major changes as well as on a schedule, since every new plugin or theme changes what is exposed.
Validate All Code
Having security software routinely check your website’s code can catch injected or malicious scripts, the kind used in cross-site scripting (XSS) attacks, before they reach your visitors. By making sure the code on the site stays legitimate, you improve privacy protection for the people who use it.
Some Known Security Plugins
Sucuri’s web application firewall is one of the best protections you can put in front of a site. It sits between visitors and your server and filters DDoS traffic, malware delivery attempts, XSS payloads, brute-force login attempts and many other common attack types before they reach your site. If you don’t have a firewall in front of your website, add one today.
W3 Total Cache
W3 Total Cache is a caching plugin rather than a security plugin, but it is often installed alongside them. Speed is one of the most important SEO factors: faster websites rank higher in Google, which means more visitors for your business website and more conversions.
Jetpack is a popular WordPress plugin offering features including enhanced security, improved site performance, plenty of content tools, and visitor engagement features. Additional features include spam-free comments, social sharing, related posts, post by email, and much more. Jetpack even offers a lightweight, responsive mobile theme option designed for phones and tablets.
Wordfence is one of the most popular WordPress security plugins. It keeps scanning your website for malware: it checks all the files of your WordPress core, themes and plugins against the originals and notifies you if it finds an infection or an unexpected modification. Older versions also bundled a caching engine (Falcon), which has since been removed, so treat it as a security tool rather than a performance one. The plugin is free, but a few advanced features are reserved for premium users. If you can afford it, do it.
It blocks brute-force attacks, supports two-factor authentication for logins, and (in the premium edition) can block traffic from specific countries. It also includes a firewall that blocks fake traffic, botnets and scanners, and it scans your hosting account for known backdoors such as C99 and R57. If it finds anything, you get an email notification immediately.
It also scans your posts and comments for malicious code, and it supports multi-site. You can watch the traffic on your WordPress website in real time and see whether anything is probing or attacking it.
BulletProof Security is another popular WordPress security plugin that takes care of several areas: firewall rules, database security, login security and more. It comes with a four-click setup interface; activate the plugin, run the setup, and it largely looks after itself, though you should still read its alerts.
It limits failed login attempts and blocks security scanners, fake traffic and code scanners, with IP blocking. It monitors the code of WordPress core files, themes and plugins and notifies the admin of any known infection. It also adds caching to improve your website’s performance and includes a built-in file manager for .htaccess. Its rules protect WordPress websites against a range of attacks including XSS, RFI, CRLF and CSRF, Base64-encoded payloads, code injection and SQL injection, and the rule set is updated as new exploits and vulnerabilities appear.
All In One WP Security & Firewall is another popular WordPress security plugin for checking vulnerabilities in your WordPress website. It is easy to use and reduces your security risk by applying recommended security practices.
Joomla Security Extensions
R Antispam prevents spam on forums (Kunena, NinjaBoard and ccBoard). It uses a Bayesian filter and works best alongside Akismet.
Once installed, go to System >> Global Configuration >> R-Antispam and configure it the way you want.
Centrora Security has a built-in malware and security scanner that helps you identify security risks, malicious code, spam, viruses, SQL injection attempts and other vulnerabilities.
This package is derived from OSE Firewall Security, and a free edition is available.
Brute Force Stop helps prevent brute-force attacks on your login. It stores details of failed login attempts so you can review them and take action, and you can configure notifications about failed logins and blocked IP addresses.
Incapsula for Joomla lets you manage security and the CDN from your Joomla admin, so if you want performance together with protection, this one will interest you. Incapsula helps in several ways, including the following:
- Instant virtual security patching
- Unique bot detection technology to reduce spam, fake registration
- Detect vulnerabilities
- Improve website performance by caching and optimization mechanism
- Advanced analytics
KeyCAPTCHA helps stop your forms being spammed by asking visitors to complete an easy interactive task.
Security Check is a web firewall that protects against more than 90 attack types, including SQLi, LFI and XSS, and adds session protection.
Akeeba Backup is one of the most popular extensions and won the Administrator extension J.O.S.C.A.R. Award at J and Beyond 2010. It gives you one-click backup, exclusion of specific files and folders, restore, and more. A tested backup stored away from the server is essential for security: it is what lets you recover cleanly after a compromise.
How You Can Reduce Plugin Vulnerabilities
Vulnerable plugins are the top way that attackers gain access to WordPress sites. Reducing your plugin security risk is one of the most important aspects of protecting your site. There are a number of things you can do to limit this risk.
Use as Few Plugins as Possible
Every plugin you install on your website increases your “attack surface”. You are running more code, so your odds of having a security vulnerability exploited go up. Every plugin you add to your site also represents another developer you are relying on to keep you safe. That includes writing secure code, responding quickly to vulnerability reports and keeping your best interests in mind.
Only Download Plugins From Reputable Sites
If possible we recommend that you limit your plugin downloads to the official WordPress.org plugin directory. A great team of volunteers manages it, alongside a large community of users and security researchers helping out.
If you need to download a plugin from another site, you can use these tips to help determine whether the site is reputable:
- The site should pass the “eye test”: professionally designed and using clear language to describe the plugin.
- Look for a valid company name in the footer.
- You should be able to find a physical contact address on the contact page or in the terms of service.
- If you Google the domain name in quotes (e.g., “example.com”) you shouldn’t find any reports of malicious activity. Adding the words “malware,” “exploit” and “vulnerability” to your search may reveal additional information.
Choose Reputable Plugins
The WordPress.org plugin directory makes it really easy to evaluate plugins by providing a nice summary that gives you almost everything you need. Here’s what we suggest you pay attention to:
- The more recent the last update, the better.
- Check the number of active installs the plugin has. Some reliable and useful plugins have low install numbers, but you should still examine a plugin carefully if it has a low install base (below 1,000 active installs). It may not be maintained.
- It should be compatible with the current version of WordPress, though please note that immediately after a WordPress core release, a lot of reputable plugins will show a “Test up to:” value that is behind, as authors finish testing their plugin with the latest WordPress version.
- The average plugin rating should be high enough to instill confidence. The higher the rating, the better, obviously.
You should also periodically review your installed plugins to make sure they have maintained their good standing.
Delete Plugins Immediately When You Stop Using Them
We have written at length about the fact that the best way to secure data is to get rid of it. The same concept applies to WordPress plugins: removing plugins reduces your risk.
Keep Your Plugins Up to Date
Security vulnerabilities are constantly being discovered in WordPress plugins. In many cases, the details of the vulnerability will be made public, meaning that the entire world is given the information necessary to exploit the security vulnerability. In fact, the large majority of attacks we see on WordPress sites are attempts to exploit well-known security holes, some many years old. Instead of looking for new vulnerabilities, attackers look for site owners who don’t keep things up to date. Unfortunately, they continue to have success. You can stay ahead of the curve by simply keeping things up to date.
Many plugins like Wordfence include an auto-update feature, and WordPress itself (since version 5.5) lets you enable automatic updates per plugin from the Plugins screen. You should enable this for as many plugins as you can. For those where you can’t, update to the latest version as soon as possible, especially if the release includes a security fix.
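The two rules above, delete what you don’t use and update what you do, lend themselves to automation. The following shell script, added here as an example and not part of the original article or of WP-CLI, reads the CSV that `wp plugin list --fields=name,status,update,version --format=csv` produces and prints the housekeeping commands that follow from it. The sample CSV embedded in it is constructed; on a real site, pass --live to read from WP-CLI instead.

```shell
#!/bin/sh
# Added example (not from the original article): turn WP-CLI's plugin listing
# into the housekeeping the text recommends. Inactive plugins are proposed
# for deletion (code on disk is still reachable even when not active), and
# active plugins with a pending release are proposed for update.
# SAMPLE_PLUGIN_CSV is constructed data in the shape WP-CLI emits.

SAMPLE_PLUGIN_CSV='name,status,update,version
akismet,active,none,5.3
hello,inactive,none,1.7.2
old-gallery,active,available,2.0.1
legacy-forms,inactive,available,0.9'

# Read WP-CLI CSV on stdin (header first); print one wp command per line.
plugin_actions() {
    tail -n +2 | while IFS=, read -r name status update version; do
        case "$status" in
            inactive)
                # Not running, but still attack surface: remove it entirely.
                echo "wp plugin delete $name" ;;
            active)
                if [ "$update" = "available" ]; then
                    echo "wp plugin update $name"
                fi ;;
        esac
    done
}

# Count active plugins, a rough measure of how much third-party code runs.
count_active_plugins() {
    tail -n +2 | awk -F, '$2 == "active" { n++ } END { print n + 0 }'
}

if [ "$#" -gt 0 ] && [ "$1" = "--live" ]; then
    # Assumes WP-CLI is installed and the cwd is a WordPress install.
    wp plugin list --fields=name,status,update,version --format=csv | plugin_actions
else
    printf '%s\n' "$SAMPLE_PLUGIN_CSV" | plugin_actions
fi
```

The script prints commands rather than running them so you can review the list first; an inactive plugin that you are keeping for a seasonal feature should be reactivated or consciously exempted, not left dormant.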
Replace Abandoned and Removed Plugins
Have you ever started a project or hobby and gotten bored with it? That happens to WordPress plugin authors, too. In fact, it happens a lot. Back in May we wrote a post about abandoned plugins and found that, at the time, over 46% of plugins had not been updated in over 2 years.
Does that mean that they include a security vulnerability? Most likely not. What it does mean is that they represent a much higher risk than actively maintained plugins. We recommend that you not run plugins that haven’t been updated in over 2 years.
Another risk to keep an eye on is plugins that have been removed from the WordPress.org plugin directory. There are many reasons why the WordPress plugin team might remove a plugin, including having a security vulnerability that hasn’t been fixed. Since their policy is to not disclose why they removed a plugin, we recommend that you immediately remove plugins from your site that are removed from the WordPress.org directory.
This spring, we added a feature that alerts you when plugins have been abandoned or removed from WordPress.org.
Install a WordPress Firewall
Every now and then an attacker will discover a zero-day vulnerability in a WordPress plugin and start attacking sites. In these cases, if you are unlucky enough to be running the vulnerable plugin, having the latest version installed will not help protect your site. That’s where a web application firewall, or WAF, comes in. Web Application Firewalls examine the traffic hitting your site, filtering out malicious requests.
The Wordfence firewall includes a robust set of protections against the most common attacks on WordPress websites. These include SQL Injection, Cross Site Scripting, Malicious File Uploads, Directory Traversal and many more. In addition, when a new security vulnerability emerges, our security analysts quickly develop code to protect for that specific threat in the form of a “firewall rule.” These firewall rules are deployed in real time to Wordfence Premium customers via the Threat Defense Feed. Free sites receive them 30 days later.
Deny Access Through .htaccess
The .htaccess file can be used to block access to your admin area from every IP address other than your own. There are ways around this measure (an attacker who controls a machine on your network, or who sits on the same ISP block if you allow a whole range), but it is still a very useful stopgap against those looking for an easy target, and it keeps automated brute-force traffic away from the login form entirely.
This method is ideal for websites that use WordPress or another content management system on Apache (nginx ignores .htaccess files; the equivalent there is an allow/deny block in the server configuration). You can edit the .htaccess file with Notepad or with the online editor provided by cPanel. Two WordPress caveats: the login form is wp-login.php in the site root, not in wp-admin, so a rule in wp-admin does not cover it on its own; and wp-admin/admin-ajax.php is called by the front-end features of many plugins, so denying the whole folder to visitors can break them unless you exempt that file.
In the .htaccess file located in your admin folder, enter the following (Apache 2.2 syntax; note that there is no space after the comma in the Order line, a common copy-and-paste mistake that makes Apache return a 500 error for the whole folder):
Order deny,allow
Deny from all
Allow from XXX.XXX.XXX.XXX
In place of the “X”s, use the public IP address assigned to you by your Internet service provider, as seen from the machine you administer the site from. If you have others working on the site with you, add another “Allow from” line under the first with their addresses as well. Apache 2.4 only honours these directives when mod_access_compat is loaded; its native form is a Require ip line, which takes the same address or a CIDR range.
The downside to this method is that you must keep the file updated should your IP address change. Not everyone pays for a static IP, and many ISPs reassign dynamic addresses periodically, at which point you are locked out of your own admin area until you edit the file again (over FTP or in the cPanel file manager, which this rule does not affect).
One way to soften this problem is to allow only the first part of the address, for example “203.0.” (each of the four numbers in an IPv4 address is at most 255). That keeps you in from any address on that ISP block, but it also admits everyone else on it, up to 65,536 addresses for a two-number prefix, so treat it as a convenience rather than a strong control and prefer a full address, or the narrowest range your ISP actually assigns you.
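Because one malformed line in .htaccess takes the whole folder down with a 500 error, it is worth generating the file from a validated allow-list rather than typing it. The following shell script, added here as an example and not part of the original article, validates each address or CIDR entry, shows how many addresses an entry admits (which is the cost of the “first two numbers” shortcut), and writes the Apache 2.4 Require ip form. The output path and the allow-list entries are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): build an admin-folder
# .htaccess from a validated IPv4 allow-list, in Apache 2.4 "Require ip"
# syntax. Output path and allow-list entries are assumptions.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix
# (e.g. 203.0.113.5 or 198.51.100.0/24), otherwise 1.
valid_ipv4_cidr() {
    addr=${1%%/*}
    case "$1" in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in .*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Number of addresses an entry admits: a bare address is one host, a /16
# (the "first two numbers" shortcut) is 65536, i.e. a whole ISP block.
cidr_size() {
    case "$1" in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    echo $(( 1 << (32 - prefix) ))
}

# Write $1 as an .htaccess admitting only the entries given in $2 onwards.
# Every entry is validated first, because one bad line makes Apache answer
# 500 for the entire directory, which is worse than the problem being fixed.
write_admin_htaccess() {
    out=$1
    shift
    [ "$#" -gt 0 ] || { echo "refusing to write an empty allow-list" >&2; return 1; }
    for entry in "$@"; do
        valid_ipv4_cidr "$entry" || { echo "bad allow-list entry: $entry" >&2; return 1; }
    done
    {
        echo '# Apache 2.4: a request matching no Require line gets 403'
        for entry in "$@"; do
            echo "Require ip $entry"
        done
    } > "$out"
}

# Usage: script.sh /var/www/html/wp-admin/.htaccess 203.0.113.5 198.51.100.0/24
if [ "$#" -ge 2 ]; then
    for entry in "$@"; do
        [ "$entry" = "$1" ] || echo "$entry admits $(cidr_size "$entry") address(es)" >&2
    done
    write_admin_htaccess "$@"
fi
```

On Apache 2.2, or 2.4 with mod_access_compat, the generated Require ip lines can be swapped for the Order/Deny/Allow block shown above; either way, test from a second network (a phone on mobile data will do) to confirm you actually get a 403 before relying on it.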
What About DDoS and DoS Attacks?
Denial of service attacks are extremely difficult to stop. Their purpose is to prevent others from reaching your website by flooding it with junk traffic. In themselves these attacks are not meant to break into your site or steal data, though they are sometimes used as a distraction while something else is attempted, so keep an eye on your logs while one is under way.
Still, being targeted is frustrating, since it can bring the site to a standstill. Much of the defence is already in place at your web hosting provider, and a CDN or cloud-based firewall such as the ones listed above absorbs volumetric traffic before it reaches your server.
Stopping DDoS and DoS attacks yourself is next to impossible because the traffic arrives from many changing or spoofed source addresses, so blocking them one at a time cannot keep up. Mitigation belongs upstream, with your host or a CDN that has the capacity to soak it up.
4. Don’t Underestimate the Value of Security
Although nothing is truly 100 percent hack-proof, the measures described here greatly reduce the risk to your site. As long as you remain vigilant about protecting the data of visitors and staff, you can stay ahead of the majority of attacks, which are aimed at whoever has left the easiest opening.
Make sure you keep your proverbial doors and windows locked and secured on your digital real estate.