How to Prevent an Exploitation of Your Website by An Attacker
If you are new to website hosting or website designing, you could have had an issue with your website and you may have been surprised that despite security assurances from your web hosting company, your website got suspended due to an attack or exploitation without your knowing how it happened. You can also face issues like spamming, White Screen of Death (WSOD) which is the result of an attack which produces a blank white screen.
A WSOD is usually as a result with plugin or extension compatibility with your current CMS version. Regular updates to current CMS version including an update on all plugins and extensions is the solution to preventing this kind of attack. Plugin update in itself can sometimes create problems. You could also have experienced a hack leading to a complete defacement of your website. There are various forms of website attack but these are quite common especially with Content Management systems (CMS) like Joomla, WordPress, and Drupal.
Also read: 6 Ways to Protect Your Website From Security Hacks
Also read: How to Prevent Spam on Your Joomla Website
Another common problem with CMSs is load issues. This is also a area of exploitation. High load is common with content management systems and this is particularly associated with websites like WordPress that are managed by newbies.
It is important for you to know how to deal with these problems to be able to safely operate your website without any issues. It is good for you to know how to keep up with your website updates to avoid a site breakdown or suspension.
Today, we will discuss simple steps you need to take to ensure that you get to know what is happening to your website and take appropriate action.
Also read: How to Find and Clean Backdoors in a Hacked WordPress Site
1. Your Web Hosting Should be Linked to Your Favorable and Frequently Monitored Email
Your web host will always communicate with you whenever there is an issue. You must therefore always keep an eye on your emails for any update from your web hosting provider. Remember that your registered email must be different from an email created on the website you are hosting.
The security of your email is as important as that of your website. This is because every website is always linked to an email address. This is one key area that has been neglected but it's as important as the other items. However, it should also be mentioned that most website hacks have not been linked to weak email passwords. I will still recommend you take your email security important to be protected all round from those who will go all out.
Here are tips that will protect your email from intruders:
· Obtain comprehensive security software. Be sure that the security software you select is like McAfee Internet Security and protects you and your PC from viruses, worms, Trojans, unwanted e-mail (spam), phishing scams, and other malicious software. It should also have a firewall like McAfee's products, which can monitor your Internet connection and stop unwanted traffic to and from your PC. Be sure to keep your security software up-to-date. Ideally, you want it to be like McAfee's Internet Security Suite that has automatic updates and upgrades.
· Share your e-mail address with only trusted sources. Only your family, friends, and trusted business contacts should have your personal e-mail address. Do not post your e-mail address on Web sites, forums, or in chat rooms. If you post your e-mail address, you are vulnerable to receiving spam or having your e-mail passed on to others. If you would like to subscribe to a newsletter or Web site and receive confirmation e-mail for online transactions, consider using a generic e-mail address that is not linked to any of your personal information
· Be careful when opening attachments and downloading files from friends and family or accepting unknown e-mails. You can obtain a virus, worm, or Trojan simply by opening e-mail and attachments, and by accepting files from your friends, family, or others. If you choose to download files, make sure your security software is enabled and pay close attention to any warnings provided.
· Be smart when using Instant Messaging (IM) programs. If you use an IM program to communicate with friends and family, be careful when sending any personal information. Protect yourself by using a nickname for your IM screen name. Never accept strangers into your IM groups. Be smart about how you use your personal IM at work because your employer may monitor and view your personal messages.
· Watch out for phishing scams. Phishing scams use fraudulent e-mails and fake Web sites, masquerading as legitimate businesses, to lure unsuspecting users into revealing private account or login information. To be safe, if you receive an e-mail from a business that includes a link to a Web site, make certain that the Web site you visit is legitimate. Instead of clicking through to the Web site from within the e-mail, open a separate Web browser and visit the business Website directly to perform the necessary actions. You can also verify that an e-mail is in fact from a legitimate business by calling the business or agency directly.
· Use e-mail wisely. E-mail is a great way to keep in touch with friends and family, and as a tool to conduct business. Even if you have good security software on your PC, your friends and family might not have the same protection. Be careful about what information you submit via e-mail. Never send your credit-card information, Social Security number, or other private information via e-mail.
· Do not reply to spam e-mail. If you don't recognize the sender, don't respond. Even replying to spam mail to unsubscribe could set you up for more spam.
· Create a complex e-mail address. With a complex e-mail address, it makes it more difficult for hackers to auto-generate your e-mail, send spam e-mail, or target your e-mail for other types of attacks. Make sure you come up with an e-mail address that you can easily remember. Try to use letters, numbers, and other characters in a unique combination. Substitute numbers for letters when you can. A sample complex e-mail is: Tracy3Socc3r2@samplee-mail.com.
· Create smart and strong passwords. Make it difficult for hackers to crack your password. You can create a smart password by incorporating capital letters, numbers, special characters and using more than six characters. An example of a strong password is: KK+Go1dM!n3.
· Never enter your personal information into a pop-up screen. Sometimes a phisher will direct you to a real organization's Web site, but then an unauthorized pop-up screen created by the scammer will appear, with blanks in which to provide your personal information. If you fill it in, your information will go to the phisher. Install pop-up blocking software to help prevent this type of phishing attack.
2. Encrypt emails and valuable information. I
f a hacker does breach your system, encryption makes it that much harder to get away with critical data. Voltage, DataMotion, and Proofpoint are industry leaders worth checking out.
Read also: Recommended Security Checks For Your Joomla Website
3. Keep Your CMS Versions and Plugins Updated
This has been repeated in several posts. It is important to keep your plugins updated if you are running a content management system. As a general rule, ensure you are running the latest version of your software. Remember to always check for updates within the backend of your website and fix any update issues before they become a problem.
Read also: The Safe Path to Install and Un-install Joomla Extensions
4. Avoid Un-updated Plugins
One of the issues with websites like WordPress and Joomla is the use of plugins that are not updated along with the released versions of these CMSs. Because most of the content management systems undergo regular updates, it is important that whatever plugin you use should also be updated. When a plugin is not frequently updated in tune with CMS updates, these can cause a security problem.
Read also: WordPress Performance: How to Find a Slow Plugin
5. Ensure that you enable the cache system on your content management system.
You may want to learn more about how the cache system works. The cache system will essentially speed up your website. It basically saves a copy of your web page so that when a visitor clicks a page, it saves the saved page which loads like a static page. That way, your website loads very fast.
If you carefully follow these guidelines and make them habitual, you will be able to cope with security challenges occasioned by your software changes.
6. Restrict Access to Secured Folders with the htaccess file.
It is important to protect your files, folders and certain parts of your website by limiting access to them. This can be done using the allow, deny rule in your htaccess file.
You may want to learn ore about how to use the htaccess file to secure your website
With the allow, deny rule set, you deny access to the folders that contain plugins and components and also can stop attackers fro saving backdoors in your files and folders especially your template folders which is the most common location known to be used by attackers to save backdoors.
7. Change Your Default Admin Username.
If you run on a Content Management System (CMS), your default admin username will likely be "admin". You will need to change this to a customized name. That way, it becomes more difficult for bots and humans to guess your login credentials correctly as they may never be able to rightly guess your username in the first place even though password guesses could be correct.
8. Use Secure Password Rules to Create Passwords
You should never ignore strong password rules for all your accounts. First, do not use the same password for your cPanel login and for your admin login. Ensure that every account use different passwords. This is a safety precaution.
Also ensure that in creating passwords, it should be at least 10 characters, contains both upper and lower case characters, contains special characters like ^(@_. Remember that it must be strong because even if you forget your password, there is always a way to reset your passwords. So, never compromise the strength of your password.
As a rule, do keep to the following:
Avoid using dictionary words These passwords are easy for hackers to figure out using an electronic dictionary.
Don't use personal information. Any part of your name, birthday, Social Security number, or similar information for your loved ones is a bad password choice.
Avoid common sequences, such as numbers or letters in sequential order or repetitive numbers or letters.
If the web site supports it, try to use special characters, such as $, #, and &. Most passwords are case sensitive, so use a mixture of upper case and lower case letters, as well as numbers.
Passwords become harder to crack with each character that you add, so longer passwords are better than shorter ones. A brute-force attack can easily defeat a password with seven or fewer characters.
To help you easily remember your password, consider using the first letter from each word in a sentence, a phrase, a poem, or a song title as a password. Be sure to add in numbers and/or special characters.
Create different passwords for different accounts and applications. That way, if one password is breached, your other accounts won't be put at risk too. Do not use the same or variations of the same password for different applications.
Despite admonitions to the contrary, one easy way to remember your passwords is to write them down and keep them in a securely locked place. Never leave them on a Post-It note on your monitor, in an address book, in a desk drawer, or under your keyboard or mouse pad (or any other obvious place).
Consider using a secure password manager. The Firefox browser has a password manager already built in The Firefox password manager and 4 others are reviewed.
If you have already established a password that is not strong, change it! Web sites have a variety of procedures that govern how you can change your password. Look for a link (such as my account) somewhere on the site's homepage that goes to an area of the site that allows password and account management.
Read also: How A Plugin Installation Can Crash Your Wordpress Website
9. Back up your data
Copying your key company data onto a cloud-based system, such as Dropbox or OneDrive, or a USB hard drive takes minutes, and will save you time and anxiety if your system is ever compromised.You can backup your entire website online. cPanel hosting environment and other hosting applications have one-click backup tools which are very handy. You can use the back up tool to maintain a healthy backup just to protect you from very serious disaster.
10. Maintain updates
We continue to re-emphasize this because it is critical to the security of your website. This is an aspect that had been neglected by many. It is important that you check for updates daily on your most critical websites to be able to take action as quickly as possible once there be need for an update. Always ensure that your keep your website up-to-date especially if you run a content management system. Keeping your system updated with the most recent software updates will help you overcome exploitation associated with discovered vulnerabilities.