Best Practices to Keep Your Website Safe From Attackers
Website security is crucial for everyone. One thing no website owner wants to grapple with is a hack, an exploit or some other security compromise. Whether a website can ever be truly safe has been a controversial topic, and many experts believe there is no such thing as a hack-proof website; to them, it is only a matter of time before the attackers get you. That reflects one extreme. However, by following the steps we recommend here, you can keep your website safe from attackers. Prominent among these recommendations is to keep your website updated so that known vulnerabilities cannot be used against you.
In this article, we take a look at four critical actions you need to take to protect your website from security hacks. So, here are the 4 security measures you need to take to make your website unhackable:
1. Keep Your Software up-to-date
2. Use HTTPS Domains
3. Conduct Routine Tests for Vulnerabilities
4. Use Security Plugins
Now, let us look into these in greater detail.
1. Keep Your Software Updated
Software updates are important to your digital safety and cyber security. The sooner you update, the sooner you’ll feel confident your device is more secure. Why are software updates so important? There are a lot of reasons. Here are 5 that show why it’s important to update software regularly.
1. Software Updates help patch security flaws
Hackers love security flaws, also known as software vulnerabilities. A software vulnerability is a security hole or weakness found in a software program or operating system. Hackers can take advantage of the weakness by writing code to target the vulnerability. The code is packaged into malware — short for malicious software.
An exploit can sometimes infect your computer with no action on your part other than viewing a rogue website, opening a compromised message, or playing infected media.
What happens next? The malware can steal data saved on your device or allow the attacker to gain control over your computer and encrypt your files.
Software updates often include software patches. They cover the security holes to keep hackers out.
2. Software updates help protect your data
You probably keep a lot of documents and personal information on your devices. Your personally identifiable information — from emails to bank account information — is valuable to cybercriminals.
They can use it to commit crimes in your name or sell it on the dark web to enable others to commit crimes. If it’s a ransomware attack, they might encrypt your data. You might have to pay a ransom for an encryption key to get it back. Or, worse, you might pay a ransom and not get it back.
Updating your software and operating systems helps keep hackers out.
2. Use HTTPS Domains
Secure Sockets Layer (SSL), today implemented as its successor TLS, encrypts the information traveling between your site and the person accessing it. Secured websites are identified by “HTTPS” and a green padlock in front of the domain name.
This denotes that the site is secured through encryption and that its traffic is next to impossible to intercept. In fact, you can set up a free SSL certificate today using Let’s Encrypt. Securing the site in this way also boosts your SEO rankings, as Google now gives some priority to secured websites over non-secured ones. In fact, Google marks websites not protected with SSL as not secure.
Encrypting the information sent to your visitors eliminates the risk of data being read or altered in transit. This keeps information safe from snooping while reducing the risk of stolen login credentials.
In this environment, you’re helping yourself as well as those who visit your website.
Using HTTPS for your domain doesn’t make you hack-proof. It focuses on encrypting data transfers between your pages and the visitor.
However, it does prevent others from spying on that data transmission and accessing the visitor’s login credentials. This information could be used to gain access to the site in order to find other exploits.
3. Conduct Routine Tests for Vulnerabilities
The more popular your website becomes, the greater the need for security. By using a cyber-security firm, or security plugins if you use WordPress, to test your site, you can address exploitable weaknesses quickly.
Usually, these companies and plugins have extensive tools and capabilities for testing the limits of your website. When weighing the alternatives, security measures such as these can be enlightening for finding its weak points.
An extremely useful procedure is penetration testing. Essentially, you hire a cyber security company or use high-end software with the sole purpose of hacking your own site.
Since you’re in control during this procedure, there is less of a threat when discovering the holes in security. The resulting reports will show you the weak spots in your site and how to seal them up.
Validate All Code
Having security software routinely check your website’s code can eliminate the threat of cross-site scripting (XSS) attacks. By making sure the code is always legitimate, you improve online privacy protection for your visitors.
4. Use Security Plugins
Here are some known security plugins for the popular website platforms:
Sucuri
Sucuri’s web application firewall is probably one of the best protections you can get for your site. Sucuri monitors and protects your site from DDoS, malware threats, XSS attacks, brute force attacks, and basically every other type of attack. If you don’t have a firewall on your website, add one today.
W3 Total Cache
Speed is one of the most important SEO factors. Faster websites rank higher in Google, which means more visitors for your business website and more conversions.
Jetpack
Jetpack is a great WordPress plugin offering powerful features including enhanced security, improved site performance, plenty of content tools, and visitor engagement features. Additional features include spam-free comments, social sharing, related posts, post by email, and much more. Jetpack even offers a lightweight, responsive mobile theme option designed for phones and tablets.
Wordfence
Wordfence is one of the most popular WordPress security plugins. It keeps checking your website for malware infections, scanning all the files of your WordPress core, themes and plugins. If it finds any kind of infection, it notifies you. It claims to make your WordPress website 50 times faster and more secure; for speed, it uses the Falcon caching engine. The plugin is free, but a few advanced features are available to premium users. If you can afford it, do it.
The plugin blocks brute force attacks and can add two-factor authentication via SMS. You can also block traffic from a specific country. It includes a firewall to block fake traffic, botnets and scanners, and it scans your hosting for known backdoors including C99, R57 and others. If it finds anything, you instantly get an email notification.
It also scans your posts and comments for malicious code, and it supports multi-site. You can also watch the traffic on your WordPress website in real time and see whether any security threat is attacking your website.
BulletProof Security
BulletProof Security is another popular WordPress security plugin that takes care of various things. It adds firewall security, database security, login security and more. It comes with a four-click setup interface: just activate the plugin and relax, and it will take care of your website.
It limits failed login attempts, blocks security scanners, fake traffic and code scanners, and supports IP blocking. It keeps checking the code of WordPress core files, themes and plugins and notifies the admin of any known infection. It also optimizes the performance of your website by adding caching, and it comes with a built-in file manager for .htaccess. It protects WordPress websites against various vulnerabilities including XSS, RFI, CRLF, CSRF, Base64, code injection, SQL injection and many others, and it keeps its rules updated as new exploits and vulnerabilities appear.
All In One WP Security & Firewall
All In One WP Security & Firewall is another popular WordPress security plugin for checking vulnerabilities in your WordPress website. This plugin is easy to use and reduces security risk by applying recommended security practices.
Joomla Security Extensions
R Antispam prevents spam on forums (Kunena, NinjaBoard and ccBoard). It uses a Bayesian algorithm and works better alongside Akismet.
Once installed, you can go to System >> Global Configuration >> R-Antispam and configure the way you want.
Centrora Security has a built-in malware and security scanner that helps you identify security risks, malicious code, spam, viruses, SQL injection and security vulnerabilities.
This package is derived from OSE Firewall Security. You can do the following in the free version:
Brute Force Stop helps you prevent brute force login attacks. It stores details about failed login attempts so you can review them and take action. You can configure notifications about failed logins and blocked IP addresses.
Incapsula for Joomla lets you manage security and CDN from your Joomla admin, so if you are looking for performance with protection, it is worth a look. Incapsula helps you in many ways, including the following:
- Instant virtual security patching
- Unique bot detection technology to reduce spam and fake registrations
- Detect vulnerabilities
- Improve website performance by caching and optimization mechanism
- Advanced analytics
KeyCAPTCHA helps you stop forms being spammed by asking visitors to complete an easy interactive task.
Security Check’s web firewall helps protect against more than 90 attack types, including SQLi, LFI, XSS and session attacks.
Akeeba Backup is one of the most popular extensions and won the prestigious Administrator extension J.O.S.C.A.R. Award at J and Beyond 2010. It gives you one-click backup, exclusion of specific files/folders, restore, etc. Backups are essential for security.
How You Can Reduce Plugin Vulnerabilities
Vulnerable plugins are the top way that attackers gain access to WordPress sites. Reducing your plugin security risk is one of the most important aspects of protecting your site. There are a number of things you can do to limit this risk.
Use as Few Plugins as Possible
Every plugin you install on your website increases your “attack surface”. You are running more code, so your odds of having a security vulnerability exploited go up. Every plugin you add to your site also represents another developer you are relying on to keep you safe. That includes writing secure code, responding quickly to vulnerability reports and keeping your best interests in mind.
Only Download Plugins From Reputable Sites
If possible we recommend that you limit your plugin downloads to the official WordPress.org plugin directory. A great team of volunteers manages it, alongside a large community of users and security researchers helping out.
If you need to download a plugin from another site, you can use these tips to help determine whether the site is reputable:
- The site should pass the “eye test”: professionally designed and using clear language to describe the plugin.
- Look for a valid company name in the footer.
- You should be able to find a physical contact address on the contact page or in the terms of service.
- If you Google the domain name in quotes (e.g., “example.com”) you shouldn’t find any reports of malicious activity. Adding the words “malware,” “exploit” and “vulnerability” to your search may reveal additional information.
Choose Reputable Plugins
The WordPress.org plugin directory makes it really easy to evaluate plugins by providing a nice summary that gives you almost everything you need. Here’s what we suggest you pay attention to:
- The more recent the last update, the better.
- Check the number of active installs the plugin has. Some reliable and useful plugins have low install numbers, but you should still examine a plugin carefully if it has a low install base (below 1,000 active installs). It may not be maintained.
- It should be compatible with the current version of WordPress, though please note that immediately after a WordPress core release, a lot of reputable plugins will show a “Test up to:” value that is behind, as authors finish testing their plugin with the latest WordPress version.
- The average plugin rating should be high enough to instill confidence. The higher the rating, the better, obviously.
You should also periodically review your installed plugins to make sure they have maintained their good standing.
Delete Plugins Immediately When You Stop Using Them
We have written at length about the fact that the best way to secure data is to get rid of it. The same concept applies to WordPress plugins: removing plugins reduces your risk.
Keep Your Plugins Up to Date
Security vulnerabilities are constantly being discovered in WordPress plugins. In many cases, the details of the vulnerability will be made public, meaning that the entire world is given the information necessary to exploit the security vulnerability. In fact, the large majority of attacks we see on WordPress sites are attempts to exploit well-known security holes, some many years old. Instead of looking for new vulnerabilities, attackers look for site owners who don’t keep things up to date. Unfortunately, they continue to have success. You can stay ahead of the curve by simply keeping things up to date.
Many plugins like Wordfence include an auto-update feature. You should enable this in as many plugins as you can. For those for which you can’t, you should update to the latest version as soon as possible, especially if it includes a security fix.
Replace Abandoned and Removed Plugins
Have you ever started a project or hobby and gotten bored with it? That happens to WordPress plugin authors, too. In fact, it happens a lot. Back in May we wrote a post about abandoned plugins and found that, at the time, over 46% of plugins had not been updated in over 2 years.
Does that mean that they include a security vulnerability? Most likely not. What it does mean is that they represent a much higher risk than actively maintained plugins. We recommend that you not run plugins that haven’t been updated in over 2 years.
Another risk to keep an eye on is plugins that have been removed from the WordPress.org plugin directory. There are many reasons why the WordPress plugin team might remove a plugin, including having a security vulnerability that hasn’t been fixed. Since their policy is to not disclose why they removed a plugin, we recommend that you immediately remove plugins from your site that are removed from the WordPress.org directory.
This spring, we added a feature that alerts you when plugins have been abandoned or removed from WordPress.org.
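One way to apply the plugin rules above (unused, removed from the directory, abandoned for over 2 years, update pending, low install base) to an inventory, as an added example that is not code from the original article or from Wordfence. It assumes the per-plugin fields were gathered from WP-CLI’s plugin list and the WordPress.org plugin information API; the inventory below is constructed.

```python
"""Triage an installed-plugin inventory with the rules in this article.
Added example, not from the article or Wordfence. Assumes status/update as in
`wp plugin list --format=json`, last_updated/active_installs as in the
WordPress.org plugin info API, in_directory = still listed there. Sample is constructed.
"""
from datetime import date, timedelta

# Constructed inventory: names, dates and counts are made up for illustration.
INVENTORY = [
    {"name": "alpha-forms", "status": "active", "update": "available",
     "last_updated": "2024-01-10", "in_directory": True, "active_installs": 40000},
    {"name": "old-gallery", "status": "active", "update": "none",
     "last_updated": "2019-03-02", "in_directory": True, "active_installs": 500},
    {"name": "unused-widget", "status": "inactive", "update": "none",
     "last_updated": "2023-11-20", "in_directory": True, "active_installs": 12000},
    {"name": "pulled-seo", "status": "active", "update": "none",
     "last_updated": "2023-06-01", "in_directory": False, "active_installs": 3000},
    {"name": "clean-cache", "status": "active", "update": "none",
     "last_updated": "2024-05-20", "in_directory": True, "active_installs": 200000},
]

ABANDONED_AFTER = timedelta(days=2 * 365)  # "not updated in over 2 years"
LOW_INSTALL_BASE = 1000                    # "below 1,000 active installs"

def triage(plugins, today_iso):
    """Map each plugin name to its findings (action: reason); clean plugins are omitted."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for p in plugins:
        notes = []
        if p["status"] != "active":
            notes.append("remove: not in use, unused code only adds attack surface")
        if not p["in_directory"]:
            notes.append("remove: pulled from WordPress.org, reason undisclosed")
        if today - date.fromisoformat(p["last_updated"]) > ABANDONED_AFTER:
            notes.append("replace: abandoned, no update in over 2 years")
        if p["update"] == "available":
            notes.append("update: newer version available, may carry a security fix")
        if p["active_installs"] < LOW_INSTALL_BASE:
            notes.append("review: low install base, confirm it is still maintained")
        if notes:
            findings[p["name"]] = notes
    return findings

if __name__ == "__main__":
    for name, notes in triage(INVENTORY, "2024-06-01").items():
        print(name)
        for note in notes:
            print("  -", note)
```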
Install a WordPress Firewall
Every now and then an attacker will discover a zero-day vulnerability in a WordPress plugin and start attacking sites. In these cases, if you are unlucky enough to be running the vulnerable plugin, having the latest version installed will not help protect your site. That’s where a web application firewall, or WAF, comes in. Web Application Firewalls examine the traffic hitting your site, filtering out malicious requests.
The Wordfence firewall includes a robust set of protections against the most common attacks on WordPress websites. These include SQL Injection, Cross Site Scripting, Malicious File Uploads, Directory Traversal and many more. In addition, when a new security vulnerability emerges, our security analysts quickly develop code to protect for that specific threat in the form of a “firewall rule.” These firewall rules are deployed in real time to Wordfence Premium customers via the Threat Defense Feed. Free sites receive them 30 days later.
5. Deny Access Through .htaccess
The .htaccess file can be used to help eliminate access to your login page from any IP address other than your own. Although there are ways to circumvent this measure, it’s still a very useful stopgap to prevent those looking for an easy target.
This kind of method is ideal for websites that use WordPress or another content management system. You can edit the .htaccess file with Notepad or with an online editor such as the one provided by cPanel.
In the .htaccess file located in your admin folder, enter the following (note that restricting the whole admin folder in WordPress also blocks admin-ajax.php, which some themes and plugins call from public pages, so test the site afterwards):
order deny,allow
deny from all
allow from XXX.XXX.XXX.XXX
In place of the “X”s, use the public IP address assigned to you by your Internet service provider. If others work on the site with you, simply add another “allow from” line under the first with their IP addresses. These directives are the Apache 2.2 syntax; on Apache 2.4 they work only while the mod_access_compat module is enabled, and the native equivalent is the Require directive.
The downside to this method is that you must keep it updated should your IP address change. Not everyone pays for a static IP, and many ISPs will change the number you use once every eight days or so.
One way around this problem is to enter only the first two octets of the IP address followed by a dot, for example “123.45.” Apache treats this as a prefix, so you can continue accessing those pages from any address in that ISP’s range, at the cost of also admitting every other customer of that ISP whose address shares the prefix.