Whatever kind of website you have, whether it is an educational one, a fun one, or a business one, you should always think about protecting it from malicious users. In this article I’ll show you 5 easy-to-follow steps that can help you accomplish that:
1. Harden the server and update it.
After the initial setup of your web server and its sites you need to make sure that everything that’s not necessary is disabled. FTP, for example, can be a big hole in your security. Whenever a new update is released, make sure you deploy it as fast as you can, but don’t forget to test it in a lab environment first. It’s never a good idea to apply new and untested patches directly to production servers. Don’t forget to update all of the components of your website, including the operating system that hosts it, the platform of the website (WordPress, Joomla, Drupal, etc.), and any installed plugins.
2. Backup the data regularly.
You should think about disaster recovery planning for your whole IT infrastructure, and for your web servers and web sites in particular. You should have a carefully documented and tested procedure in case of a natural disaster, a failed component, or a hacker’s attack. Make sure you do full backups regularly (at the end of each week, for example) and incremental/differential backups every day, or even twice a day if necessary.
3. Forget about insecure communication like FTP. Use SFTP (Secure FTP) instead.
FTP and some other protocols (Telnet and HTTP, for example) have no security built into them at all. This means that all accounts, passwords, and even data are transmitted in clear text, making it extremely easy for an intruder to sniff them on your network. That’s why you should avoid these protocols whenever possible. You can easily use SFTP and HTTPS for secure communications with your site.
4. Input data validation.
The best advice for all of the code in your website is to strictly validate input data wherever there is any kind of input. For example, if you have an input field for a name, it shouldn’t allow users to enter digits or special characters, only letters. Furthermore, you can limit the field by size (no more than 150 characters, for example). If you have an input field for a number, you can limit it to digits only and not allow even negative values. If the value is something specific to your business, feel free to limit it even more. For example, if all of your products’ names start with a letter followed by four digits, you can apply that restriction to the input field to make sure that your users are searching only for your products. If the input field is year of birth, then you may want to limit it to living persons only, no more than 100 years old for example.
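The allow-list rules described above, written out as server-side validation functions. This is an added example and not code from the article; the field names, error messages and sample form values are constructed for illustration.

```python
import re
from datetime import date
from typing import Callable, Dict, Optional, Tuple

# Allow-list patterns for the fields the article describes.
NAME_RE = re.compile(r"[A-Za-z]+")            # letters only
NUMBER_RE = re.compile(r"[0-9]+")             # digits only: "-5" and "4.2" are rejected
PRODUCT_RE = re.compile(r"[A-Za-z][0-9]{4}")  # one letter followed by four digits
MAX_NAME_LEN = 150
MAX_AGE = 100

def validate_name(value: str) -> bool:
    # fullmatch is used so a trailing newline cannot slip past a "$" anchor
    return len(value) <= MAX_NAME_LEN and NAME_RE.fullmatch(value) is not None

def validate_quantity(value: str) -> bool:
    return NUMBER_RE.fullmatch(value) is not None

def validate_product_code(value: str) -> bool:
    return PRODUCT_RE.fullmatch(value) is not None

def validate_birth_year(value: str, today_year: Optional[int] = None) -> bool:
    # Only living persons: a year within the last MAX_AGE years, never in the future.
    today_year = today_year if today_year is not None else date.today().year
    if NUMBER_RE.fullmatch(value) is None:
        return False
    year = int(value)
    return today_year - MAX_AGE <= year <= today_year

# Hypothetical field names; each maps to its check and the message shown on failure.
CHECKS: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "name": (validate_name, "letters only, at most 150 characters"),
    "quantity": (validate_quantity, "non-negative whole number"),
    "product": (validate_product_code, "one letter followed by four digits"),
    "birth_year": (validate_birth_year, "year within the last 100 years"),
}

def validate_form(form: Dict[str, str]) -> Dict[str, str]:
    """Return a field -> error message map; empty when every field passes.
    A missing field is treated as a failure rather than silently skipped."""
    return {
        field: message
        for field, (check, message) in CHECKS.items()
        if field not in form or not check(form[field])
    }

# Constructed sample submissions, not real user data.
GOOD_FORM = {"name": "Alice", "quantity": "3", "product": "A1234", "birth_year": "1990"}
BAD_FORM = {"name": "Al1ce", "quantity": "-1", "product": "1234A", "birth_year": "1800"}

if __name__ == "__main__":
    print(validate_form(GOOD_FORM), validate_form(BAD_FORM))
```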
5. Accounts management.
If an intruder has targeted your website, he or she will very likely try to brute-force it by attempting to log into an administrative account, or into any account at all. There are a few steps you can take to limit the probability of success. First, you may want to limit the number of times your users may enter a wrong password before their account is suspended or even blocked. This is usually done through a plugin for your website. The second thing you can do is to disable any known built-in account and create new ones of your own. The three most commonly targeted usernames for brute-force attacks are administrator, admin, and backup. You can easily create different accounts with administrative privileges and use those instead. Let’s assume that the intruder has already found your administrative user’s name. The next step you can take is to make sure its password is strong enough. Here a password keeper and/or generator of some kind comes in handy (KeePass is one example, but there are many more). These software solutions allow you to generate very long and complex passwords and to save them in a secure way. When you need the password to enter your website’s admin panel, you simply copy it from the password keeper.
When you’ve covered all of the above steps, you may think about monitoring your website’s availability. By doing so, you will know that in case of a problem you will be notified quickly enough to take corrective action. Monitis and monitor.us can help you do the monitoring.