5 Tips to Keep Your Website Safe and Secure
Previously on Web Design Dev, we published a post on how to make your WordPress site hack-proof by using a WordPress plugin named WP Admin Block. But if you do not use WordPress, what other precautions should be taken to ensure that your site is kept safe?
Here are 5 of the most effective ways to keep your website secure.
Passwords and Error Messages
Complex passwords are vital for security. Everyone knows this, but many of us still use simple and vulnerable passwords. It is important to use complex passwords for your server and admin areas, and to insist that users logging into accounts on your site follow suit. You should enforce strong password requirements on your users by requiring a minimum number of characters and a mixture of upper- and lower-case letters, numerals and even punctuation. You can integrate a password generator or a password rater. Contrary to what you may believe, as this article here shows, passwords such as K1araJOhnsOn or momof2g8kid$ are not at all strong.
Within your site, passwords should always be stored in hashed form rather than as plain text, using a hashing algorithm such as SHA. This means that when you authenticate users, you are comparing hashed values, never the passwords themselves.
Additionally, ensure that your error messages are vague. If you have a login form on your site, when either the password or username is entered incorrectly, your error message should say just that, and nothing else. If an attacker is attempting to use brute force to gain access to an account and you specify whether it is the password or the username that is incorrect, they can then focus all their attention on that field. Therefore, “Incorrect username or password” is safer.
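The three points above (a password policy, hashed storage, and a single generic login error) put together as an added Python example; this is not code from the original post. It assumes a constructed in-memory user store, and uses salted PBKDF2-HMAC-SHA256 rather than a bare SHA digest, because a plain, unsalted SHA hash of a password is fast to brute-force offline.

```python
import hashlib
import hmac
import os
import string

# Constructed in-memory user store for the example: username -> (salt, hash).
USERS = {}

GENERIC_ERROR = "Incorrect username or password"


def password_is_strong(pw, min_len=12):
    """Policy from the post: minimum length plus upper- and lower-case
    letters, a numeral and a punctuation character."""
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_punct = any(c in string.punctuation for c in pw)
    return len(pw) >= min_len and all((has_upper, has_lower, has_digit, has_punct))


def hash_password(pw, salt=None):
    """Salted, slow hash: a random per-user salt means equal passwords give
    different stored values, and 200k PBKDF2 rounds slow down guessing."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 200_000)
    return salt, digest


def register(username, pw):
    """Reject weak passwords; store only salt and hash, never the password."""
    if not password_is_strong(pw):
        return False
    USERS[username] = hash_password(pw)
    return True


def login(username, pw):
    """Return (ok, message). The message is identical whether the username
    is unknown or the password is wrong, so the form reveals neither."""
    salt, stored = USERS.get(username, (None, None))
    if stored is None:
        # Do the same work for unknown users so response time does not
        # reveal whether the username exists.
        hash_password(pw, b"\x00" * 16)
        return False, GENERIC_ERROR
    _, candidate = hash_password(pw, salt)
    # Constant-time comparison of the two hashes.
    if not hmac.compare_digest(candidate, stored):
        return False, GENERIC_ERROR
    return True, "Welcome"
```

Both example passwords quoted in the post fail the policy check: one has no punctuation, the other no upper-case letter.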
Do not dismiss updates
It may sound obvious, but keeping all the software you use up to date is one of the most effective ways to ensure that your website remains secure. This applies to the server operating system that you use as well as any other software that is in operation on your website. Managed hosting solutions generally keep the software they use updated themselves. If you are using third-party software such as a CMS (like we do on WebDesignDev) or forum software, you will likely be notified when you need to update. When a company releases software, it is often not aware of every potential weakness. When it discovers a vulnerability, it will offer an update to rectify it. Do not put this off. Known software vulnerabilities are easy for hackers to exploit.
SSL and EV SSL
SSL provides security when passing sensitive or valuable information between your website and your database. An EV SSL certificate offers an even higher level of security; it grants your website the highest level of trust and authentication available today on the net. EV SSL was designed to protect customers on e-commerce sites from phishing attacks. In terms of keeping your email inboxes clean, it is worth checking (if you are not already aware) what information of yours is available in the public domain. You can use a WHOIS domain lookup like this one offered by 1&1 to see whether information such as your admin email address, office address, registry domain ID and registrant name is available for anyone to see, or whether your web provider has placed their own information there instead in order to shield yours.
Back-ups
Contrary to common assumption, most hosting providers do not back up your website; this is your responsibility. WordPress has plug-ins that allow sites to automatically send full backups directly to a Dropbox or Gmail account. Services like Carbonite or Mozy can back up your website and your database files every night. However you choose to back up your site, ensure you do so at least once a month, and keep this backup in a separate location.
DDoS protection
Even for those sites which are hosted by strong web providers, it is a good idea to connect to a specialist DDoS protection service. If you are running an NGO, eQualit.ie provides a free service called Deflect, which will take 99% of the traffic heading towards your site onto their own infrastructure, deploying various types of mitigation technology and botnet identification. Those who have larger budgets can look at services like Cloudflare, which offer a similarly high level of protection.