10 Ways To Beef Up Your Website’s Security


However, I’d argue that the factor that plays the biggest role in the continuing success of hackers is a lack of awareness and vigilance on the part of software users and website owners.

Sorry to say, but it’s people who use “password” as their password for everything and those who have two-year old antivirus software that embolden hackers. If everyone was more committed to protecting their own data, then hackers would have a much harder time. As it is, so many people are blissfully unaware of their own vulnerability that, for hackers, it’s a numbers game – try enough websites and eventually they’ll find a vulnerable one to exploit. But that site doesn’t have to be yours!

Here are 10 effective ways to thwart the best efforts of hackers:

Website Security Tips

Keep Your Versions Updated

This is one of the simplest ways to stay a step or two ahead of the hackers. By installing the newest versions and updates of Windows, WordPress, and your antivirus platform, you make your applications or website just tough enough to crack that hackers won’t bother with your site and will instead move on to some other site whose owner hasn’t been as vigilant.


Beef Up Your Passwords

Ok, it’s 2010. The web’s been around for some time now. Isn’t it time you changed your password from your spouse’s name, “123456” or the dreaded “password?” If this past year taught us nothing else, it’s that people are surprisingly lax when it comes to choosing passwords for even their most sensitive accounts.

Pick strong ones and use different ones for your banking info and email, your cPanel, and your FTP accounts – otherwise, your info and your site are vulnerable.
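As an added example (not part of the original article), the two halves of this tip in code: a check that rejects the short, well-known or personal-name passwords the article warns about, a generator that draws from the operating system's CSPRNG, and a reuse check across accounts. The common-password list and the account names are constructed for the example.

```python
import secrets
import string

# Constructed denylist of well-known weak choices; a real check would use a much
# larger breached-password list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "password123456"}
MIN_LENGTH = 12


def is_weak(password, personal_words=()):
    """True if the password is short, on the common list, or contains a personal word
    such as a spouse's name (case-insensitive): the choices the article warns against."""
    lowered = password.lower()
    if len(password) < MIN_LENGTH or lowered in COMMON_PASSWORDS:
        return True
    return any(w and w.lower() in lowered for w in personal_words)


def generate_password(length=20):
    """Random password drawn from the OS CSPRNG via `secrets`, never `random`."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def unique_passwords(accounts, length=20):
    """One independent random password per account (banking, email, cPanel, FTP...)."""
    return {name: generate_password(length) for name in accounts}


def find_reuse(passwords):
    """Return groups of accounts that share one password: a leak of any one of
    them then exposes all of them."""
    by_password = {}
    for account, pw in passwords.items():
        by_password.setdefault(pw, []).append(account)
    return [tuple(group) for group in by_password.values() if len(group) > 1]


if __name__ == "__main__":
    # Constructed sample accounts from the article's own list.
    vault = unique_passwords(["banking", "email", "cpanel", "ftp"])
    for name, pw in vault.items():
        print(f"{name:8s} weak={is_weak(pw)}")
    print("reused:", find_reuse({"banking": "password", "email": "password"}))
```

The reuse check is the part people skip: a password manager solves it for you, but if you keep your own list, `find_reuse` over that list tells you immediately which accounts fall together.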

Lock Down Your File Permissions

Do you know what your file and folder permissions are set at? Some applications require them to be set to the wide-open “777” (readable, writable and executable by everyone on the server) to install, and then most of us forget to set them back to either “755” for folders or “644” for files. Double check yours to make sure.
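An added example, not from the article, of how to "double check" this without clicking through every folder in cPanel: walk the web root, flag anything that group or others can write to (which is what makes 777 dangerous on a shared server), and optionally reset files to 644 and directories to 755. The sample web root it builds is a constructed throwaway directory; point `audit_permissions` at your real document root instead.

```python
import os
import stat
import tempfile

FILE_MODE = 0o644   # owner read/write, everyone else read-only
DIR_MODE = 0o755    # owner full, everyone else read + traverse
# Any write bit for group or others is what makes a "777" entry dangerous on shared hosting.
GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_permissions(root):
    """Walk root and return (path, current_mode, expected_mode) for every file or
    directory that group or others can write to. Symlinks are skipped so that a
    link pointing outside the web root is never followed or chmod'ed."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        candidates = [(dirpath, DIR_MODE)]
        candidates += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, expected in candidates:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & GROUP_OR_WORLD_WRITE:
                findings.append((path, mode, expected))
    return findings


def fix_permissions(root, dry_run=True):
    """Reset flagged entries to 644 (files) / 755 (directories). With dry_run=True
    nothing is changed, only reported: the sensible first pass on a live site."""
    report = []
    for path, mode, expected in audit_permissions(root):
        if not dry_run:
            os.chmod(path, expected)
        report.append((path, oct(mode), oct(expected)))
    return report


def make_demo_tree():
    """Constructed sample: a throwaway web root with one 777 file and one 777
    directory, mimicking what an installer can leave behind."""
    root = tempfile.mkdtemp(prefix="webroot_")
    config = os.path.join(root, "config.php")
    uploads = os.path.join(root, "uploads")
    with open(config, "w") as fh:
        fh.write("<?php // constructed placeholder\n")
    os.mkdir(uploads)
    os.chmod(config, 0o777)
    os.chmod(uploads, 0o777)
    return root, config, uploads


if __name__ == "__main__":
    root, _, _ = make_demo_tree()
    for entry in fix_permissions(root, dry_run=True):
        print("would fix", entry)
    fix_permissions(root, dry_run=False)
    print("remaining findings:", audit_permissions(root))
```

Run it in dry-run mode first and read the report: an upload directory that the web server must write to is a legitimate exception, and on a suPHP host even that usually needs no more than 755 because the scripts already run as your own user.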

Mind Your Links

Do you really know what kind of site you’re linking to from your site? According to experts, so-called “open redirects” are a major cause of attacks that are perpetrated through browsers. We all know what happens when we click on a bad link; now imagine what the result will be when you put a bad link on your site. Only link to sites you trust completely.
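The article names open redirects but does not show what one looks like on your own site: typically a `?next=` or `?url=` parameter that the script forwards to without checking, so a phishing link can carry your trusted domain and still land the visitor somewhere else. The following is an added example (not the article's code) of the validation a redirect handler should perform; `ALLOWED_HOSTS` is a constructed allow-list standing in for your own domains.

```python
from urllib.parse import urlsplit, urlunsplit

# Hostnames the site may legitimately redirect to; constructed for the example.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Validate a user-supplied redirect destination (e.g. a ?next= parameter).
    Returns it only if it is a local absolute path or an http(s) URL on an
    allow-listed host; anything else falls back to `default`, which closes the
    open redirect."""
    if not target or any(c in target for c in "\r\n\x00"):
        return default                      # empty, or header-injection characters
    cleaned = target.replace("\\", "/")     # browsers treat '\' as '/', so normalise first
    parts = urlsplit(cleaned)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default                      # javascript:, data:, ftp: ...
    if parts.netloc:
        if parts.username is not None or parts.password is not None:
            return default                  # https://www.example.com@evil.example
        if (parts.hostname or "") not in allowed_hosts:
            return default                  # //evil.example or https://evil.example
        return cleaned
    if not parts.path.startswith("/"):
        return default                      # relative 'evil.example' or empty path
    # Rebuild without scheme/netloc so 'http:/evil.example' collapses to a local path.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs: one legitimate, the rest common bypass attempts.
    for candidate in ["/account", "//evil.example/", "https://www.example.com@evil.example/",
                      "/\\evil.example", "javascript:alert(1)", "https://www.example.com/x"]:
        print(f"{candidate!r:45s} -> {safe_redirect_target(candidate)!r}")
```

The design choice is an allow-list of hosts plus a fallback, rather than a deny-list of bad prefixes: the normalisation steps (backslashes, userinfo, scheme-less `//`) exist precisely because browsers accept more URL spellings than a simple `startswith("/")` check anticipates.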

Use FTPS For Transfers

With this handy tool, all your FTP transfers are done using SSL. In fact…

Use SSL To Send Emails

Use this especially if, somewhere in any of your millions of untrashed emails, you’ve ever sent sensitive info via email.
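Both of the last two tips come down to the same thing: plain FTP and plain SMTP send your username, password and content in the clear, and TLS fixes that. As an added example (not from the article), here is how the two transfers look from a script using Python's standard library, sharing one strict TLS context. The host, account and file names are hypothetical values the caller supplies; only `build_tls_context` runs without a server.

```python
import ssl
import ftplib
import smtplib
from email.message import EmailMessage


def build_tls_context():
    """Strict client-side context shared by both transports: verify the server
    certificate against the system CA store, check the hostname, refuse < TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_summary(ctx):
    """Plain-data view of the settings that matter, handy for a pre-deployment check."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def ftps_upload(host, user, password, local_path, remote_name, port=21):
    """Explicit FTPS (AUTH TLS): the control channel is encrypted *before* the
    credentials are sent, then PROT P encrypts the data channel (file contents,
    directory listings) as well. host/user/password are hypothetical caller values."""
    with ftplib.FTP_TLS(context=build_tls_context()) as ftp:
        ftp.connect(host, port, timeout=30)
        ftp.auth()       # upgrade to TLS first; login() over a clear socket would leak the password
        ftp.login(user, password)
        ftp.prot_p()     # without this only commands are protected, not the files
        with open(local_path, "rb") as fh:
            return ftp.storbinary(f"STOR {remote_name}", fh)


def send_mail_tls(host, user, password, sender, recipient, subject, body, port=465):
    """SMTP over implicit TLS (SMTPS, port 465): the whole session, AUTH and the
    message body included, travels inside the TLS tunnel."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    with smtplib.SMTP_SSL(host, port, context=build_tls_context(), timeout=30) as smtp:
        smtp.login(user, password)
        return smtp.send_message(msg)   # {} means every recipient was accepted


if __name__ == "__main__":
    print(context_summary(build_tls_context()))
```

The detail worth checking in any client you use is the order of operations in `ftps_upload`: AUTH TLS before USER/PASS, and PROT P before any transfer. A client that logs in first and only then negotiates TLS has already sent the password in plaintext.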


Make Sure Your Web Host Runs suPHP

Under normal PHP, scripts run as the shared web-server user “nobody,” so every site on the server runs under the same identity and your script is open access. With suPHP, scripts run as your own user, so access is limited to that user or to those explicitly granted permission. Not all hosts use suPHP, so make sure your host does and set up another potential roadblock for hackers.

Speaking of Hosts

Not all hosts are the same when it comes to ensuring your website’s security. Not all offer round-the-clock active server monitoring, or even suPHP (see above), so choosing a host that takes your security seriously takes a little legwork.

Look Beyond Shared Hosting

If your website is your livelihood, then it might be the case that no amount of security talk and password strength can make you feel safe enough. If your site is critical to your operations, then you might want to consider VPS hosting so that you can have peace of mind.

A VPS is inherently more secure due to its separation from other sites, and you can create custom firewalls and install other security measures that most hosts won’t allow on shared accounts. Basically, a VPS allows you to take a more active role in your website’s security.

Be Savvy


If you know what you’re looking for, then you’re making a hacker’s job more difficult. Most hackers, if they come across a site that’s locked down tightly, would just as soon move on to another that offers easier access. You can make your site not worth the trouble by regularly scanning your logfiles for code that doesn’t belong, not installing suspicious WordPress plugins, and basically just being aware of what’s going on inside your site.
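"Regularly scanning your logfiles for code that doesn't belong" is easier with a small script than by eye. As an added example (not the article's), the following parses Apache combined-format access log lines and flags three things a site owner should recognise: PHP executed out of the uploads directory (uploads should hold images, not scripts, whatever the file is called), directory-traversal sequences, and code-execution strings in the query. The log lines are constructed for the example, with documentation-range IP addresses.

```python
import re
from collections import Counter

# Apache "combined" log format; constructed sample lines below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Order matters: the first matching rule labels the line.
SUSPICIOUS_PATTERNS = [
    ("php in uploads", re.compile(r"^/wp-content/uploads/.*\.php", re.I)),
    ("directory traversal", re.compile(r"(\.\./|\.\.%2f)", re.I)),
    ("code execution in query", re.compile(r"(eval\(|base64_decode|php://|system\()", re.I)),
]

SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2010:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Dec/2010:10:01:03 +0000] "GET /wp-content/uploads/2010/12/photo.jpg HTTP/1.1" 200 80211 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Dec/2010:10:02:10 +0000] "POST /wp-content/uploads/2010/12/image.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.77 - - [12/Dec/2010:10:02:11 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 221 "-" "Mozilla/4.0"
198.51.100.77 - - [12/Dec/2010:10:02:12 +0000] "GET /index.php?cmd=eval(base64_decode(ABCD)) HTTP/1.1" 403 180 "-" "Mozilla/4.0"
""".splitlines()


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines):
    """Apply the rules to each request path. A hit that the server answered with
    200 is 'high' (the request reached something); anything else is 'low', i.e.
    a probe that was rejected but still tells you someone is looking."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue    # a production scanner would count malformed lines too
        for label, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(rec["path"]):
                findings.append({
                    "ip": rec["ip"], "path": rec["path"], "status": rec["status"],
                    "rule": label, "severity": "high" if rec["status"] == "200" else "low",
                })
                break
    return findings


def top_sources(findings):
    """Client addresses ranked by number of flagged requests."""
    return Counter(f["ip"] for f in findings).most_common()


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']:4s}] {f['ip']:15s} {f['status']} {f['rule']:24s} {f['path']}")
    print("top sources:", top_sources(SAMPLE_LOG and scan_log(SAMPLE_LOG)))
```

The "high" finding is the one to act on: a successful POST to a `.php` file under `uploads/` means a script is sitting where only media should be, and the file itself, plus whatever wrote it there (an outdated plugin, a stolen FTP password), is what you go looking for next.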

These 10 tips are just the basics, really – they’re a way to get everyone thinking about all the factors that go into running a secure site. If you make it a habit to keep an eye on things and keep everything up to date, then you’re a much less attractive target to hackers than many other site owners out there.

For more info on the most common security lapses across the Web, check out the Top 25 Most Dangerous Programming Errors (http://cwe.mitre.org/top25/). It should serve as a real eye-opener.

Additional Security Resources


Blue Derkin is a Project/Social Media Lead at InMotion Hosting, a leading web hosting company. He lives in Los Angeles and enjoys reading, writing, and staying away from arithmetic. You can find more of his writings at Web Hosting Help Guy.

  1. 1

    It’s always useful to be reminded about these aspects.
    I’ve been using LastPass for generating secure passwords, and I don’t have to remember them anymore, LastPass does it for me.

    -1
  2. 2

    Great article, it’s amazing the amount of people who still use the most generic of passwords.

    -1
  3. 3

    Great post, I could definitely learn a thing or two, as one of my older websites was hacked, and I’m now trying to take more precautions when launching a site today.

    -1
  4. 4

    helpful, being savvy is important.

    -1
  5. 5

    Thanks for a great article Blue, very informative. Hopefully people will read this and go and change their “password123456” right now!

    -1
  6. 6

    Thanks for the good words, everyone! And thanks for the tip on LastPass, Paul!

    -1
  7. 7

    Basic defense skills should be taught at an early age, like children riding bikes. That way, the proper habits form so you’re a lot more air-tight but ever vigilant about hacker attacks.

    China has their cyber army ready. But are you ready to defend?

    By the way, why does it have to be “beef”? What about chicken or fish?

    -1
  8. 8

    Hello Author,

    I liked this article. Definitely helpful…

    But there are a few things that I’d have loved it if you’d explained a bit more.

    The heading “Use FTPS For Transfers”. You’ve just written it in one line and I don’t get anything out of it… seriously. Could you please explain why to use FTPS and the cons of not using FTPS.

    Thank you.

    -1
  9. 9

    What web host does Design Informer use?

    -1
  10. 10

    Useful website security information… I will go for FTPS for file transfer.

    Thanks!

    -1
  11. 11

    Really a helpful article for the newbies and the established webmasters, as most of the time we neglect this aspect and pay the price for it.

    -1
  12. 12

    Great information!

    I’d like to add one other thing to the list, which I guess would make it 11 Ways to Vegetable Up Your Website’s Security. (I thought I’d bow to the vegetarians out there).

    One of the most common ways we’ve seen websites getting hacked is by stolen passwords. These passwords are stolen by a virus on a PC that’s used for FTP to the website.

    The password works in basically two ways.

    First, if the user is using a free FTP program like, say, FileZilla, then the virus looks for the plain text file that FileZilla uses to store the login credentials so you don’t have to type them in each time. For instance, the latest version of FileZilla on a Windows XP box stores them in:

    C:\Documents and Settings\(username)\Application Data\FileZilla\sitemanager.xml

    In that file the hacker has everything they need to login to a website. The virus sends this information to a server which downloads either the entire site or just selected files, infects them, then uploads back to the website. Quite often the server then monitors the site to see if their infection is still there.

    The second way the virus works is by “sniffing” the outgoing FTP traffic. Since FTP transmits all data, including username and password, in plain text, it’s easy for the virus to see and steal the login credentials that way as well. Which is why, I’m assuming, Blue suggested FTPS or you can also use SFTP. Both of those protocols encrypt their data as it’s transmitted so it’s more difficult to sniff. I have a YouTube video that shows this:

    http://www.youtube.com/watch?v=oYI1kssrrbc

    To prevent this virus from ever getting your password, you can use a program like WS_FTP from Ipswitch. I’m not from that company but I do like and use their product. It stores the password in an encrypted format on your PC so it’s more difficult to use.

    So, if you use FTPS or SFTP and switch your FTP software to something that encrypts the password, you’ll be a step or two ahead of the hackers.

    That’s my two cents.

    Again, great information. Keep up the good work Blue.

    -1
  13. 13

    The first tips are obvious, but the others are really worthy! Very nice compilation. Separate thanks for the links!

    -1
  14. 14

    Agreed! This article does help a lot in dealing with web security.

    0
  15. 15

    Gonna try this. Safety first. Thanks.

    -1
  16. 16

    Thanks for sharing this post and the great tips. As usual DI did it again.

    -1
  17. 17

    Great article on a very sensitive issue, I’ll follow all your suggestions like a good boy ;) thanks for sharing

    -1
  18. 18

    Very useful tips and great article. Lock Down Your File Permissions is the one most people forget; thanks for bringing that up.

    -1
  19. 19

    I think Blue is referring to SFTP or SSH File Transfer Protocol. SSH is secure shell, which may or may not be familiar to you. If you have the option I’d block the FTP port altogether and go through SFTP… and if you’re just using SSH it helps to lock that down with a key specific to the systems you use. This can be cumbersome if you’re trying to get things done away from your personal terminal, but there’s plenty of smartphone apps for that.

    Most FTP clients also support SFTP, so try to click around your own and see if it does.

    -1
  20. 20

    Great article! Also think about installing a software firewall into your apps to recognise common attacks and keep it up to date.

    -1
  21. 21

    Hackers don’t attack. Crackers do. Hackers are people who learn and push technology forward, not people who do damage.

    This article is totally misleading your readers.

    -2
  22. 22

    Thanks for sharing; 777 is really one that people usually miss.
    Special thanks to Raef, you saved my life, I have almost 500 passwords there, just checked that………

    Bundle of thanks, Raef, again

    -1
  23. 23

    Great tips. I use Mitto (http://mitto.com) to generate and manage my passwords so that I can keep them each unique and strong.

    -1
  24. 24

    Thanks for a helpful and very well written article, as your tips force me to look at VPS for my sites :)

    -1
  25. 25

    I cannot agree on VPS. They are a great target of hackers and I had a very bad experience @ (vpsland.com).

    -1
  26. 26

    “Make Sure Your Web Host Runs suPHP”
    This is a little short… suPHP is only one way, there are also other tools that can do this, like FastCGI (since PHP 5.3.3 PHP-FPM is bundled) or mod_ruid2.

    VPS: something you should ONLY ‘consider’ if you have the knowledge. YOU must configure the whole operating system in the virtual system, and that includes installing software, updates, firewall, etc. If you choose a VPS only because it’s safer, search for a better host.

    -1
  27. 27

    Another good step would be to use SSH keys. You could also change your SSH port. (This is if you’re running a VPS.)

    -1
  28. 28

    I don’t quite agree that a VPS is much safer than shared hosting. The biggest problem with a VPS is that you have to configure it and secure it, which is hard and imposes a lot of risks. Second, many web hosting companies have chroot-ed environments which offer similar security to that of a virtual private server.

    -1
  29. 29

    I’ve heard of many instances where the base VPS install includes an older version of some software that isn’t even used, and that allows hackers in.

    For instance, if the standard VPS install includes an older version of phpmyadmin, and the user doesn’t use phpmyadmin so they never realize it’s installed, they don’t update it, so hackers scan for it, find it and exploit it. Now the VPS is hacked.

    -1
  30. 30

    Using a VPS requires quite a bit of know-how to make it safe and hack proof. We recently covered CloudFlare, which is a very good solution for website security. Many people have found it an easy and affordable solution to website security issues.

    http://webscopia.com/2010/12/cloudflare_web_application_security/

    -1
  31. 31

    At shared hosting your hoster should at least use suPHP, mod_security, CSF, and a secure and updated kernel. Users should never use software that is not legal.

    -1
  32. 32

    Great tips. Hosts vary considerably in security practices. Never assume that the host has updated your application or even your OS. With many providers, I often find outdated install images.

    Also be wary of turn-key, one click installers. Many of these are very outdated. If you do use one of these, immediately update your software. I have seen many WordPress sites hacked because the client used a one-click tool to do the install.

    Also, you don’t have to be a target. Most of these exploits are done by random scanners. So be sure to update, update, update.

    -1
  33. 33

    Excellent advice!

    Although, after hardening your website configurations, it is important to test it! Did I do a good job? Is there anything else that should be tightened up or reconfigured?

    There are many website security scanners available on the market. Some are free, some not. Make sure to regularly scan/audit your website/blog for potential vulnerabilities.

    I’ve used this scanner before. They found some security problems on my blog and gave some easy to follow solutions to fix them : http://itsecurityadvice.net

    2
  34. 34

    Many website services are only automated scanners. To get a real assessment you have to use professionals. I say this because I work in the ITSEC field and know what I’m speaking about. Check easyaudit.org because they are the best, both as quality service and business model.

    0
