Website Tips


Friday, 14 July 2017 22:19

Making sure your website is secure

Written by 
Rate this item
(0 votes)
Website Top Security Website Top Security

Having your website hacked can be a costly problem to repair and it will have negative effects on traffic.

People may not return to your site if they feel it's not a safe place to visit.

No matter the type of website you are running, keeping it secure is a must.

 

Popular CMS / blogs like WordPress or Joomla or Ecommerce such as PrestaShop and Magento all at times have security problems.

Once a security problem is discovered hackers will comb the net with their bots looking for the newly discovered problem.

When they find it, they will hack that website and either deface it, install a virus on it or make use of the email service for either spam or the purpose of spreading a virus.
The number of hackers over the past ten years has grown substantially.

Every server on the internet gets hit by hackers every day and the number of hackers per server is growing.

There are an estimated 75 million servers powering the internet and yet the hackers manage to hit every one of them every day.

These servers are not the only target which hackers go after as they also target personal PC's.

To avoid the major problem of being hacked you need be well informed on security problems.

Following these steps will cover the common problems that lead to the disaster of a hacked website.

 

First is to be sure everyone that has login access to your website is trusted.

Access should only be given to a small number of employees as the fewer there are the less chance of a mishap.

Each employee must have Anti-Virus on their PC which has subscriptions renewed every year without fail.

One of the methods hacker use to gain control of a website is by depositing spyware on a users PC.

That spyware looks for FTP passwords and if found will quickly take control of the website.

A user can be infected by this type of spyware by either email or by visiting an infected website.

         

Anti Virus programs such as Kaspersky or McAfee do an adequate job of blocking email infections.

To block websites, you will need to adjust your router to use a DNS service that blocks known bad websites.

Comodo, Norton ConnectSafe or Dyn have such features and are free to use.

In addition, quality routers allow you to block websites that you find could be a problem.
Change the settings in your router to use one of DNS services.

X rated websites are one of the number one causes of PC infections.
If you find a user viewing a site that is X Rated and gets past the blocking features of both the DNS service and the router then block it right away.

Have your ISP provide you with a dedicated IP is a must.
Most business accounts from popular ISP's come with a dedicated IP.
If your ISP does not provide it as part of the business package then order it as it will help with security in many ways.
 

comodo   Norton  DNY

Passwords to the website should be changed monthly or sooner and should be somewhat complex so a hacker can't guess it.

Also, they should be changed right away if you had to allow a software vendor or web technician to access the website to repair or upgrade the site.

Should you have to let go of any employee that has access or is suspect to have access you must change all passwords immediately.

A disgruntled employee is something to worry about and to be sure changing the passwords throughout your system is a good idea.

Do not send passwords over a message system such as Skype or your cell phone.

Do not email them over a non-secure email system.

If available for the website software you are using, add a Brute Force plugin / module.

This prevents a hacker from trying thousands of passwords to break into your site.
If the same person, identified by their IP address, fails more than x number of times on a login attempt they are locked out.

Do a search for brute force plugin or brute force module to see if there is one available for your software.

When setting up Brute Force enter your dedicated IP to the ignore list so you don't lock yourself out.
Also set it for three or four times as the limit of failed login attempts.

Install an SSL on your website so that when your login to the admin section you do so by a secure connection.  Make sure that when you navigate to the Admin login that the website automatically switches to the secure URL. This would be https:// verses http://
There are low cost SSL’s that are adequate for secure login which can be purchased for under $30.00
Unless you are also doing credit card sales through your website a higher priced SSL would be required.
The Comodo instant SSL which can be found for about $90 is good for money transactions.

Testing your SSL should be done after installing it and this can be done using this website testing tool -->   qualys ssl labs

Make sure your website does not allow users to view folders such as /images or /includes and any others that have no files you wish them to see.

This can be done in Linux by setting indexes in your .htaccess file as follows:   Options -Indexes

For Windows, which does not support that method, you need to disable directory browsing in the IIS Manager.

This will prevent users to view your files where you do not have an index file.
Another very simple way to do this is place a blank index file in the folder.
In notepad create a file named index.html and save it.
Copy that file to every folder where you do want visitors to view the files.
When a user go to that folder using this simple method they will see a blank page.

Software security problems take place every so often as software vendors try to keep pace with changes in technology.

When it is found that a new security issue has arisen the vendor will issue a patch to solve the problem.

Upgrading your software is a necessity for both your office PC's and the website software.

You must be sure that every PC is set to auto upgrade in the office.

Most popular website software like WordPress, Joomla or any other software used has online upgrade ability.

Some can be set to auto upgrade which may not be a good idea to do as sometimes upgrading your website may cause things to not work proper.

I suggest a manual upgrade so that you can quickly go back to a backup or quickly resolve the problem the upgrade caused.

Avoid mistakes when either adding new features or redesigning your website.

Software development should be done on a local PC or a different server.

After proper testing, backup your website and upload the new files.

Delete any older files which are not used anymore.

Many software developers make the mistake of moving the older version of the website to a folder named old or something like that.

This is often done also when manual upgrades are applied.

This is only ok if the old files are completely erased right away.

Making the mistake of leaving older versions of your website on your server / hosting account leaves a door wide open for a hacker.
 

Managing your hosting

The server where your website resides also must be updated with the latest patches.

If your website is on a shared server then this problem falls under the control of the hosting company.

Most hosting companies will provide a safe and secure environment for your website.

Things to check would be does your host provide a Mod security or similar firewall?

Does your host provide either a software or hardware firewall?

On a Windows server, a hardware firewall is highly recommended.

The newest version of PHP which is supported by your software should be used.

If your site resides on either a managed server or VPS hosting then you must have someone capable to manage the server.

This person must be able to update the server and install any patches on a daily basis.

The person you designate as your Admin must keep abreast of the latest security problems which can be found here http://www.cvedetails.com/

A check list is a good idea and one can be found here https://www.process.st/checklist/server-security-checklist/

In addition, scans, depending on the server OS, using anti-virus and a Root kit scanner.

Rkhunter is a good software for Linux or for Windows you can use TDSSKiller and Anti-Rootkit.

Only allow your dedicated IP the ability to FTP or SSH into the server.

Your server is your first line of defense and a well-maintained server which is setup properly and checked for updates daily will prevent a good percentage of hack attempts.
 

Last is proper backup.

Backing up your complete website daily with 7 days retention is a must.
This allows you to fall back any of the past seven days should a mishap take place.
I would prefer even more backups dating back further.

I hope this helps with you have a better understanding of the problems you face securing your website.

Read 307 times Last modified on Saturday, 15 July 2017 00:07

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

 

 

Website Tips Search

Registered User