Having a website has become easier than ever due to the proliferation of great tools and services in the web development space. Content management systems (CMS) like WordPress, Joomla!, Drupal, Magento, and others allow business owners to build an online presence rapidly. The CMS’s highly extensible architectures, rich plugins, and effective modules have reduced the need to spend years learning web development before starting to build a website.
The ease of launching an online business or personal website is great. However, there are some negative side effects. We see many webmasters who do not understand how to make sure their website is secure. There is a misunderstanding when it comes to the importance of securing their website, and whose responsibility it is.
Today, let’s see what are the top 10 steps all website owners should take to keep their website secure.
This is something we cannot stress enough here at Sucuri. Countless websites are compromised every day due to outdated and insecure software.
It is incredibly important to update your site as soon as a new plugin or CMS version is available. Those updates might just contain security enhancements or patch a vulnerability.
Most website attacks are automated. Bots are constantly scanning every site they can for any exploitation opportunities. It is no longer good enough to update once a month or even once a week because bots are very likely to find a vulnerability before you patch it.
This is why we recommend using a website firewall, which will virtually patch the security hole as soon as updates are released.
If you have a WordPress website, I personally recommend the plugin ‘WP Updates Notifier‘. It emails you to let you know when a plugin or WordPress core update is available.
Having a secure website depends a lot on your security posture. Have you ever thought of how the passwords you use can threaten your website security?
In order to clean up infected websites, we often need to log into a clients’ site or server using their admin user details. It is shocking how insecure root passwords can be. With logins like admin/admin you might as well not have any password at all.
There are many lists of breached passwords online. Hackers will combine these with dictionary word lists to generate even larger lists of potential passwords. If the passwords you use are on one of those lists, it is just a matter of time before your site is compromised.
Our tips for you to have a strong password are:
These brilliant tools store all your passwords in an encrypted format and can easily generate random passwords at the click of a button. Password managers make it possible to use strong passwords by taking away the work of memorizing weaker ones or jotting them down.
We understand that hosting many websites on a single server can seem ideal, especially if you have an ‘unlimited’ web hosting plan. Unfortunately, this is one of the worst security practices we commonly see. Hosting many sites in the same location creates a very large attack surface.
You need to be aware that cross-site-contamination is very common. It’s when a site is negatively affected by neighboring sites within the same server due to poor isolation on the server or account configuration.
For example, a server containing one site might have a single WordPress install with a theme and 10 plugins that can be potentially targeted by an attacker. If you host 5 sites on a single server now an attacker might have three WordPress installs, two Joomla installs, five themes and 50 plugins that can be potential targets. To make matters worse, once an attacker has found an exploit on one site, the infection can spread easily to other sites on the same server.
Not only can this result in all your sites being hacked at the same time, it also makes the cleanup process much more time consuming and difficult. The infected sites can continue to reinfect one another, causing an endless loop.
After the cleanup is successful, you now have a much larger task when it comes to resetting your passwords. Instead of just one site, you have a number of them. Every single password associated with every website on the server must be changed after the infection is gone. This includes all of your CMS databases and File Transfer Protocol (FTP) users for every single one of those websites. If you skip this step, the websites could all be reinfected again and you are back to square one.
This rule only applies to sites that have multiple users or logins. It’s important that every user has the appropriate permission they require to do their job. If escalated permissions are needed momentarily, grant it. Then reduce it once the job is complete. This is a concept known as Least Privileged.
For example, if someone wants to write a guest blog post for you, make sure their account does not have full administrator privileges. Your friend’s account should only be able to create new posts and edit their own posts because there is no need for them to be able to change website settings.
Having carefully defined user roles and access rules will limit any mistakes that can be made. It also reduces the fallout of compromised accounts and can protect against the damage done by ‘rogue’ users. This is a frequently overlooked part of user management: accountability and monitoring. If multiple people share a single user account and an unwanted change is made by that user, how do you find out which person on your team was responsible?
Once you have separate accounts for every user, you can keep an eye on their behavior by reviewing logs and knowing their usual tendencies, like when and where they normally access the website. This way, if a user logs in at an odd hour, or from a suspicious location, you can investigate.
Keeping audit logs are vital to keeping on top of any suspicious change to your website. An audit log is a document that records the events in a website so you can spot anomalies and confirm with the person in charge that the account hasn’t been compromised.
We know that it may be hard for some users to perform audit logs manually. If you have a WordPress website, you can use our free Security Plugin that can be downloaded from the official WordPress repository.
Today’s CMS applications (although easy to use) can be tricky from a security perspective for the end users. By far the most common attacks against websites are entirely automated. Many of these attacks rely on users to have only default settings.
This means that you can avoid a large number of attacks simply by changing the default settings when installing your CMS of choice.
For example, some CMS applications are writeable by the user – allowing a user to install whatever extensions they want.
There are settings you may want to adjust to control comments, users, and the visibility of your user information. The file permissions, (which we will discuss later) are another example of a default setting that can be hardened.
You can either change these default details when installing your CMS or later, but don’t forget to do it.
The CMS applications extensibility is something webmasters usually love, but it can also pose one of the biggest weakness. There are plugins, add-ons, and extensions that provide virtually any functionality you can imagine. But how do you know which one is safe to install?
Here are the things I always look for when deciding which extensions to use:
Having a hacked website is not something you would like to experience, but you don’t want to be caught off guard in case the worst happens.
Having website backups is crucial to recovering your website from a major security incident. Though it shouldn’t be considered a replacement for having a website security solution, a backup can help recover damaged files.
A good backup solution should fulfill the following requirements:
Get to know your web server configuration files:
Most often found in the root web directory, server configuration files are very powerful. They allow you to execute server rules, including directives that improve your website security.
If you aren’t sure which web server you use, run your website through Sitecheck and click the Website Details tab.
Here are a few rules that I recommend you research and add for your particular web server:
SSL is the acronym for Secure Sockets Layer. It is the standard security technology for establishing an encrypted link between a web server and a browser.
I was hesitant to include SSL as a tip to improve your website security because there is a lot of misleading information suggesting that installing SSL will solve all your security issues.
Let’s be clear: SSL does nothing to protect your site against malicious attacks and does not stop it from distributing malware.
We have written a blog post to explain the difference between SSL and website security.
SSL encrypts communications between Point A and Point B – aka the website server and visitor’s browser. This encryption is important for one specific reason. It prevents anyone from being able to intercept that traffic, known as a Man in the Middle (MITM) attack. SSL is a great way to protect passwords and credit card info (as well as other sensitive data) and initiatives like Let’s Encrypt have made it freely accessible.
With the push from Google to label HTTP website as “Not Secure”, SSL is crucial for all websites. Forcing HTTPS is unavoidable for e-commerce websites and for any website that accepts form submissions with sensitive user data or Personally Identifiable Information (PII).
The SSL certificate protects your visitors’ information in transit, which in turn protects you from the fines and legal issues that come along with being found noncompliant with PCI DSS.
If you are thinking about installing SSL on your site, you can follow our guide to learn more.
File permissions define who can do what to a file.
Each file has 3 permissions available and each permission is represented by a number:
If you want to allow multiple permissions, simply add the numbers together, e.g. to allow read (4) and write (2) you set the user permission to 6. If you want to allow a user to read (4), write (2) and execute (1) then you set the user permission to 7.
There are also 3 user types:
So, if you want the owner to have read & write access, the group to have only-read access, and the public to have no access, the file permission settings should be:
When you view the file permissions this will be shown as 640.
Folders also have the same permissions structure. The only difference is that the ‘execute’ flag allows you to make the directory your working directory. You will usually want this on.
Most CMS installs have all the permissions correctly configured by default. So why did I just spend so much time explaining how permissions work? When searching for solutions to permissions errors, all over the web you will find misinformed people advising you to change file permissions to 666 or folder permissions to 777.
This advice will usually fix any permissions errors, but it is terrible advice from a security perspective.
If you set a file permission to 666 or folder permission to 777 you have just allowed *anyone* to insert malicious code or delete your files!
If you follow these relatively simple steps you will increase the security of your website. While these steps alone will not guarantee that your site is never hacked, following them will stop the vast majority of automated attacks, reducing your overall risk posture.
Being aware of these issues and understanding them will provide you with valuable insight into how the underlying technology works. It will also help to make you a better webmaster/site operator.