It is now easier than ever to create a website for yourself or your business with the help of CMS platforms such as Wordpress, Joomla and Drupal. These feature-rich frameworks allow users of all abilities to have a website up and running in a matter of minutes. You can even create an e-commerce website in as little as a few hours.
Whilst being able to launch a website with little knowledge is great for personal and small business websites, it is important to learn about how to secure your website to avoid having your site hacked in the future.
- 65% of cyber-attacks target small / medium sized businesses
- There is a hacking attempt every 39 seconds
- Since 2013 there are 3,809,448 records stolen from breaches every day
You may think that as a personal blog owner, there is nothing on your website worth hacking and everything you add to the website is public so there is no need to secure the website, so why worry? The fact is the majority of hacks take place so the hacker can use the hosting platform you pay for! Hackers will use the platform to send out spam emails, host malware for download or even to hack other websites.
Tips on keeping your site secure
There are a number of steps you can take in order to keep your website and ultimately your data secured;
Keep your website up to date!
This is one of the most important things you can do to ensure the site stays secure. Most hacks are carried out by automated systems that scan the internet for vulnerabilities in outdated software. The automated tools then check the site against databases such as ‘WP Vuln DB’ which lists vulnerabilities in WordPress versions and plugins. There are similar databases for other CMS available. Keeping your site, plugins, themes etc up to date will ensure any vulnerabilities are patched as soon as they are found. Most CMS have an automatic update feature, enable this to increase security. If your updates do not happen automatically, it’s important to go into your website and update them.
Use unique passwords
For years now, hackers have compromised databases to siphon customers data. With this data the hackers can either sell the combination of email addresses and passwords for testing against other websites (Netflix, Clubcards, Your bank etc.) or simply sell the email addresses for spamming purposes. Nowadays most websites encrypt the passwords for storage, this is especially true for CMS such as Wordpress and Joomla. However, due to leaks in the past there are already billions of personal details available for use by malicious actors. You can see if your data is on any of these databases by searching your email address here: https://haveibeenpwned.com/.
This is why it is important to use unique passwords for each website, so if a 3rd party site is compromised and you are using the same username and password, the hacker cannot then login to your website.
If you have trouble remembering individual passwords, you may wish to use a password manager such as LastPass to increase the security. LastPass will store all your individual passwords and allow you to have (a crazy looking) 21-digit passwords but you only have to remember the password for LastPass. It goes without saying though, that you need to have a unique and strong password for LastPass too!
It is important to remember that whilst plugins are super useful and can provide functionality that is not available in the vanilla version of the CMS, these plugins are developed by individuals and are not vetted by the CMS developer for security or performance.
If you can avoid using plugins you should, for example the ‘Really Simple SSL plugin’ for WordPress is used to change WordPress to HTTPS://, however this can easily be done from within the settings section and likely takes less time to do than finding and installing the plugin.
There are 3 things you really need to lookout for when choosing a plugin:
- Last updated date – Constant updates will mean it is being actively worked on and any security issues will likely be resolved fairly quickly.
- The number of installs – If there are two plugins that do the same job and one plugin as 1 Million+ Installs and the other has 1,000 installs, it is more likely the plugin with the higher number of installs is not only more useful, but more secure.
- Trusted Sources – You should always use the official plugins where possible. If there are no official plugins for your requirements, ensure you follow the above points. Do not install pirated versions of plugins as these will more than likely contain malware to infect your site.
The security used on the login pages can affect the likelihood of attack by automated systems, such as brute force or logins from hacked databases. There are a number of steps you can take to secure the login page not only for yourself, but for your users as well.
Use 2 Factor Authentication (2FA) for the login page - 2FA means that once the username and password have been entered, the user is required to enter a second piece of information in order to continue. The second bit of information could be a text containing a unique code or an automated one-time password generator such as Yubikey. This will stop people from using stolen data to login.
Restrict login page access - If you are not expecting users to login to the website, you can IP restrict the login page so only your IP can access and login to the login page.
Do not use Shared accounts – It is important that each user to your website has their own login for accountability and monitoring purposes. If an unwanted change is made by shared user account, how do you find out which account made the change?
Install an SSL
Having an SSL will not stop hackers from attacking the website, however what it will do is protect the login page and any other data being entered on to the website (such as credit card details) being seen by anyone else on the network.
This is especially useful when using a public Wi-Fi point (coffee shop/public transport) as anyone else on the Wi-Fi network can see who is connected and in certain cases read the data being shared.
An analogy for this would be if you send a postcard in the post, there is nothing stopping the postman from reading the postcard. However, if you put the postcard in an envelope the postman would be unable to read it. Likewise, without an SSL you are sending the data in plaintext (on a postcard) however, if you install an SSL this puts the postcard in an envelope (encrypts the data) so it can only be read by the destination server (the website).
Conclusion (And reading material)
It is easy to get lost and become unsure of where to start when it comes to securing your website, the good news is, it is likely well documented online already and you just need to know what to look for. That is why I have included some search terms you can enter into Google (in bold) to learn about how to implement some of the changes I have talked about above.
How to enable automatic updates in *Enter your CMS here* - Learn how to enable automatic updates for your CMS (Wordpress, Joomla, Drupal etc.)
IP restrict *Enter your CMS here* login page – Learn how to use the .htaccess file to restrict the login to your IP only
LastPass – This is a great tool to manage password and allow you to use unique passwords without having to remember them.
How to implement 2FA on *Enter your CMS here* - Learn how to add a 2FA method into your website to secure yourself and your clients.
*Enter your CMS here* vulnerability database – See a list of all the vulnerabilities currently open for your CMS or any of your CMS plugins or themes.
If you have any questions, our support team are available 24/7. You can get in touch with us via support ticket, live chat or telephone, here.