5 things you can do in less than 30 minutes to increase website security
Watch a presentation from the Perfect Dashboard community webinar and learn a few tricks to increase the security of the websites you manage. You can watch the video here, and I have also included an overview below.
You may not realize that approximately 30,000 websites are hacked every single day. About 80% of websites run an outdated version of WordPress or Joomla, which makes them susceptible to hacking. That’s why it is really important to take every chance you get to increase your website’s security.
Change passwords and improve authentication
Keeping your password secure is a crucial step. If you are one of those people who use passwords such as “123456” or “password”, which are extremely easy to guess, then you are very likely to get hacked. Of course, long strings of random characters are very difficult to guess, but they are also hard to remember. That’s why it is best to come up with a password that is easy to remember but hard to guess, for example a long phrase or sentence known only to you that also contains punctuation, spaces and capital letters. Make sure to encourage customers and other users of the websites you manage to do the same!

Now let’s talk about Two-Factor Authentication. For those of you who don’t know, it is a technology that identifies users by combining two different components, such as a physical device or a code received on a mobile phone. There are plenty of tools that provide it, for example Rublon and the Two-Factor Authentication plugin for WordPress, or Google Authenticator and YubiKey for Joomla. It may seem time-consuming, as it requires you to enter information manually, but it will prove highly beneficial.

There are also some other precautions to take, such as putting HTTP basic authentication in front of the backend, limiting backend access to certain IP addresses, requiring HTTPS connections with HSTS, and managing multiple passwords with a password manager such as LastPass or 1Password.
Install Firewall and Malware Scanner
It would be best to have both of them on every website you manage. A Web Application Firewall protects your website against the vast majority of common attacks. For that we recommend CloudFlare for WordPress, Admin Tools and RS Firewall for Joomla, and Sucuri for both. A Malware Scanner is a tool that checks website files against a list of known malware and alerts you about any modifications. iThemes Security, Admin Tools and Sucuri are good examples of what you can use here. Remember that once a website is compromised, every piece of security software installed on that website can be compromised as well. That’s why you can’t fully trust anything installed on the same server as your website: when the website gets compromised, that software will be compromised too.
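The modification-alert half of a malware scanner can be reproduced in a few lines of shell. The following is an added example (not code from the post or from any of the scanners it names): it records a SHA-256 baseline of a web root and later reports every modified, added or deleted file. In line with the advice above, keep the baseline file somewhere other than the web server, so a compromised site cannot rewrite it.

```shell
#!/bin/sh
# Added example, not code from the post or from any scanner it names.
# Records a SHA-256 baseline of a web root and later reports every modified,
# added or deleted file. Keep the baseline OFF the web server: anything stored
# next to a compromised site can be tampered with as well.
# Assumes GNU coreutils (sha256sum) and a web root without spaces in file names.

fim_baseline() {            # fim_baseline <webroot> <baseline-file>
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

fim_check() {               # fim_check <webroot> <baseline-file>; returns 1 on any change
    root=$1; base=$2
    cur=$(mktemp) || return 2
    fim_baseline "$root" "$cur"
    # sha256sum lines look like "<hash>  ./path"; compare in both directions
    findings=$(awk '
        NR == FNR { base[$2] = $1; next }                 # first file: the baseline
        {
            if (!($2 in base))          print "ADDED    " $2
            else if (base[$2] != $1)    print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "DELETED  " p }
    ' "$base" "$cur")
    rm -f "$cur"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run `fim_check` from cron against the off-server copy of the baseline and regenerate the baseline only right after a deliberate, verified update.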
Make regular backups
It is not possible to be 100% secure. You can increase the level of security, but a backup is still your safe point of return in case something bad happens. When it comes to backups, the first important issue is backup frequency. Every website should be backed up regularly, and the frequency should depend on how often that website changes. For example, if there is a lot of activity on your website, such as posts and comments, you should consider a daily backup, but if it is more of a static site, you can go with a monthly backup. The second issue I will point out is backup storage. Remember that a backup should not be stored on the same server as the website, because if the website gets hacked or something else goes wrong, its backup may be lost too. Perfect Dashboard recommends storing your backups in our cloud, on AWS, or on any other external storage. The third and final issue concerning backups is backup integrity. You don’t have a backup unless it can be used for restoration. Our statistics show that 1 out of 10 backups fails integrity testing, usually due to errors while creating the backup archive or copying it over the Internet. You can see how to do a proper backup using Perfect Dashboard in the YouTube video included in this article (skip to 14:41).
Get rid of dangerous extensions and themes
Thousands of security bugs are discovered in extensions and themes every year. This applies to free as well as commercial and very popular ones you might not suspect. That is why you should always be ready for an update! You never know which extension or theme will require one tomorrow, or even today. To be prepared, check whether the developer uses the default updater to announce security releases (not all of them do), and also check whether the developer requires additional payment for access to updates.

Another point on this subject is that the source matters. Even a trusted extension from an untrusted source is a potential security threat. Four years ago at Perfect Dashboard we discovered that our Perfect Contact Form, as distributed on torrents, had malware injected into its code. So even though the extension itself never had any security issues, those users got hacked. You can read the full story here: Perfect Ajax Popup Contact Form: Free Download = Free virus

If there are any extensions from an unknown source on a website you manage, you should remove them and install fresh copies from a trusted, secure source, or at least run a Malware Scanner to make sure no additional code has been injected into them. Do not forget to get rid of unused extensions and themes, as they are still a potential threat to your website’s security. Removing them also improves website performance and reduces backup size. We suggest removing all unused Themes, Plugins and Widgets on WordPress websites, and all unused Components, Modules (not the instances), Plugins and Templates on Joomla websites.
Keep software up-to-date
You should keep your CMS updated along with its extensions and themes, but it is also important to keep server software up to date (even on shared hosting). For example, you should make sure that your PHP version is 5.5 or higher.
It is essential to know how to do an update. First of all you need to know that an update is required. Then you have to make a backup so that you have a safe point of return. We suggest turning off automatic updates for WordPress, as you may end up with a broken website and no backup to restore it from. Once you have a backup, you should verify its integrity. In some cases you will need to download the update files. After the update itself is performed, you still need to test your website to see if everything is okay and fix any errors. As you can see, this tedious process can be very exhausting, which is why we figured it could be automated! That is how Perfect Dashboard came into existence. You can see the whole update process performed using Perfect Dashboard in the YouTube video included in the article (skip to 26:34).
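The backup advice from the earlier section (checksum the archive, store it elsewhere, prove it restores) and the update procedure just described come together in the following added example, which is not Perfect Dashboard's code. The backup functions assume GNU tar and sha256sum; the update runbook additionally assumes a WordPress site with WP-CLI (`wp`) installed and a site URL you supply, and it refuses to touch the site without a verified backup.

```shell
#!/bin/sh
# Added example, not Perfect Dashboard's code. Two pieces: a backup that only
# counts once it has been verified, and an update runbook that refuses to touch
# the site without such a backup. Assumes GNU tar and sha256sum; the runbook
# additionally assumes a WordPress site and WP-CLI ("wp") on the PATH.

site_backup() {            # site_backup <webroot> <dest-dir>  -> prints archive path
    root=$1; dest=$2
    archive="$dest/site-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    # relative paths inside the archive; a real job adds a database dump as well
    tar -czf "$archive" -C "$root" . || return 1
    ( cd "$dest" && sha256sum "${archive##*/}" > "${archive##*/}.sha256" ) || return 1
    printf '%s\n' "$archive"
}

verify_backup() {          # verify_backup <archive> [<webroot>]  -> 0 only if restorable
    archive=$1; root=$2
    # the checksum catches corruption while the archive is copied to off-site storage
    ( cd "${archive%/*}" && sha256sum -c --quiet "${archive##*/}.sha256" ) || return 1
    # a backup you cannot extract is not a backup: do a trial restore
    tmp=$(mktemp -d) || return 1
    tar -xzf "$archive" -C "$tmp" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    rc=0
    [ -n "$root" ] && { diff -r "$root" "$tmp" >/dev/null 2>&1 || rc=1; }
    rm -rf "$tmp"
    return $rc
}

safe_update() {            # safe_update <webroot> <backup-dir> <site-url>
    root=$1; dest=$2; url=$3
    # 1. find out whether anything is actually pending (keep only the digits of the count)
    core=$(wp --path="$root" core check-update --format=count 2>/dev/null | tr -cd '0-9')
    plugins=$(wp --path="$root" plugin list --update=available --format=count 2>/dev/null | tr -cd '0-9')
    [ "${core:-0}" -eq 0 ] && [ "${plugins:-0}" -eq 0 ] && { echo "nothing to update"; return 0; }
    # 2-3. back up, then prove the backup restores, before changing anything
    a=$(site_backup "$root" "$dest") && verify_backup "$a" "$root" || return 1
    # 4. apply the updates (core first, then plugins)
    wp --path="$root" core update && wp --path="$root" plugin update --all || return 1
    # 5. smoke test: the front page must still answer; otherwise restore from $a
    curl -sSf -o /dev/null "$url" || { echo "site broken after update, restore $a"; return 1; }
}
```

Copy the archive and its `.sha256` sidecar off the server and run `verify_backup` on the copy, since an archive that only verifies where it was created has not been tested against transfer errors.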
You can see the actual presentation here:
5 Things You Can Do In Less Than 30 Minutes To Increase Website Security
Following these 5 steps will help you significantly increase your websites’ security. I hope we were helpful, and don’t forget to share your knowledge with other people to make our community safer!