10 Ways to Protect Your Website from Hackers
The other day, there was a rumour that it was a hack that caused the worldwide Zuckerberg Apps shutdown. Who knows?
Why do people get hacked?
It is important to understand that websites are compromised literally all of the time. The majority of security breaches are not meant to steal your data or deface your website; instead, the intention is to use your server as an email relay for spam, or to set up a temporary web server from which to serve files that are illegal in nature.
That being said, you’ll need to protect your website from hackers – just in case. How?
How to protect your website from hackers
1. Update your site.
If you’re using WordPress, they make it easy by releasing security patches every once in a while. Do not leave them unapplied. Always UPDATE. One of the biggest issues is that, because WordPress is such a popular CMS, there’s a lot of knowledge out there about how to compromise it and exploit security holes.
If the reason behind the update is a security vulnerability, delaying an update exposes you to attack in the interim period.
Hackers can scan thousands of websites an hour looking for vulnerabilities that will allow them to break in.
2. Limit access control.
How many people have access to your admin page? How many can upload? This is very important. Also, enforce user names and passwords that cannot be guessed. Change the default database prefix from “wp6_” to something random and harder to guess. Limit the number of login attempts within a certain time, and apply the same limit to password resets, because email accounts can be hacked as well.
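One way to limit attempts within a time window, shown as an added example that is not part of the original post. The class name, the limit of 5 attempts per 15 minutes and the in-memory storage are assumptions of this sketch; the same limiter is meant to sit in front of both the login form and the password-reset form.

```python
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5        # assumed policy: at most 5 attempts ...
WINDOW_SECONDS = 900    # ... in any 15-minute window


class AttemptLimiter:
    """Sliding-window counter shared by login and password-reset requests."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)   # key -> timestamps of recent attempts

    def allow(self, username: str, ip: str) -> bool:
        """Record an attempt; return False once either key is over the limit."""
        now = self.clock()
        # Count per account and per source address separately, so guessing
        # spread over many addresses and one address trying many accounts
        # are both limited.
        keys = (("user", username.strip().lower()), ("ip", ip))
        allowed = True
        for key in keys:
            hits = self._hits[key]
            while hits and now - hits[0] >= self.window:
                hits.popleft()            # forget attempts outside the window
            if len(hits) >= self.max_attempts:
                allowed = False
        if allowed:
            for key in keys:
                self._hits[key].append(now)
        return allowed
```

Call `allow()` before checking the password or sending a reset email, and answer with a generic "try again later" when it returns False.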
3. Install security applications.
There are some free software/WordPress apps that will help you protect your website from hackers. I wrote about them here.
4. Use SSL/HTTPS
SSL stands for Secure Sockets Layer, a security protocol that creates an encrypted link between a web server and a web browser. Companies and organizations need to add SSL certificates to their websites to secure online transactions and keep customer information private and secure.
Use an encrypted SSL protocol to transfer users’ personal information between the website and your database. This will prevent the information from being read in transit and accessed without the proper authority.
While an SSL certificate has always been essential for eCommerce websites, having one has recently become important for all websites. In July 2018, Google released a Chrome security update that alerts website visitors if your website doesn’t have an SSL certificate installed. That makes visitors more likely to bounce, even if your website doesn’t collect sensitive information.
5. Go Wild with Passwords.
Complex passwords are wise, but not everyone heeds this advice. Using strong passwords is crucial for your server and website admin areas, but it is equally important to insist that users (if you have a membership website, for instance) follow good password practices in order to maintain the security of their accounts.
Enforce password rules that require a minimum of eight characters, including at least one numerical digit and one uppercase letter, to better protect users’ information.
6. Back up EVERYTHING
Honestly, even if you do steps 1 – 5, human error is still bound to happen. So one of the best ways to protect your website from hackers is to BACK UP EVERYTHING.
I wrote about how to back up your WordPress website here.
While a data breach will be stressful no matter what, when you have a current backup, recovering is much easier. You can make a habit out of manually backing your website up daily or weekly. But if there’s even the slightest chance you’ll forget, invest in automatic backups. It’s a cheap way to buy peace of mind.
Back up on-site, back up off-site, back up everything multiple times a day.
7. Do you really need File Uploads?
File uploads are a major concern. No matter how thoroughly the system checks them out, bugs can still get through and allow a hacker unlimited access to your site’s data. The best solution is to prevent direct access to any uploaded files.
When anyone has the option to upload something to your website, they could abuse the privilege by loading a malicious file, overwriting one of the existing files important to your website, or uploading a file so large it brings your whole website down.
But eliminating file uploads isn’t an option for all websites. Some types of businesses, like accountants or healthcare providers, need to give customers a way to securely provide documents.
If you need to allow file uploads, take a few steps to make sure you protect yourself:
- Create a whitelist of allowed file extensions. By specifying which types of files you’ll accept, you keep suspicious file types out.
- Use file type verification. Hackers try to sneakily get around whitelist filters by giving a file an extension that doesn’t match its actual type, or by adding dots or spaces to the filename.
- Set a maximum file size. Avoid distributed denial of service (DDoS) attacks by rejecting any files over a certain size.
- Scan files for malware. Use antivirus software to check all files before opening.
- Automatically rename files upon upload. Hackers won’t be able to re-access their file if it has a different name when they go looking for it.
- Keep the upload folder outside of the webroot. This keeps hackers from being able to access your website through the file they upload.
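The checks in the list above, combined into one validation function as an added example that is not part of the original post. The size limit, the `/srv/uploads` directory and the set of allowed types are assumptions of this sketch; malware scanning is left to a separate tool.

```python
import os
import secrets

MAX_BYTES = 5 * 1024 * 1024   # assumed size limit (5 MiB)
UPLOAD_DIR = "/srv/uploads"   # hypothetical directory outside the webroot
# Whitelist: allowed extension -> leading bytes the content must start with.
ALLOWED = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


class UploadRejected(ValueError):
    """Raised when an upload fails one of the checks."""


def validate_upload(client_name: str, data: bytes) -> str:
    """Check an upload and return the server-side path to store it under."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Drop any directory part sent by the client, then refuse names padded
    # with trailing dots or spaces, or containing NUL bytes.
    name = os.path.basename(client_name.replace("\\", "/"))
    if name != name.rstrip(". ") or "\x00" in name:
        raise UploadRejected("suspicious filename")
    stem, dot, ext = name.rpartition(".")
    ext = ext.lower()
    if not dot or not stem or ext not in ALLOWED:
        raise UploadRejected("extension not allowed")
    # File type verification: the content must match the claimed extension.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # Server-chosen random name; the client's name is never used on disk.
    return os.path.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{ext}")
```

Because the stored name is random and the directory is not served by the web server, downloads have to go through your own code, which can check who is asking before returning the file.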
8. Choose good themes and plugins.
To protect your website from hackers, we strongly advocate the use of good plugins and themes for your website. ‘Good’ is relative, but for us, good is:
- A plugin/theme that consistently releases updates, and keeps patching any vulnerability
- Plugins/themes developed by reputable developers and brands. If you’re buying from a marketplace, make sure you trust the developer and not just the marketplace
- Plugins/themes with active installations
- Paid plugins and themes. Paid plugin vendors spend more time and money on finding and patching vulnerabilities. If you’re on a very tight budget, then a free plugin will make more sense. But if you’re worried about your website’s security, we highly recommend using premium themes and plugins instead.
9. Protect your website from hackers by using good Hosting
Everyone knows I’m a huge fan of InMotion Hosting. Very overpriced, I admit, but the peace of mind I get is unrivalled.
Read about InMotion Hosting here.
10. Regular Security Checks
Regular security checks will help uncover unsafe practices as well as potential vulnerabilities in your website. By keeping an eye on the happenings of your website (via an activity log, or by reviewing users, for example), you will save yourself a ton of grief in the long term.