How can I make my website more secure?

Hacking is often opportunistic and driven by "easy targets". Therefore, it is important to take precautions to secure your website and other online services to make it as difficult as possible for hackers to access your data.

Here are some ways you can protect your website.

Keep your software up to date

Software code can contain flaws that can be exploited maliciously. By always running the most up-to-date version, you benefit from the continued vigilance of the software's creators in identifying and removing such issues. You can search for known vulnerabilities in software at http://web.nvd.nist.gov/view/vuln/search or http://www.securityfocus.com/bid. Your best bet is to follow the security mailing lists and announcements for the software you're using to run your website, and always stay current with the latest stable versions.

Limit access

It's important to limit access to the back end of your site to a "need to know" group. You can build the site so that access to individual processes is restricted. It's common practice to harden, or lock down, access so that only the resources that need it have it. The Web is chock-full of hardening guides, like this one if you're running a WordPress site. Harden your site at all three levels: the operating system, the web server, and the web application itself.

Make your passwords strong

We all know how difficult it's becoming to remember the seemingly endless list of passwords we need to operate online. But it's important to remember that an insecure password is like leaving your front door open and your wallet on the table. Make sure you're not using the default password, and choose a password that is difficult to guess. If you're logging in over an insecure protocol like HTTP or FTP, your password is sent "in the clear", making it easy to intercept, especially over public Wi-Fi networks. Yes, it might be convenient to update your website from an airport lounge or a coffee shop, but it has become far too easy to get your passwords compromised in such places, so avoid it where possible.

Monitor your site

It's easy to assume that everything on the site is running smoothly, but how often do you check it? The very last thing you want to hear from a customer is that your site has been compromised - if something happens, it's best that you know about it first.

Your site could also have been exploited to host malware and viruses without anything looking wrong at all. To help with those really difficult cases where your site was hacked but does not appear hacked, use Google Safe Browsing to detect hidden malware on your pages.
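A site that has been quietly modified often looks normal to visitors, so one practical way to notice it is to record a hash of every file while the site is known to be clean and re-check it regularly. The script below is an added example, not part of the original article; it assumes a simple web root of static and PHP files and stores the baseline outside that web root, and the sample site it builds in demo() is constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large uploads are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(webroot: Path) -> dict:
    """Map every file under the web root (relative path) to its SHA-256."""
    return {str(p.relative_to(webroot)): hash_file(p)
            for p in sorted(webroot.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """List files that appeared, vanished or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }

def check_site(webroot: str, baseline_file: str) -> dict:
    """Compare the live web root with the baseline JSON saved from a known-clean state."""
    baseline = json.loads(Path(baseline_file).read_text())
    return compare(baseline, build_baseline(Path(webroot)))

def demo() -> dict:
    """Constructed sample site: take a baseline, then make two changes a visitor would never see."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "htdocs"
        webroot.mkdir()
        (webroot / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (webroot / "css").mkdir()
        (webroot / "css" / "style.css").write_text("body { color: black; }\n")
        baseline_file = Path(tmp) / "baseline.json"  # kept outside the web root
        baseline_file.write_text(json.dumps(build_baseline(webroot)))
        # Simulated tampering: an appended HTML comment and a file nobody deployed.
        with (webroot / "index.php").open("a") as fh:
            fh.write("<!-- constructed: unexpected addition -->\n")
        (webroot / "unexpected.php").write_text("<?php /* constructed */ ?>\n")
        return check_site(str(webroot), str(baseline_file))
```

Run check_site() from a scheduled job against a baseline taken right after a clean deployment, and treat any non-empty "added" or "modified" list that you did not cause yourself as a reason to investigate the server logs.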

Back up your site

Sometimes the best course of action, if your site has been compromised, is to restore a backup version that you know is clean. To make this viable, you need to make creating a backup of the files, content and database a part of your regular maintenance process.

If you find that your site has been compromised and you cannot clean it (a web developer can help with this), the best course of action is to take down the current version, revert to a backup, and then spend some time looking over the server logs to work out how the weakness was exploited. You can then make corrections to your software and site structure to prevent this from happening again.

If you find your site has been attacked, you should consider taking the following steps:

  • Reset your control panel password
  • Contact your web developer and discuss the situation - they will check the logs to determine how the site was hacked and make changes as required