Websites are compromised every day, and even the most secure website can be hacked. The main reason is that many website owners feel their website does not contain vital information and so see no need for website security. Most of the websites that are hacked are used to set up a temporary web server, or your server is used as an email relay for spam, normally to serve files of an illegal nature. Hacking is usually carried out by automated scripts written to scour the Internet in an attempt to exploit known security issues in software.
Content management systems (CMSs) such as Joomla, Drupal, OpenCart and many others let you build an efficient online presence quickly. These CMSs consist of highly extensible architectures, modules, extensions and rich plugins, which make it easy to build a website and keep it running within a short period of time. Unfortunately, some webmasters do not understand how to make their website secure, or do not even know the importance of website security.
Here are some security tips to help keep you and your site safe online.
- Software Update
Keep all your software up to date; this helps secure your website. This includes any software installed on the site, especially for sites built with a CMS or forum software, and the server operating system.
If your site uses a managed hosting solution from a hosting company, then you do not need to worry so much about applying security updates for the operating system, as the hosting company should take care of these updates.
If your site uses third-party software such as a CMS, then you need to update quickly or apply the security patches. CMS vendors usually have a mailing list or RSS feed detailing any website security issues. As soon as a mail about a security patch is sent to you, do not hesitate to apply it.
Update as soon as an update is released unless you are running a website firewall, because many websites have been compromised due to a lack of software updates.
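Following a vendor's advisory feed only helps if someone actually compares it with what is installed. The script below is an added example, not code from the original article or from any CMS vendor: it parses an RSS feed of security advisories, pulls the "fixed in" version out of each item's title, and reports which installed components are older than the fix. The feed format, the advisory titles, the component inventory and the "fixed in" wording are all constructed for the example; a real vendor feed will need its own title pattern.

```python
"""Compare installed CMS/plugin versions against a vendor security feed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (not a real vendor feed). The advisory ids and the
# "fixed in X.Y.Z" phrasing in the titles are assumptions of this example.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Example CMS security announcements (constructed)</title>
  <item>
    <title>[EXAMPLE-CMS-SA-001] Core: SQL injection, fixed in 3.9.2</title>
    <link>https://cms.example/advisories/001</link>
  </item>
  <item>
    <title>[EXAMPLE-CMS-SA-002] Plugin gallery: file upload, fixed in 1.4.0</title>
    <link>https://cms.example/advisories/002</link>
  </item>
  <item>
    <title>[EXAMPLE-CMS-SA-003] Plugin forms: XSS, fixed in 2.0.1</title>
    <link>https://cms.example/advisories/003</link>
  </item>
</channel></rss>
"""

# Constructed inventory of what is installed on the site (component -> version).
INSTALLED = {"core": "3.9.1", "gallery": "1.4.0", "forms": "1.8.5"}

TITLE_RE = re.compile(
    r"^\[(?P<id>[^\]]+)\]\s+(?P<component>Core|Plugin \w+):.*?fixed in (?P<fixed>[\d.]+)"
)


def parse_version(text):
    """'3.9.2' -> (3, 9, 2) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_feed(xml_text):
    """Return a list of (advisory_id, component, fixed_version, link) from the feed."""
    root = ET.fromstring(xml_text)
    advisories = []
    for item in root.iter("item"):
        match = TITLE_RE.match(item.findtext("title", ""))
        if not match:
            continue  # item does not name a fixed version; nothing to compare
        component = match.group("component").lower().replace("plugin ", "")
        advisories.append(
            (match.group("id"), component, match.group("fixed"), item.findtext("link", ""))
        )
    return advisories


def outdated_components(installed, advisories):
    """Advisories whose fixed version is newer than the installed version."""
    hits = []
    for adv_id, component, fixed, link in advisories:
        current = installed.get(component)
        if current is None:
            continue  # component not installed here, advisory does not apply
        if parse_version(current) < parse_version(fixed):
            hits.append({"advisory": adv_id, "component": component,
                         "installed": current, "fixed_in": fixed, "link": link})
    return hits


if __name__ == "__main__":
    for hit in outdated_components(INSTALLED, parse_feed(SAMPLE_FEED)):
        print(f"{hit['component']}: installed {hit['installed']}, fixed in "
              f"{hit['fixed_in']} ({hit['advisory']}) {hit['link']}")
```

Run from cron against the real feed URL (fetched with `urllib.request`) and the output becomes the daily "patch these now" list; the version tuple comparison matters because a plain string comparison would rank "3.10.0" below "3.9.2".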
- Error Messaging
When enabling error messages, be careful about how much information you give away to your users. Show users minimal errors, and make sure error output does not give away secrets present on your server, such as the database password. Do not give details that make complex attacks like SQL injection far easier. Show users only the information they need; keep the other details from them.
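The difference between a leaky and a minimal error page in working code. This is an added example, not code from the original article: a request handler hits a constructed database connection failure whose message carries the database password, as careless driver configuration can. The leaky handler echoes the exception to the user; the safe handler returns a generic message with a reference id and keeps the details in the server-side log, which is simulated here with an in-memory buffer.

```python
"""Minimal error messaging: keep details in the server log, not on the page."""
import io
import logging
import uuid

LOG_BUFFER = io.StringIO()  # stands in for the server-side error log file
log = logging.getLogger("site")
log.setLevel(logging.ERROR)
log.addHandler(logging.StreamHandler(LOG_BUFFER))
log.propagate = False


class DatabaseError(Exception):
    pass


def connect_db():
    # Constructed failure. Real driver messages often include host, user and
    # database name, and careless configuration can leak the password too.
    raise DatabaseError("connect failed: host=db.internal user=site password=S3cretPw db=shop")


def leaky_handler():
    """What not to do: the user receives the full exception text."""
    try:
        connect_db()
        return 200, "ok"
    except DatabaseError as exc:
        return 500, f"Error: {exc}"


def safe_handler():
    """Generic message for the user; traceback and details go to the log only."""
    try:
        connect_db()
        return 200, "ok"
    except DatabaseError:
        ref = uuid.uuid4().hex[:12]  # lets the admin find this event in the log
        log.exception("request failed, ref=%s", ref)
        return 500, f"Something went wrong. Please try again later. Reference: {ref}"


if __name__ == "__main__":
    print("leaky:", leaky_handler())
    print("safe: ", safe_handler())
    print("server log:\n" + LOG_BUFFER.getvalue())
```

For PHP-based CMSs such as Joomla and Drupal the same split is done in php.ini with `display_errors = Off` and `log_errors = On`, so that the traceback reaches the log file but never the browser.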
- Passwords
Many website owners log in to their admin panel with the username admin and the password admin. This is not a good combination; it is easily guessed by hackers.
If you need a strong password, check its strength, because there are many misconceptions about strong password generation. A good password is a combination of letters (upper and lower case), numbers and non-alphanumeric characters.
You do not have to worry about remembering a long password with a strong combination; password managers like LastPass (online) and KeePass (offline) can help manage your passwords. You can read more on password security and choosing a strong password.
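The criteria above turned into a checker, plus a generator that produces passwords meeting them. This is an added example, not code from the original article: `check_password()` applies the article's rule (upper case, lower case, digits, non-alphanumeric characters) together with a minimum length and a small block-list of common passwords, both of which are assumptions since the article gives no number and no list; `generate_password()` draws from the `secrets` module so the result is unpredictable, which `random` would not guarantee.

```python
"""Check password strength against the article's criteria and generate strong ones."""
import secrets
import string

MIN_LENGTH = 12  # assumption: the article gives no minimum length
# Constructed sample of common passwords; a real deployment uses a large breach list.
COMMON = {"admin", "password", "123456", "qwerty", "letmein", "welcome"}


def check_password(pw):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no non-alphanumeric character")
    if pw.lower() in COMMON:
        problems.append("common password")
    return problems


def generate_password(length=20):
    """Random password from letters, digits and punctuation that passes check_password()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):  # retry the rare draw missing a character class
            return pw


if __name__ == "__main__":
    for candidate in ("admin", "OnlyLettersHere!!", "Tr0ub4dor&3x9Qz"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
    print("generated:", generate_password(24))
```

The generated strings are meant to live in a password manager such as the ones mentioned above, not to be memorised; that is what makes the length affordable.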
- One site to Single server
Do not host numerous sites on a single server; this is a bad security practice that is very common. Hosting many sites in one location creates a huge attack surface.
If you host many sites in one location, all of them can be hacked at the same time, and it also makes the cleanup process time-consuming and difficult. One exploit on one site can affect the other sites, and the infected sites can reinfect one another in an endless loop.
- Website Security Tools
After you have done everything you can to secure your site, the next step is to test your website's security. There are several ways to do this, but the most effective is to use website security tools in what is referred to as penetration testing.
Many website security tools exist that can help you do the testing, both commercial and free. The testing works by trying all the known exploits and attempting to compromise your site using SQL injection or other methods.
Some website security tools include Nmap, OWASP, Wapiti and many more.
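Tool output is only useful once someone reviews it against what the site is supposed to expose. The script below is an added example, not code from the original article or from the Nmap project: it reads Nmap's XML output (the `-oX` option) from a scan of your own server and lists every open TCP port that is not on an allow-list of intended services. The scan result is constructed for the documentation address 203.0.113.10, and the allow-list of ports 22, 80 and 443 is an assumption about what such a site should expose.

```python
"""Review your own Nmap scan output: which open ports are not on the allow-list?"""
import xml.etree.ElementTree as ET

# Constructed Nmap XML output, trimmed to the elements this example reads.
SAMPLE_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 203.0.113.10">
<host>
<status state="up" reason="echo-reply"/>
<address addr="203.0.113.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="http" product="nginx" tunnel="ssl"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" product="MySQL"/></port>
<port protocol="tcp" portid="8080"><state state="closed" reason="reset"/><service name="http-proxy"/></port>
</ports>
</host>
</nmaprun>
"""

# Assumption: the site should expose only SSH and the web server.
EXPECTED = {"203.0.113.10": {22, 80, 443}}


def parse_nmap_xml(xml_text):
    """Return {address: {port: service_name}} covering open TCP ports only."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue  # closed/filtered ports and non-TCP entries are not exposure
            service = port.find("service")
            name = service.get("name", "?") if service is not None else "?"
            open_ports[int(port.get("portid"))] = name
        hosts[addr_el.get("addr")] = open_ports
    return hosts


def unexpected_open_ports(hosts, expected):
    """Open ports per host that the allow-list does not cover."""
    findings = {}
    for addr, ports in hosts.items():
        extra = sorted(p for p in ports if p not in expected.get(addr, set()))
        if extra:
            findings[addr] = extra
    return findings


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_SCAN)
    for addr, ports in unexpected_open_ports(hosts, EXPECTED).items():
        for p in ports:
            print(f"{addr}: port {p} ({hosts[addr][p]}) is open but not expected; "
                  "firewall it or bind the service to localhost")
```

In the constructed scan the database port 3306 is reachable from outside, which is exactly the kind of loophole the testing is meant to surface before an attacker's script does; the fix is a firewall rule or binding MySQL to 127.0.0.1, not hiding the finding.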
- User Access
This user access rule applies to sites with multiple user logins. Give every user permissions based on what that user is meant to do, and once the job is completed, reduce the escalated permissions.
Give each user their own account: if people share a user account and an unwanted change is made by that account, how do you find out which person on your team was responsible? Individual accounts let you keep an eye on every user's behaviour by reviewing logs.
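The three points above (permissions tied to the job, escalation that is taken away again, and one account per person so logs name the responsible individual) in one small access-control model. This is an added example, not code from the original article or from any CMS: the role table is an assumption made for a CMS-style site, timestamps are passed in as plain seconds so the behaviour is deterministic, and the audit list stands in for the server's log.

```python
"""Per-user accounts, least privilege with expiring escalation, and an audit trail."""

# Assumption: a small role model for a CMS-style site.
ROLE_PERMISSIONS = {
    "author": {"post:create", "post:edit_own"},
    "editor": {"post:create", "post:edit_own", "post:edit_any", "post:publish"},
    "admin": {"post:create", "post:edit_own", "post:edit_any", "post:publish",
              "user:manage", "plugin:install"},
}


class AccessControl:
    def __init__(self):
        self.users = {}    # username -> role; one account per person
        self.grants = {}   # (username, permission) -> expiry time in seconds
        self.audit = []    # (time, username, action, outcome): stands in for the log

    def add_user(self, username, role):
        self.users[username] = role

    def _can_manage(self, username):
        return "user:manage" in ROLE_PERMISSIONS.get(self.users.get(username), set())

    def grant_temporary(self, granter, username, permission, now, ttl_seconds):
        """Escalate one user for a limited time; the grant and who made it are logged."""
        if not self._can_manage(granter):
            self.audit.append((now, granter, f"grant {permission} to {username}", "denied"))
            return False
        self.grants[(username, permission)] = now + ttl_seconds
        self.audit.append((now, granter, f"grant {permission} to {username} for {ttl_seconds}s", "ok"))
        return True

    def revoke(self, granter, username, permission, now):
        """Drop the escalated permission as soon as the job is done."""
        if not self._can_manage(granter):
            return False
        if self.grants.pop((username, permission), None) is None:
            return False
        self.audit.append((now, granter, f"revoke {permission} from {username}", "ok"))
        return True

    def allowed(self, username, permission, now):
        """Role permissions always apply; temporary grants only until they expire."""
        if permission in ROLE_PERMISSIONS.get(self.users.get(username), set()):
            return True
        expiry = self.grants.get((username, permission))
        if expiry is not None and now < expiry:
            return True
        if expiry is not None:
            self.grants.pop((username, permission))  # expired grant is cleaned up lazily
        return False

    def act(self, username, permission, target, now):
        """Perform an action and record it against the individual account."""
        ok = self.allowed(username, permission, now)
        self.audit.append((now, username, f"{permission} {target}", "ok" if ok else "denied"))
        return ok


def who_changed(ac, target):
    """Log review: which individual accounts successfully acted on a target."""
    return sorted({user for _, user, action, outcome in ac.audit
                   if outcome == "ok" and action.endswith(" " + target)})


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("alice", "admin")
    ac.add_user("bob", "author")
    ac.act("bob", "post:publish", "post-17", now=100)                        # denied: not his role
    ac.grant_temporary("alice", "bob", "post:publish", now=110, ttl_seconds=3600)
    ac.act("bob", "post:publish", "post-17", now=120)                        # ok while the grant lasts
    ac.revoke("alice", "bob", "post:publish", now=130)                       # job done, escalation removed
    for entry in ac.audit:
        print(entry)
    print("changed post-17:", who_changed(ac, "post-17"))
```

Because every entry names a person rather than a shared login, the question in the text ("which person on your team was responsible?") is answered by `who_changed()` straight from the log; with a shared account that query would return the account name and nothing more.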
There are several tips for securing your websites; the best is to always carry out security testing on your site to discover loopholes so that you can mitigate them.