As a website owner, it is a nightmare to discover that your website has been hacked and your files maliciously modified or wiped out completely. Securing your website matters even if you think there is nothing on it worth stealing. Most attackers don't care about your content at all: they compromise your web server so they can use it for other malicious activity, for example as a node in a DDoS attack, as a relay for spam or as a host for phishing pages.
Every year, large organisations invest millions of dollars in enterprise threat detection, firewall hardware and software, and security audits. If you have no budget to spend on security, here are a few tips to secure your website without incurring any costs.
It sounds simple, but keeping your software updated is vital. It can be tedious, but it should not be ignored. Most of us run open-source software, which means the source code is available to anyone with the skills to look for security holes, and every published fix tells attackers exactly which older versions are vulnerable. If you run a popular open-source CMS such as WordPress, make sure you are on the latest version and update all plugins and themes too; an outdated plugin is just as exploitable as an outdated core.
We all know it is important to choose a strong password, but for the sake of convenience most of us don't. Use long, unique passwords for your server accounts (SSH, FTP/SFTP, control panel, database) and for your website admin accounts, and never reuse one across services; a password manager makes this painless. It is the most basic way to improve your security.
You can strengthen the login process easily by adding two-factor authentication (2FA) to your CMS. For WordPress users it is simple: install a 2FA plugin, install an authenticator app such as Google Authenticator on your phone, scan the QR code the plugin shows you, and you're ready to go. From then on a stolen or guessed password alone is not enough to log in, because every login also needs the six-digit code the app generates.
If you run an online store, or any site that handles logins or personal data, you need HTTPS, which means obtaining a TLS certificate (still commonly called an SSL certificate). Let's Encrypt issues them free of charge, so this costs nothing but a little setup time. Every online user recognises the padlock in the address bar, but be precise about what it means: the connection is encrypted and the certificate matches the domain, so credit card details cannot be read or altered in transit. It does not mean the site itself is honest or well run; phishing sites use valid certificates too.
Furthermore, Google has treated HTTPS as a (lightweight) ranking signal since 2014, and Chrome labels plain-HTTP pages "Not secure", so HTTPS also helps your search ranking and your visitors' confidence.
Not everyone knows the technical details of securing a website; the learning curve is steep and doing everything by hand takes time. If you use WordPress, a reputable option is Wordfence Security, a free, open-source (GPL) security plugin with a paid premium tier, built by a team of WordPress security specialists. It adds a web application firewall, malware scanning, brute-force login protection and alerting. Installing and enabling it noticeably raises the bar, but treat it as a layer on top of updates, strong passwords and 2FA, not a replacement for them.
If your website has a file upload feature, make sure server-side validation is implemented correctly. If you expect users to upload images, accept only image files such as GIF, JPG and PNG, and decide that on the server, not in the browser: check the extension against an allowlist, check that the file's contents actually begin with that type's signature, and store the file under a name you generate rather than the one the client sent. Without these checks you open a huge hole in your server: an attacker uploads a PHP script disguised as an image and uses it to take over the machine. Also keep uploads in a directory where the web server will serve files but never execute scripts.
There are a few more ways to reduce the chance of being hacked: hide any information about your platform and web server that would help an attacker pick the right exploit for your exact versions. For example:
- Hide software version numbers: the Server and X-Powered-By response headers, the WordPress generator meta tag and the version parameters on its assets.
- Change the default "admin" username to something else; an attacker who already knows the username only has to guess the password.
- Instead of displaying raw server errors, handle exceptions and show a user-friendly error message, logging the details server-side; a raw PHP warning reveals file paths and code structure.
- Make sure debug or test mode is turned off (in WordPress, WP_DEBUG in wp-config.php must be false on a live site).
- Change the default admin login URL if possible. This is obscurity rather than security, but it removes the automated brute-force traffic aimed at the standard login page.
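As an added example (not from the original post), here is a Python checker that scans an HTTP response for the kinds of disclosure listed above and names the setting that removes each one. The two responses are constructed for the example, not captured from a real site; the `Server` and `X-Powered-By` headers, the WordPress `generator` meta tag, the `?ver=` parameter WordPress appends to its own assets and the PHP warning text are the real formats these leaks take.

```python
import re

# Constructed sample responses for the example (not captured from a real site).
LEAKY_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
}
LEAKY_BODY = """<html><head>
<meta name="generator" content="WordPress 5.4" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp"></script>
</head><body>
<b>Warning</b>: Undefined variable $user in <b>/var/www/html/wp-content/themes/shop/header.php</b> on line <b>12</b>
</body></html>"""

HARDENED_HEADERS = {"Server": "Apache", "Content-Type": "text/html; charset=UTF-8"}
HARDENED_BODY = ("<html><head><title>Shop</title></head>"
                 "<body>Sorry, something went wrong. Please try again later.</body></html>")

# Each check: (name, predicate over normalised headers and body, the fix that removes it).
CHECKS = [
    ("server-version",
     lambda h, b: re.search(r"\d", h.get("Server", "")) is not None,
     "Apache: ServerTokens Prod and ServerSignature Off; nginx: server_tokens off;"),
    ("x-powered-by",
     lambda h, b: "X-Powered-By" in h,
     "php.ini: expose_php = Off"),
    ("generator-meta",
     lambda h, b: re.search(r'<meta\s+name="generator"', b, re.I) is not None,
     "WordPress: remove_action('wp_head', 'wp_generator') in the theme or a plugin"),
    ("asset-ver-param",
     lambda h, b: re.search(r"/wp-includes/[^\"'>]*\?ver=", b) is not None,
     "WordPress: strip the ver query argument via the script_loader_src and style_loader_src filters"),
    ("php-error-text",
     lambda h, b: re.search(r"(Warning|Notice|Fatal error|Parse error)(?:</b>)?:.*on line", b) is not None,
     "php.ini: display_errors = Off and log_errors = On; wp-config.php: WP_DEBUG false"),
    ("server-path",
     lambda h, b: re.search(r"/(var|home|usr|srv)/[\w./-]+\.php", b) is not None,
     "same as php-error-text: never render exception details to the visitor"),
]


def find_disclosures(headers, body):
    """Return the names of the checks that fire on a response.

    Header names are normalised so 'x-powered-by' and 'X-Powered-By' match alike."""
    norm = {k.title(): v for k, v in headers.items()}
    return [name for name, check, _fix in CHECKS if check(norm, body)]


def remediation(names):
    """Map finding names back to the settings that fix them."""
    fixes = {name: fix for name, _check, fix in CHECKS}
    return {name: fixes[name] for name in names}


if __name__ == "__main__":
    for label, headers, body in [("leaky", LEAKY_HEADERS, LEAKY_BODY),
                                 ("hardened", HARDENED_HEADERS, HARDENED_BODY)]:
        found = find_disclosures(headers, body)
        print(f"{label}: {found or 'no disclosures'}")
        for name, fix in remediation(found).items():
            print(f"  {name}: {fix}")
```

Run it against your own site by feeding it the headers and body of a real response; the useful habit is to check both a normal page and a deliberately broken request (a non-existent page, a malformed parameter), since error paths are where raw server output most often slips through.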