Previously I discussed ways to monitor for hacking and discover if/when your site has been attacked when you otherwise might not know. Now I’d like to talk about ways to prevent your site from being hacked in the first place…
More and more we’re seeing websites being hacked and nefarious content (and links) injected in order to boost another site’s search rankings. This is the lowest form of black hat SEO and the nasty side of our industry. Unfortunately, it clearly works, which is why we’re still seeing so much of it. Google aren’t doing enough to stop it and Webmasters aren’t properly securing their websites either.
This screenshot shows first page results for a search for a Viagra alternative. It’s clear without even visiting these websites that they don’t sell this drug: one is a library, another is a Scottish institute and the final example (from this small selection) is a pizza site. You’ll note that this search returns over 11 million results; I don’t like to think how many of those are unrelated websites that have been hacked. It’s a sad state of affairs. So what’s the solution? How do you protect yourself? There are a few steps you can take, though no set of measures offers 100% protection.
Keep Your Site Up-To-Date
One of the common problems unwitting Webmasters face is that their site becomes vulnerable simply because it hasn’t been kept up-to-date. WordPress sites are a good example. WordPress is an extremely popular CMS…
A quick Google search shows there are millions of sites out there running the system, so it’s easy to see why they’re such a target. If a hacker finds a vulnerability in one of these sites, chances are the same flaw exists on thousands of other sites running the same version, all of which can be hacked in turn, usually by an automated scanner rather than by hand.
WordPress publishes security releases and encourages users to update as soon as possible, but not all Webmasters see the announcement and may leave their site out of date for months (or years), blissfully unaware of the danger.
The other problem is that site owners often fear updating because of concerns over breaking functionality. The answer is to take a backup first so a bad update can be rolled back, not to skip the update. The same logic applies to plugins and themes: WordPress plugins frequently suffer from vulnerabilities and need updating as well. Keeping the core up-to-date but failing to update plugins may leave the site just as open to abuse.
This is just one example. Other platforms such as Magento, Drupal and others also require patching and updating to stay secure.
TL;DR – Update your site, plugins and themes regularly to avoid security dangers.
Secure Passwords & Vigilance
It should go without saying, but an insecure password for the admin area of your site is a good way to let hackers in. The same goes for FTP, database and server (SSH) access. SplashData published the most common passwords of 2014 and that list should serve as a disturbing reminder of how vulnerable your site is if you use anything like them: automated attacks try exactly these first.
It’s important to have processes in place so that passwords are strong, unique per account and not shared in a way that could be intercepted and abused by hackers. Sending logins (username and password) via email should be a no-no, as should reusing the site’s admin password anywhere else.
Use a password manager such as KeePass or LastPass to generate and store long random passwords that can’t be guessed or quickly brute-forced.
TL;DR – Secure your admin passwords to avoid hacking.
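As an added example (not part of the original post), the following Python checks a candidate admin password against the kind of list SplashData publishes and generates a replacement with the operating system’s CSPRNG. The blocklist is a constructed sample of a handful of perennial entries, not the full published list, and the 14-character minimum is an assumed policy.

```python
import math
import secrets
import string
from typing import Optional

# Constructed sample of perennial "worst passwords" entries (illustrative,
# not the full SplashData list). A real deployment would load a large
# breached-password list instead.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty", "123456789",
    "1234", "baseball", "dragon", "football", "letmein", "admin", "welcome",
}

# Generated passwords draw from letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed policy: 14 characters minimum.
MIN_LENGTH = 14


def weakness(password: str, site_name: str = "") -> Optional[str]:
    """Return a reason the password is weak, or None if it passes.

    Normalises case and strips trailing digits/punctuation so that
    "Password1!" is still recognised as the blocklisted "password".
    """
    lowered = password.lower()
    core = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        return "on the common-password list"
    if site_name and site_name.lower() in lowered:
        return "contains the site name"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


def generate_password(length: int = 24) -> str:
    """Random password from the CSPRNG (secrets), never the random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ("Password1!", "ExampleShop2014!", "correct horse battery staple"):
        print(f"{candidate!r}: {weakness(candidate, site_name='ExampleShop') or 'ok'}")
    new = generate_password()
    print(f"generated {new!r} ({entropy_bits(len(new)):.0f} bits)")
```

The blocklist check runs before the length check on purpose: a long password built from a common word plus a year and an exclamation mark is still the first thing a dictionary attack tries, so it must be rejected regardless of length.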
Relocate & Secure Your Admin Login
Another common problem is that the login area for your admin panel is too easy to find.
If you’ve got a WordPress installation the chances are your admin area is reachable at http://www.example.co.uk/wp-admin/ (which redirects to the login form at /wp-login.php). That same path exists on millions of other sites, so it’s trivial to find and a standing target for brute force attacks. The same goes for other platforms: Magento defaults to /admin/, Joomla to /administrator/ and Drupal to /user/login, all easy enough to guess.
So moving the login to somewhere uncommon will make it harder for hackers to find. Better still, limiting access to this section of the site to a selection of specific IP addresses (your office, for example) will further reduce the risk. Bear in mind that a renamed URL is obscurity, not a fix: it cuts out the automated noise, but a determined attacker can still find it, so pair it with the IP restriction and with a lockout after a handful of failed logins.
Some sites also help hackers rather than hinder them. Developers or Webmasters list their admin pages (and other important/secure sections) in the robots.txt file in the hope of stopping Google indexing those pages (and thus preventing people finding them), but robots.txt is public by design and any attacker worth their salt will simply read it for a complete list of the URLs they shouldn’t be accessing.
So don’t fall into this trap either! If you want admin pages kept out of the index, protect them with authentication and send a noindex header (X-Robots-Tag: noindex) rather than advertising their location.
TL;DR – Put admin login pages in a non-standard location, restrict them by IP address and don’t try to hide them via robots.txt!
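To make the brute-force and IP-restriction points concrete, here is an added Python example (not from the original post) that runs over web server access logs: it flags IPs hammering the WordPress login form and lists any IP outside an allowlist that has touched the admin area. The log lines are constructed for this example; the allowlist (198.51.100.0/24 as an “office” range) and the threshold of five failed logins in five minutes are assumptions. It relies on one piece of WordPress behaviour: a failed login re-renders wp-login.php with a 200, while a successful one answers with a 302 redirect into /wp-admin/.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterator, Tuple

# Apache/nginx "combined" log format: ip ident user [time] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed: only this range (e.g. the office) may reach the admin area.
ADMIN_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample log: one IP hammering the login form, one legitimate
# admin login from the office range, one stray IP trying twice far apart,
# and an anonymous admin-ajax.php call that must not be treated as admin use.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3240 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3240 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3240 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3240 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3240 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3240 "-" "Mozilla/5.0"
198.51.100.10 - - [10/Mar/2015:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.10 - - [10/Mar/2015:10:02:12 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2015:10:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3240 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2015:11:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3240 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2015:11:12:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""


def parse(log_text: str) -> Iterator[Tuple[str, datetime, str, str, int]]:
    """Yield (ip, timestamp, method, path-without-query, status) per well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (m["ip"], datetime.strptime(m["ts"], TS_FMT),
                   m["method"], m["path"].split("?", 1)[0], int(m["status"]))


def is_admin_path(path: str) -> bool:
    """Login form and dashboard, but not admin-ajax.php, which WordPress
    themes and plugins call on behalf of anonymous visitors too."""
    if path == "/wp-admin/admin-ajax.php":
        return False
    return path == "/wp-login.php" or path.startswith("/wp-admin/")


def brute_force_suspects(log_text: str, threshold: int = 5,
                         window: timedelta = timedelta(minutes=5)) -> set:
    """IPs with at least `threshold` failed logins inside any `window`."""
    failures = defaultdict(list)
    for ip, ts, method, path, status in parse(log_text):
        # 200 on a POST to wp-login.php = form re-rendered = failed attempt
        if method == "POST" and path == "/wp-login.php" and status == 200:
            failures[ip].append(ts)
    suspects = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                suspects.add(ip)
                break
    return suspects


def admin_allowed(ip: str) -> bool:
    """True if the address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)


def unallowed_admin_ips(log_text: str) -> set:
    """IPs outside the allowlist that reached the login form or dashboard."""
    return {ip for ip, _, _, path, _ in parse(log_text)
            if is_admin_path(path) and not admin_allowed(ip)}


if __name__ == "__main__":
    print("brute force:", sorted(brute_force_suspects(SAMPLE_LOG)))
    print("admin hits outside allowlist:", sorted(unallowed_admin_ips(SAMPLE_LOG)))
```

The same allowlist is what belongs in the web server itself: in Apache 2.4, `Require ip 198.51.100.0/24` inside a `<Files wp-login.php>` block (and a matching `<Directory>` for wp-admin); in nginx, `allow 198.51.100.0/24; deny all;` in the `location` for those paths. Leave admin-ajax.php reachable if your theme or plugins use it for logged-out visitors, and feed the IPs the brute-force check flags to a fail2ban-style ban or the host firewall.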
Use Trusted Plugins
Many Webmasters fall into the trap of installing a variety of plugins to ‘improve’ their site, but this in itself can lead to problems if the plugins are poorly coded and not trustworthy. Before you download and install, check whether the plugin is well rated by others, when it was last updated and whether it’s tested with the current version of the platform, and only use plugins from trusted sources. For example, WordPress plugins should only come from the WordPress plugins directory, never from a random site offering a ‘free’ copy of a paid plugin. Check for good quality reviews and do a little Googling to see what other people think of it. Remove plugins you no longer use: a deactivated plugin’s files are still on the server and can still be reached directly.
There are some industry standard (trusted) plugins you can use, such as Yoast’s ‘WordPress SEO’, but because of their popularity they’re also prime targets, so they should be updated promptly whenever a new release appears.
TL;DR – Avoid the unknown and do your research!
Backups & Firewalls
You may need to turn to your hosts for this one, but making regular backups of the site and adding a firewall (ideally a web application firewall in front of the CMS) give you an extra layer of protection. Keep the backups off the server (a backup sitting next to the site is lost or tampered with along with it) and test that you can actually restore from them. Blocking visits from certain countries may also offer another level of protection; some sites refuse connections from Russia, China and the like to reduce risk, but this isn’t always beneficial: some of your customers may come from those regions, and attackers routinely route through compromised machines elsewhere anyway.
Hopefully you’ve found these tips helpful. Let us know in the comments if you have any more!