Previously I discussed ways to monitor for hacking and discover if/when your site had been attacked when you otherwise might not know. Now I’d like to talk about ways to prevent your site being hacked in the first place…
More and more we’re seeing websites being hacked with nefarious content (and links) being injected in order to improve the results of another site. This is the lowest form of black hat SEO and the nasty side of our industry. Unfortunately, it clearly works which is why we’re still seeing it so much. Google aren’t doing enough to stop it and Webmasters aren’t properly securing their websites either.
Keep Your Site Up-To-Date
One of the common problems unwitting Webmasters face is that their site becomes vulnerable simply because it hasn’t been kept up-to-date. WordPress sites are a perfect example. WordPress is an extremely popular CMS…
WordPress themselves often report on vulnerabilities and encourage users to update as soon as possible but not all Webmasters are aware of the issue and may leave their site to sit out of date for months (or years) blissfully unaware of the danger.
The other problem is site owners often fear updating due to concerns over breaking functionality. The same logic applies to plugins. WordPress plugins often suffer from vulnerabilities and need updating as well. Keeping your site up-to-date but failing to update plugins may leave it just as open to abuse.
This is just one example. Other platforms such as Magento, Drupal and more will also require patching and updating to keep them secure.
TL;DR – Update your site and plugins regularly to avoid security dangers.
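One way to make "keep everything updated" a routine check rather than a hope is to compare what the CMS reports as installed against the latest releases the vendor advertises. The script below is an added example, not code from the original post; the inventory and version numbers are constructed, and in practice you would populate them from your CMS and its update feed. It also demonstrates the trap that hides outdated plugins: comparing version numbers as strings.

```python
import re

# Constructed inventory: versions reported by the CMS for core and each
# plugin, beside the latest release the vendor's update feed advertises.
# The numbers are made up for this example.
INSTALLED = {
    "core": "4.1",
    "plugin:seo-tool": "1.9.2",
    "plugin:gallery": "2.10",
    "plugin:contact-form": "3.0",
}
LATEST = {
    "core": "4.1.1",
    "plugin:seo-tool": "1.10",
    "plugin:gallery": "2.10",
    "plugin:contact-form": "3.0",
}


def parse_version(version: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so components compare numerically.
    Compared as plain strings, '1.9.2' sorts *after* '1.10', which would
    silently report an outdated plugin as current."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric version in {version!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b; '4.1' is treated as equal to '4.1.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def outdated_components(installed: dict, latest: dict) -> list:
    """Names of components whose installed version is behind the latest known one."""
    return sorted(
        name for name, current in installed.items()
        if name in latest and version_lt(current, latest[name])
    )


if __name__ == "__main__":
    for name in outdated_components(INSTALLED, LATEST):
        print(f"{name}: {INSTALLED[name]} -> {LATEST[name]} available")
```

Run on a schedule and alert on a non-empty result; the point is that a plugin sitting at 1.9.2 when 1.10 is out is exactly the case a naive string comparison misses.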
Secure Passwords & Vigilance
It should go without saying, but an insecure password for the admin area of your site is a good way to let hackers in. The same goes for FTP and server access. SplashData published the most insecure passwords of 2014, and that list should serve as a disturbing reminder of how vulnerable your site is if you use these sorts of passwords.
Try using a secure password generator/manager such as KeePass or LastPass to generate and store complex passwords that can’t easily be cracked or guessed.
TL;DR – Secure your admin passwords to avoid hacking.
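The two halves of the advice above, rejecting passwords from published "worst passwords" lists and generating strong ones from a proper random source, can be enforced in a few lines. This is an added example rather than code from the post; the common-password set is a small constructed sample of the kind of entries those lists contain, and the length and entropy thresholds are assumed policy values.

```python
import math
import secrets
import string

# Constructed sample of entries of the kind that appear on "worst passwords"
# lists; in a real check, load the full published list instead.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "12345",
    "1234", "baseball", "dragon", "football", "letmein", "admin",
    "welcome", "monkey", "abc123", "111111", "iloveyou", "master",
}

POOL_SIZES = {"lower": 26, "upper": 26, "digit": 10, "punct": len(string.punctuation)}
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def used_classes(password: str) -> set:
    """Which character classes the password actually draws from."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("punct")
    return classes


def estimate_entropy_bits(password: str) -> float:
    """Optimistic upper bound: length * log2(size of the pool the classes span).
    A dictionary word scores well here, which is why the common-list check
    below runs regardless of this number."""
    pool = sum(POOL_SIZES[k] for k in used_classes(password))
    return 0.0 if pool == 0 else len(password) * math.log2(pool)


def check_password(password: str, min_length: int = 12, min_bits: float = 60.0) -> list:
    """Return the reasons a password is rejected; an empty list means it passes."""
    reasons = []
    normalised = password.strip().lower()
    if normalised in COMMON_PASSWORDS:
        reasons.append("appears on a common-password list")
    # Catch the trivial variants people use to dodge such lists: 'Password1', 'admin!'
    stem = normalised.rstrip(string.digits + string.punctuation)
    if stem != normalised and stem in COMMON_PASSWORDS:
        reasons.append("is a common password with digits or punctuation appended")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if estimate_entropy_bits(password) < min_bits:
        reasons.append(f"estimated entropy below {min_bits:.0f} bits")
    return reasons


def generate_password(length: int = 20) -> str:
    """Build a password from the OS CSPRNG via `secrets` (never `random`),
    retrying until every character class is present and the policy passes."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if used_classes(candidate) == set(POOL_SIZES) and not check_password(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    for pw in ("password", "Password1", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    print("generated:", generate_password())
```

The entropy estimate is deliberately optimistic and only useful as a floor; the list check is what catches "Password1", which looks acceptable to a naive complexity rule.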
Relocate & Secure Your Admin Login
Another common problem is the login area for your admin panel is too easy to find.
Moving the login to a non-standard location will make it harder for hackers to find. Better still, if you limit access to this section of the site to a selection of specific IP addresses, this will further reduce the risk.
Some sites also help hackers rather than hindering them. Developers or Webmasters list their admin pages (and other important/secure sections) in the robots.txt file in the hope of stopping Google from indexing those pages (and thus preventing people from finding them), but any hacker worth his salt will simply look there for a complete list of the URLs they shouldn’t be accessing.
TL;DR – Put admin login pages in a non-standard location, restrict them by IP address and don’t attempt to hide them via robots.txt!
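Here is an added example (not code from the post) covering the IP restriction and the robots.txt point together: a gate that only lets allowlisted networks reach a relocated admin path, and an audit that flags Disallow lines advertising sensitive areas. The admin path, allowlisted networks (RFC 5737 documentation ranges standing in for your office or VPN egress) and the sensitive-path hints are all assumed values, and the sample robots.txt is constructed.

```python
import ipaddress

# Assumed deployment values (constructed for this example): the login now lives
# under a non-standard path, and only these networks may reach it. The ranges
# are RFC 5737 documentation addresses standing in for your office/VPN egress.
ADMIN_PATH = "/manage-x7k2/"
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]


def admin_request_allowed(path: str, client_ip: str) -> bool:
    """Gate the admin area by source address. client_ip must be the address of
    the TCP peer (or the value your trusted reverse proxy sets), never a header
    the client itself can forge. Anything unparseable fails closed."""
    if not path.startswith(ADMIN_PATH):
        return True  # public pages are unaffected
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


# Substrings that suggest a Disallow line is advertising something sensitive
# (a constructed heuristic; extend it with your own path names).
SENSITIVE_HINTS = ("admin", "login", "backup", "phpmyadmin", "config", "private", "manage")


def audit_robots_txt(text: str) -> list:
    """Return the Disallow paths in a robots.txt that look like a map of the
    site's sensitive areas. Such paths should be protected by authentication
    and access control, not merely hidden from crawlers."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.lower().startswith("disallow:"):
            continue
        path = line.split(":", 1)[1].strip()
        if path and any(h in path.lower() for h in SENSITIVE_HINTS):
            findings.append(path)
    return findings


# Constructed robots.txt of the kind the article warns about.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /wp-admin/
Disallow: /backup/          # nightly dumps
Disallow: /phpmyadmin/
Disallow: /wp-content/uploads/tmp/
"""

if __name__ == "__main__":
    print(admin_request_allowed("/manage-x7k2/", "203.0.113.42"))   # allowlisted
    print(admin_request_allowed("/manage-x7k2/", "192.0.2.1"))      # rejected
    print(audit_robots_txt(SAMPLE_ROBOTS))
```

In a real deployment the same allowlist is better enforced at the web server or firewall in front of the application, so the CMS code never sees the request at all; the function here shows the decision logic and the fail-closed handling of a bad address. The audit is a reminder that a hit means "add access control", not "delete the line and hope".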
Use Trusted Plugins
Many Webmasters fall into the trap of installing a variety of different plugins to ‘improve’ their site, but this in itself can lead to problems if the plugins are poorly coded and not trustworthy. Check before you download and install whether these plugins are well rated by others and be sure to only use plugins from trusted sources. For example, WordPress plugins should only come from the WordPress plugins directory. Check for good quality reviews and do a little Googling to see if there are other people with thoughts on it.
There are some industry-standard (trusted) plugins you can use, such as Yoast’s ‘WordPress SEO’, but their popularity also makes them a prime target, so they should be kept updated constantly.
TL;DR – Avoid the unknown and do your research!
Backups & Firewalls
You may need to turn to your hosts for this one, but making regular backups of the site and adding a firewall mean an extra layer of protection. Blocking visits from certain countries may also offer another level of protection. Some sites refuse connections from Russia, China and the like to reduce risk, but this isn’t always beneficial: some of your customers may hail from those regions.
Hopefully you’ve found these tips helpful. Let us know in the comments if you have any more!