13 rules that will enhance the security of your website

by Sunny Hoi
  1. Utilize Content Delivery Networks (CDN). CDNs such as CloudFlare, SiteLock, and Sucuri are interconnected networks of servers scattered around the world, which automatically route users to the nearest location. For example, when an individual visits a website to view a page, a server node closest to the user’s geographic location delivers the cached website content swiftly and reliably. This reduces the load times of the site, enhancing web content delivery to users and offering accelerated site security. If one server location of a CDN goes down, the traffic will automatically be routed to another location. These CDNs typically offer cloud security solutions for protection against web application attacks and Distributed Denial of Service attacks (DDoS). For a monthly fee, website owners can gain incredible value from a CDN with an integrated custom Website Application Firewall (WAF) and Intrusion Detention System (IDS).
  2. Frequent Backups. If a website gets compromised, attackers may modify or delete your content. No matter how secure a website is, there will always be humans who are interested in intruding a website and finding new security vulnerabilities that can lead to the significant security risks. By making frequent backups, you will not have to worry about starting from scratch.
  3. Avoid cheap, shared hosting. A website in a shared environment will lack security protocols, leading to increased security risks. People who sign up for shared hosting do not possess control over their shared environment and to what happens in that environment. Your website can be secure, but the other website hosted on that same server as yours could already be hacked. The attacker may upload a backdoor shell typically in PHP onto the shared server, granting him access to your website files and possible root access. Many blackhat hackers will target all the other sites hosted on the same shared environment as yours in an effort to hack your website. Or perhaps an attacker may launch numerous DDoS attacks on the shared server IP of your site, slowing every website hosted in the shared environment. Therefore, cloud hosting or dedicated servers are attractive choices due to the segregation of your site from other sites. These options may be significantly more expensive, but you do get what you pay for.
  4. Regular updates to Content Management System (CMS) and server. Regular patches to your CMS platform, security, and operating system retain the servers in their current secure state, reducing malfunctioning. Many of these updates are patches intended to fix security vulnerabilities. For your CMS, you must frequently check for updates to the core files and all CMS plugins to enhance site security. Hiding your CMS files by renaming their names or renaming the directory is pointless. Attackers will use site crawlers to get your site file locations. If you run WordPress and attempt to hide your version, the attacker may still be able to find out or estimate the current version running. Thus, keeping up to date with patches is way more important than running some ridiculous “hide my WP” plugin that promises to provide guaranteed security by attempting to hide the fact that CMS like anything are inherently insecure.
  5. Harden your CMS through the installation of security plugins. Security plugins like Wordfence allow the scanning of CMS files on your server and scans for malware to see if your site has been affected. But don’t get overcarried with installing too many of these security plugins as they may cause conflict with other plugins and cause server slowness.
  6. Use SSL. Encrypt all forms and login pages.
  7. Frequent penetration testing by a security company. By getting a security company that specializes in penetration testing, an accurate security assessment of your website can reveal undiscovered security vulnerabilities. A manual penetration test is much more effective than an automated scan at external network penetration and vulnerability assessments: Automated scanners merely reveal 45% of vulnerabilities at most, according to the Open Web Application Security Project (OWASP) and MITRE Corporation.
  8. Do not hold credit card information. By not correctly handling the security of credit card information, severe financial fines may be imposed. Instead, use a third-party gateway to minimize transactional risk.
  9. Don’t use weak passwords and be aware of social engineering. Passwords like 123456 and abcd are a hacker’s dream. Use Lastpass or 1Password to store and generate strong passwords that stand a much greater chance resisting successful brute-forcing attempts. Also, be cautious of hackers claiming to be technical support and asking for passwords or technical details regarding your site.
  10. Use versioning control software. Being able to fix your site quickly when it gets compromised is key. Hence, SVN or Mercurial is useful.
  11. Platform Level Firewalls. By utilizing platform level firewalls, a strong layer of security is added to the server.
  12. Staging environment. Making content changes in a staging environment that are isolated from production decreases the chances of you messing something seriously up.
  13. Limit access to the admin panel to just a few IP addresses. Hackers use automated scripts that target well-known admin panel directories such as WordPress’s default wp-admin directory. Therefore, you should limit access to these important directories.

Related Posts