Protect your website from hacking (10 security tips)
Why do you need to protect your website?
You may not like to think about it very often, but there are people out there who hack and carry out cyber-attacks on websites. Even if you’re not a huge corporate website and just have a small personal website, security is something you should think about.
You might be wondering, “Why me? Why should I worry about someone hacking my little website?” But unfortunately, websites of all sizes are possible targets.
In my own experience, years ago I had built a (very bad) simple CMS to keep a blog on. I wasn’t marketing it or telling people about it. But someone on the internet found my tiny website! They used SQL injection to fill up my database with links to an illegal prescription website, which then all showed up on my website.
I learned an embarrassing lesson that day: don’t leave your website vulnerable to attacks.
Making your website secure doesn’t have to be incredibly complicated. In fast, just following a few simple precautions when setting up your website will help you avoid the majority of hacking attempts.
I’ve listed out my top 10 list of ways you can make your website secure here.
Protect your server
1. Set up HTTPS and TLS/SSL to encrypt your traffic
Websites by default use HTTP (Hypertext Transfer Protocol) to transmit the website data from the server to the browser. HTTP is like a highway that connects everything on the internet. And this is why you have the “http” or “https” before the website domain.
HTTPS is a Secure version of HTTP. It protects the traffic to a website from being hacked or stolen. This is especially important for eCommerce websites, or websites which store sensitive information from its users like credit cards, phone numbers, or even Social Security numbers.
In a nutshell, HTTPS works by encrypting, or encoding the traffic so it’s not easily interpreted. Unless you have the key to the code, you will have a difficult time breaking it!
These days, more and more websites are moving over to using HTTPS, even if they aren’t eCommerce sites. Google has said that it will rank secure websites higher than insecure websites. It might be a pain for you to switch over, but it’s a good thing, because the more websites are secure, the more secure the internet at a whole will be.
So how do you make your website secure with HTTPS? All you need to do is install an SSL (Secure Sockets Layer) or TLS (Transport Layer Security) certificate on your site. Nowadays, you can do it easily and for free when you buy a domain name. Most web hosts will automatically let you sign up for a free Let’s Encrypt certificate. If you need additionally security, you will have to purchase one. But most small websites that are not eCommerce can get by with this free cert.
One note on TLS or SSL. SSL was the original way to encrypt your traffic. Currently, it’s been replaced by TLS which is more secure, and is becoming obsolete. But because most people are familiar with the term “SSL,” many people just keep saying SSL, even if they mean TLS.
2. Use firewalls to protect unauthorized access
If you are maintaining your own server, you probably have a firewall installed. A firewall is software or hardware that blocks unauthorized connections, and only lets permitted forms of traffic through.
You will generally only want the public access to the HTTP/HTTPS traffic on your server, so that they can load your website in their browser. And you definitely want to restrict public connections to really important or parts of your server that should be kept private, like files unrelated to your site, and databases.
Depending on how much control you have over your server, setting up a firewall should be fairly easy. Even if you don’t have direct control over your firewall, most web hosts will let you block specific IP addresses at the very least.
Another strategy is to prohibit access to things like your website admin page from every IP address except your own. This will keep hackers from even being able to load your login screen, much less attempt to login.
This can be a bit annoying because if you ever need to login from a different location, you’ll have to manually add that IP address to the firewall. But in my mind it’s worth the hassle for the peace of mind.
3. Transfer files securely with SSH/SFTP
Another connection to your web server that you need to protect is how you upload and download your website files. Just like we mentioned with HTTP, the original mechanism, FTP (File Transfer Protocol) is insecure. Even though it uses a username and password combination to connect, that information is stored in plaintext, not encrypted– a really big no-no these days!
FTP has been replaced with SFTP, which stands for SSH (Secure Shell) FTP. SSH is secure because its traffic is encrypted, and it also has a much more protected way of handing logins.
When setting up an SSH connection between your server and your own computer, you can use a pair of cryptographic keys to ensure that only your computer is given access to the server. The keys are made up of a public and private key. The public key is stored on the server itself, and the private key is stored on your computer.
The private key is what gives you access to the server via the public key. When you try to connect to the server, it checks your key and makes sure it is the proper match to the public key. The SSH website likens this relationship to a lock and key situation, where the public key is the lock, and your private key is the unique key that can open that lock.
Another advantage of using keys for SSH access is that once it’s set up on your computer, you don’t have to login every time that you want to connect! Pretty handy, right? However, if you need to access the server from a different computer, you will have to set up another set of public and private keys.
4. Set user permissions to block access to important folders and files
Did you know that all servers allow you to set up users with specific permissions for your website. You can set the permissions for Read, Write, or Execute access for any given file or folder. In addition, those permissions can be set for the Owner (usually the admin), Group (one or more users), or Public (everyone!!).
The way this access is encoded is by using a three-digit number with a certain number of “points” for each digit. Read access has 4 points, Write access 2 points, and Execute access 1 point. And the digits correspond to the different users: the first digit is the Owner, the second digit is the Group, and the third digit is the Public. If no one has any kind of access to the file, it will have a permissions level of 000. If all users have full access to a file, that will have permissions set to 777.
Generally the Owner (usually the system admin, or “sa” user) should have Read and Write access, and Group and Public users should just have Read access. This will result in permissions of 644. For files that need to be executable you can give the Owner Execute access, so it would change the 644 to 744.
One thing you should never do is set all your permissions to 777 — a lot of people do this if they run into permissions issues to quickly fix their problem so their website will work. But this is terrible advice because it gives literally everyone full access to the file, which can obviously be very dangerous. Even though it may be frustrating to have to deal with a “can’t create folder” or “can’t write file” error, it is much safer to figure out what the proper user and permissions level should be.
In general, you definitely don’t want to run your website under the admin user because if the credentials are compromised, a hacker could get complete access to your server. Your website should run under its own user, and you should have yet another user for SSH/SFTP access to transfer files. Keeping these different levels of access separate from one another will help keep your server files secure.
Protect your website
5. Keep CMS and other software up to date
Whether you’re running your site on WordPress, or using a bunch of npm packages, you definitely want to make sure all the software and tools that you’re using is kept up to date.
For WordPress specifically, you need to make sure you stay updated with the WordPress core version, your theme, and your plugins. This is extremely important because the developers always have to make changes to protect against vulnerabilities as time goes on.
The same is true for anti-virus and anti-malware software that you may install or even your server OS.
It’s like trying to keep mice out of your house– you have to keep covering up the holes they chew into your walls. If you don’t update, you will miss crucial fixes and will leave yourself vulnerable to cyber attacks.
Another WordPress tip:
6. Secure your form submissions
Form submissions on a website are one of the most frequently used ways that hackers will attack a website. This is because the form will submit data to your website database or it will run scripts in the user’s browser.
Both of these attacks can be avoided by validating your form fields. This means escaping (removing) any symbols that could be used to run queries or scripts, and otherwise making sure the data submitted is good, clean information.
Ideally, you should use both client and server side validation. Client side validation is useful for tasks like checking that emails and phone numbers are formatted properly, so the user has a chance to correct any mistakes before the final submission.
However, since it works in the browser the validation script itself could get altered maliciously. So you definitely do not want to depend solely on the client side.
Server side validation adds another layer of security to check the data for any malicious information, and is much harder for someone to get by, without actual access to your server. In which case, you likely have a host of other issues on your hands! Check out this Stack Overflow answer about client vs server side validation.
7. Use unique, secure passwords
According to Password Random, an online password generation tool, the #1 most commonly-used password is…. “password.” Even if you’re not silly enough to set that as your password, there are a few tips that you can use to make sure you are using strong, random passwords.
- Don’t use names or words that have any kind of connection to you (or each other) — see this relevant XKCD comic about password strength
- Don’t use any number combinations that you have a connection to, like your birthday, address, or social security number.
- Use long passwords, 20 characters or more if the website allows.
- Don’t reuse passwords across different accounts. Every account or website you log in to should have a unique password.
The easiest way to ensure that your passwords are unique and strong is to use a password manager tool, like LastPass or 1Password. Both have free versions and can generate very secure passwords for you and remember them. You only need to remember the master password to access the tool, and it will do the rest. I personally use LastPass.
Lastly, whether you’re using a password manager or making them up yourself, change your passwords periodically. Obviously the more often the better, but every 6 months should be pretty good.
This is important because especially with all the data breaches happening nowadays, even the most secure password won’t help you if it’s been stolen.
8. Use customized, hard-to-guess names
Similar to your passwords, using random names instead of the default values for your usernames, folders, and even databases can help prevent potential hackers from getting into your website. This is because well-known CMS’s like WordPress are a bigger target for attacks due the huge number of WordPress websites.
If you think about it from the hacker’s point of view, the vast majority of websites will simply use the default names for everything. So changing any or all of those names will increase the chances that a cyber attack based on your CMS will not work.
For example, most admin dashboards have a default username of “admin.” Changing this to something different, unrelated to either “admin” or your website name will make it harder to guess.
You can do the same thing for your CMS and change the default name of folders and database tables if they have a common prefix. For example, in WordPress the tables are all prefixed with “wp_” — changing the prefix makes it harder to gain access to your database.
9. Hide error and console messages
When you launch your website and it’s out of development, don’t forget to hide any error or console messages! These are handy to have when you’re building, but they also leave hints about your website setup, directories, and filenames to the public. It’s just better to hide any extra information that could potentially be used against you.
Depending on your website setup, you can often show a custom error page to website visitors, instead of displaying specific server error information.
And if you’re using WordPress, you can change your settings so that debug errors are either turned off completely, or written to a log file instead of printed on the screen.
10. Backup website files and databases
Lastly, in case the worst happens and you end up losing your website files and/or database information, backups can be a real lifesaver.
Your web host should have a backup feature where they will keep backups of your files and databases for a certain amount of time. For example, my web host, Siteground, takes a backup every night, and keeps backups going back one month.
In addition, if you have WordPress, you can install a backup plugin like BackupBuddy or UpdraftPlus. These plugins will backup your WordPress files and data, as often as you would like. So you can schedule backups to happen on chosen days of the week, and you can store your backups on an offsite location.
Most of the plugins offer integrations with Dropbox, Amazon S3, or other cloud storage locations to keep your backups. You can also save backups to a different location on your server, but it’s much safer to keep them somewhere else.
Website security is one of those things that may take a bit of time and hassle to set up, but can be well worth it if you do experience a cyber attack.
Also, I think it’s important to clear up that there is no 100% absolute guarantee against getting hacked. Think about a home security system, for instance. You know that they can help prevent robberies, but you know that there’s always a chance you will still get stolen from.
These basic guidelines will definitely help protect your website, but if someone is bent on getting access to your website, and has the knowledge and resources to do so, it may still happen.
The good news is, though, that with these tips you can prevent the vast majority of attacks. Unless you’re specifically getting targeted, most hackers are simply looking for the low hanging fruit. They’ll jiggle your door handle, then if they can’t get in easily, they’ll move on to the next target.
I hope you’ve found this article helpful! How do you protect your website? Feel free to leave a comment below!