Your website is not invincible! Security breaches happen more often than you might think, and they are not always about stealing your data or defacing your website. These hackers think bigger picture and usually have ulterior motives. Sometimes they are looking to use your server as an email relay for spam, or to set up a temporary web server to serve files of an illegal nature. Whatever the intent, there are measures you should take to ensure your website is secure.
Use Open Source Scripts
Unless you have a well-versed development team or you personally understand how to write code, open source scripts like WordPress, Drupal, Joomla, etc. are feature-rich, powerful, and backed by developers who provide updates and support. This reduces the risk of your website falling victim to hackers and spammers through poorly written code. Commercial scripts can also be deployed if they issue updates and patches regularly.
Upgrade to newer versions of scripts as soon as they are out! Point upgrades may only fix bugs, but a full version upgrade is just as essential. Sometimes upgrades can break customizations, so be sure to ask for advice in the support forums. Being up to date is the best way to avoid data breaches!
Use Strong Passwords
Most platforms feature a strength meter to indicate the complexity of a proposed password. Passwords like “ilovemusic” or “cookiesncream123” are not supposed to reflect your inner persona; they are supposed to keep things safe. Using a combination of letters, numbers, and special characters, and making sure the password is at least 10 characters long, is your best bet against a threat. Apps like LastPass and KeePass can help you generate strong passwords and store them safely.
Secure Admin Email Address
You should use a totally different email address on your contact page than the admin email address you use to log in to your web server, CMS, database, etc. This will help keep you from being scammed by a phishing email disguised as having been sent by your hosting company or domain registrar.
Password Protect the Database
Although it is not mandatory to set a database password, it can only help you. It would be a criminal waste to leave another layer of security empty. A database password does not slow down the website when it queries the database, so there is no reason not to have one!
Delete the Installation Folder
Once the installation process is done, there is no need to keep the installer folder around. If it is left in place, a hacker could run the installer again, empty out the database, and take control of the website and its content. If you know your way around the web server you can also opt to rename the folder, but it is strongly recommended to delete it.
Change File and Folder Permissions
Some scripts require full read and write access during installation. This is usually achieved by setting permission mode 777 on vital folders like config, admin, etc. Once installation is complete, revert the permissions to their original modes, say 755 for folders or 644 for files. A world-writable file or folder gives an attacker easy access to inject malicious code into your website (Stravarius).
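As an added example (not code from the article or from Stravarius), the following POSIX shell script finds world-writable files and folders under a web root and resets them to the 755/644 modes mentioned above. It builds a constructed sample site in a temporary directory so it runs offline; the folder and file names (config, admin, uploads, settings.php) are assumptions for illustration, and the script assumes a Unix host with find, chmod and mktemp available.

```sh
#!/bin/sh
# Added example, not from the original article: audit and reset file modes
# under a web root. Assumes a Unix host with find, chmod and mktemp.

# Print every world-writable file or directory under $1 (the o+w bit is set).
list_world_writable() {
    find "$1" -perm -0002 -print
}

# Print how many world-writable entries exist under $1 (0 is the goal).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset the tree under $1 to the usual post-install modes:
# 755 for directories, 644 for regular files.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a constructed sample web root in a temp directory and deliberately
# leave the install-time 777 modes on the config and admin folders.
# The names config, admin, uploads and settings.php are illustrative assumptions.
make_sample_root() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/config" "$root/admin" "$root/uploads"
    printf '<?php $db_pass = "constructed-example";\n' > "$root/config/settings.php"
    printf '<?php echo "hello";\n' > "$root/index.php"
    chmod 777 "$root/config" "$root/admin" "$root/config/settings.php"
    echo "$root"
}

# Demo run: show the problem, fix it, confirm nothing world-writable remains.
demo_root=$(make_sample_root)
echo "world-writable before fix: $(count_world_writable "$demo_root")"
list_world_writable "$demo_root"
fix_permissions "$demo_root"
echo "world-writable after fix: $(count_world_writable "$demo_root")"
rm -rf "$demo_root"
```

Run it against a real site as `list_world_writable /path/to/webroot` first and review the list before applying `fix_permissions`; a few scripts legitimately need a writable cache or uploads folder, and those should be made writable for the web server's own user rather than for everyone.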
Use Secured FTP Access
If your web server or ISP supports SFTP access, jump at the opportunity and upload files to your server in fully encrypted glory. Nobody eavesdropping on the connection can tell what you are uploading to or downloading from the web server (Stravarius).
Restrict Root Access
If people other than the system administrator upload files over FTP, restrict their access to specific non-system folders. Never give everyone access to everything!
Ensure the Presence of .htaccess File
.htaccess files are often used to specify security restrictions for a particular directory. Make sure you have not deleted it by accident, and check that it is there in the first place (Stravarius).
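The following POSIX shell script is an added example (not code from the article or from Stravarius) that ties together the advice on deleting the installation folder and on keeping an .htaccess file in place: it audits a web root for leftover installer folders and a missing .htaccess, then removes the folders and writes a minimal .htaccess. It assumes an Apache 2.4 host that honours .htaccess files (Options -Indexes and Require all denied are standard Apache directives); the installer folder names it checks (install, installer, installation) and the config file name are common defaults chosen for illustration, and the sample site is constructed in a temporary directory.

```sh
#!/bin/sh
# Added example, not from the original article: a post-installation audit that
# flags leftover installer folders and a missing .htaccess, then remediates both.
# Assumes an Apache 2.4 host that honours .htaccess; the installer folder names
# checked below are common CMS defaults chosen for illustration.

# Print the path of each leftover installer directory directly under $1.
find_installer_dirs() {
    for name in install installer installation; do
        [ -d "$1/$name" ] && echo "$1/$name"
    done
    return 0
}

# Audit the web root $1: one finding per leftover installer directory, plus
# one if the root has no .htaccess. Findings go to stderr, the count to stdout.
audit_web_root() {
    problems=0
    for dir in $(find_installer_dirs "$1"); do
        echo "finding: leftover installer directory $dir" >&2
        problems=$((problems + 1))
    done
    if [ ! -f "$1/.htaccess" ]; then
        echo "finding: no .htaccess in $1" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# Delete the installer directories found under $1 (the article's recommendation).
remove_installer_dirs() {
    find_installer_dirs "$1" | while read -r dir; do
        rm -rf "$dir"
    done
}

# Write a minimal Apache 2.4 .htaccess into $1 that turns off directory
# listings and refuses direct web requests for the config file named in $2.
write_baseline_htaccess() {
    cat > "$1/.htaccess" <<EOF
Options -Indexes
<Files "$2">
    Require all denied
</Files>
EOF
}

# Constructed sample web root: a fresh install with the installer still present
# and no .htaccess. The names are illustrative assumptions.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/install" "$root/config"
    printf '<?php $db_pass = "constructed-example";\n' > "$root/config/settings.php"
    echo "$root"
}

# Demo run: audit, remediate, audit again.
demo_root=$(make_sample_root)
echo "findings before: $(audit_web_root "$demo_root")"
remove_installer_dirs "$demo_root"
write_baseline_htaccess "$demo_root" settings.php
echo "findings after: $(audit_web_root "$demo_root")"
cat "$demo_root/.htaccess"
rm -rf "$demo_root"
```

The audit only reports and counts; the remediation steps are separate functions so you can run `audit_web_root /path/to/webroot` on a live site, read the findings, and decide what to delete yourself. Note that .htaccess files only take effect when the server's AllowOverride setting permits them, so confirm that with your host.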
Use Security Plugins
Mature platforms always have plugins that extend the core functionality of the script. Look for plugins that add an extra layer of security and install them. For example, the WP Security Scan plugin checks whether most of the steps mentioned above have been implemented properly in a WordPress installation (Stravarius).
Read Leading Tech Blogs
This is a no-brainer: in order to be at the top of your game, you need to be informed! Always read the latest news on vulnerabilities, bugs, and attacks on the internet. There will be a time delay before any remedy is issued, so keeping informed will help you make the proper decision to protect your website or to temporarily take it offline.
Stravarius, Justin. “Web.AppStorm.” WebAppStorm RSS. 17 Aug. 2010. Web. 29 Jan. 2015. <http://web.appstorm.net/roundups/self-publishing/15-great-ways-to-secure-your-website/>.