The Ultimate Guide For Website Security
I have been in the hosting industry for a while now and I have seen hundreds of websites getting hacked; most of them were open-source CMSs like WordPress, Magento, and others.
You have worked hard to make your website look that good, and worked even harder to bring in those priceless visitors; now it is time to make sure it stays that way. No one wants to see an ugly defacement page on their website.
You may think your website is not worth hacking, but most attacks are carried out by automated scripts that are not targeting you in particular. A compromised site is used to show off, as an email relay for spam, or as a temporary web server, normally to serve files of an illegal nature.
Once your backup solution is in place, we can proceed to your website security.
Always Keep Your Software Updated
If you are using our Linux Shared Hosting or Windows Shared Hosting, we keep the server-side software (PHP, Apache and MySQL) updated to the latest release, but as the website owner you must also track updates for your CMS (WordPress, Magento or any other open-source application) and for its plugins and themes. If you run custom code, keep track of deprecated functions so that a server upgrade does not break your site; for example, here is the list of deprecated features in PHP 5.3.x.
Avoid Common Error Messages
Think about how much information your error messages give away to visitors. If your website has a login form with username and password fields, use a generic message such as "Incorrect username or password", not "Incorrect username" for a wrong username and "Incorrect password" for a wrong password. If an intruder running a brute-force attack can tell from the message that one of the fields is correct, he knows he has a valid username and can concentrate on the password. The same applies to registration and password-reset forms, which can reveal which accounts exist.
If you use any kind of form on your website, add CAPTCHA verification and do all validation on both the client and the server. Client-side JavaScript validation is only a convenience for the user; it can be disabled or manipulated in the browser, so the server must never trust it.
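The difference between the two styles of error message, as an added example that is not part of the original guide: a login check that reveals which field was wrong, beside a hardened version that returns one generic message, compares hashes in constant time, and re-validates the form input on the server. The user store, salts and passwords are constructed for the demo.

```python
"""Added example (not code from the original post): a login check that leaks
which field was wrong, beside a hardened version that returns one generic
message and compares hashes in constant time. Server-side form validation
is included because the client-side checks can be bypassed. The user store
and passwords below are constructed for this demo."""
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # PBKDF2 work factor; raise for production use


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed demo user store: username -> (salt, PBKDF2 hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}

# When the username does not exist, the hardened version still hashes the
# supplied password against this dummy record, so the request takes the same
# time either way and response timing cannot reveal which usernames exist.
DUMMY_PASSWORD = "not-a-real-account"
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(DUMMY_PASSWORD, _DUMMY_SALT)

GENERIC = "Incorrect username or password"
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def validate_form(username: str, password: str) -> list:
    """Server-side validation. Never rely on the JavaScript in the browser
    for this, since the user controls the browser. Returns a list of errors."""
    errors = []
    if not USERNAME_RE.match(username):
        errors.append("username: 3-32 letters, digits, '_', '.' or '-'")
    if not 8 <= len(password) <= 128:
        errors.append("password: 8-128 characters")
    return errors


def login_leaky(username: str, password: str) -> str:
    """Weak: the message reveals which field was wrong, so an attacker can
    first enumerate usernames and then brute-force only the password."""
    if username not in USERS:
        return "Incorrect username"
    salt, stored = USERS[username]
    if hash_password(password, salt) != stored:  # '!=' is not constant-time either
        return "Incorrect password"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """Same message for every failure; hash and compare even for unknown users."""
    if validate_form(username, password):
        return GENERIC
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    if username in USERS and matches:
        return "OK"
    return GENERIC


if __name__ == "__main__":
    for user, pw in [("bob", "wrong-password"), ("alice", "wrong-password")]:
        print(f"leaky    {user!r}: {login_leaky(user, pw)}")
        print(f"hardened {user!r}: {login_hardened(user, pw)}")
```

Run it and the leaky version answers "Incorrect username" for bob and "Incorrect password" for alice, while the hardened version answers "Incorrect username or password" for both.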
OK, I should have put this at number one on my list, but it is never too late. Everyone knows you should use a strong password, but remember that this applies to your webmail, cPanel or Plesk, and your admin area as well. If you have an admin area and you are using Linux Shared Hosting, you can add a second password (two levels of security) by putting the following in an .htaccess file.
Create a .htaccess file and upload it to the /admin/ directory (/wp-admin/ in WordPress), then add the following lines:
AuthName "WordPress Protected Area"
AuthType Basic
AuthUserFile /path/to/.htpasswd
Require valid-user
Replace the folder path in line 3 with the location of your .htpasswd file, the file that holds the Apache username and password (create it with Apache's htpasswd utility). Keep that file outside public_html so it can never be downloaded. Then switch to the main root folder (/home/public_html), open the .htaccess file for editing (or create it) and add the following lines:
#Do not display Authorization Error Message
#Instead, redirect to the blog home page
ErrorDocument 401 /
Save the file and you are done. All users of your WordPress / admin area (including you) now have to enter two passwords to reach the dashboard: the Apache one first, then the application's own login. Note that basic authentication sends the credentials base64-encoded, not encrypted, so it only adds real protection when the admin area is served over HTTPS.
If you are using cPanel, you can password-protect the directory from cPanel >> Password Protect Directories (the easy way).
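The same two-file setup, as an added example that is not code from the original guide or from cPanel: a script that writes the admin and root .htaccess files described above and refuses an AuthUserFile path that is relative or sits inside the document root. The document root, admin directory and password-file paths are placeholders; the .htpasswd itself is still created with Apache's htpasswd utility (for example `htpasswd -B -c /path/to/.htpasswd admin`), not by this script.

```python
"""Added example, not code from the original guide: writes the two .htaccess
files for two-level admin protection and checks that the AuthUserFile path
is safe. All paths used here are placeholders for the demo."""
import os
import tempfile


def admin_htaccess(authuserfile: str, realm: str = "WordPress Protected Area") -> str:
    """Contents of the .htaccess placed in /admin/ (or /wp-admin/)."""
    return "\n".join([
        f'AuthName "{realm}"',
        "AuthType Basic",
        f"AuthUserFile {authuserfile}",  # line 3: the path you replace
        "Require valid-user",
        "",
    ])


def root_htaccess() -> str:
    """Contents of the .htaccess placed in the document root."""
    return ("#Do not display Authorization Error Message\n"
            "#Instead, redirect to the blog home page\n"
            "ErrorDocument 401 /\n")


def authuserfile_is_safe(docroot: str, authuserfile: str) -> bool:
    """A password file inside the document root can be downloaded by anyone,
    and a relative path is resolved against Apache's ServerRoot rather than
    your site, so insist on an absolute path outside the web root."""
    if not os.path.isabs(authuserfile):
        return False
    root = os.path.realpath(docroot)
    target = os.path.realpath(authuserfile)
    return os.path.commonpath([root, target]) != root


def install(docroot: str, admin_dir: str, authuserfile: str) -> dict:
    """Write both files and return their paths; raise on an unsafe password-file path."""
    if not authuserfile_is_safe(docroot, authuserfile):
        raise ValueError(
            f"AuthUserFile {authuserfile!r} must be an absolute path outside {docroot!r}")
    admin_path = os.path.join(docroot, admin_dir, ".htaccess")
    root_path = os.path.join(docroot, ".htaccess")
    os.makedirs(os.path.dirname(admin_path), exist_ok=True)
    with open(admin_path, "w") as f:
        f.write(admin_htaccess(authuserfile))
    with open(root_path, "a") as f:  # append, so existing rewrite rules survive
        f.write(root_htaccess())
    return {"admin": admin_path, "root": root_path}


if __name__ == "__main__":
    # Placeholder layout: <home>/public_html with the .htpasswd one level up.
    with tempfile.TemporaryDirectory() as home:
        docroot = os.path.join(home, "public_html")
        written = install(docroot, "wp-admin", os.path.join(home, ".htpasswd"))
        print(open(written["admin"]).read())
        try:
            install(docroot, "wp-admin", os.path.join(docroot, ".htpasswd"))
        except ValueError as exc:
            print("rejected:", exc)
```

The second install call in the demo is rejected because the password file would live inside public_html, which is exactly the mistake the manual procedure makes easy.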
Using Secure FTP Mode
Plain FTP sends your login and your files across the network in cleartext, so use SFTP or FTPS whenever you upload to your site. The same applies to your visitors' traffic: Google has announced that HTTPS is one of its ranking signals, giving priority to websites with an SSL certificate, so imagine how important an SSL certificate is for your website.
Remove unwanted files
Most of us have the bad habit of keeping old code files, or unused plugins and themes in WordPress, lying around. Remove any files, plugins or themes you no longer require: an inactive plugin is still reachable on disk, and attackers treat such leftovers as easy prey because most of them are an outdated bunch of code.
Hopefully, these tips will help keep your site and information safe.