The Ultimate Guide For: Website Security
I have been in the hosting industry for a while now and I have seen hundreds of websites get hacked; most of them ran open-source CMSs like WordPress, Magento and others.
You have worked hard to make your website look that good, and even harder to bring in those priceless visitors; now it is time to make sure it stays that way. No one wants to see an ugly hacker page on their website.
You may think your website is not worth hacking, but most attacks are carried out by automated scripts that do not care who you are. Sometimes it is just to show off, but more often the aim is to use your server as an email relay for spam, or to set up a temporary web server, normally to serve files of an illegal nature.
Once you are done with your backup solution, we can proceed to your website security:
- Always Keep Your Software Updated:
If you are using our Linux Shared Hosting or Windows Shared Hosting, at the server end we always keep our software (PHP, Apache and MySQL) updated to the latest release, but as a website owner you must also keep track of updates to your CMS, whether WordPress, Magento or any other open-source application, and to its plugins and themes. If you are running custom code, keep track of deprecated functions so that a server-side upgrade does not break your site. For example, here is the list of deprecated features in PHP 5.3.x.
- Avoid Revealing Error Messages: Think before you show an error message to your visitors, and about how much information it gives away. For example, if you have a login form with a username and a password field, use a single generic message such as "Incorrect username or password" rather than "Incorrect username" for a bad username and "Incorrect password" for a bad password. If an attacker is brute-forcing the login and the error message reveals that one of the two fields is correct, they know they have half of the credentials and can concentrate on the other half. The same applies to "Forgot password" forms that tell the visitor whether an email address is registered.
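As an added example (not from the original post), here is a PHP login check written both ways: a leaky version that confirms which field was wrong, and a version that returns one generic message. The $users array is constructed sample data, login_leaky and login_generic are hypothetical names, and the code assumes PHP 7.1+ for password_hash/password_verify and the syntax used.

```php
<?php
// Added example, not from the original post. Two versions of a login check:
// login_leaky() confirms which field was wrong; login_generic() does not.
// Hypothetical names; $users is constructed sample data. Assumes PHP 7.1+.

// Constructed sample "database": username => password hash.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Leaky version: the message (and the early return) tell the attacker
// whether the username exists, so they can enumerate users first and then
// brute-force passwords only for accounts known to be real.
function login_leaky(array $users, string $username, string $password): string
{
    if (!isset($users[$username])) {
        return 'Incorrect username';   // reveals: no such user
    }
    if (!password_verify($password, $users[$username])) {
        return 'Incorrect password';   // reveals: user exists
    }
    return 'OK';
}

// Hardened version: one message for both failures, and password_verify()
// always runs (against a dummy hash for unknown users) so that the response
// time does not reveal what the message hides.
function login_generic(array $users, string $username, string $password): string
{
    static $dummyHash = null;          // computed once per process
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-never-accepted', PASSWORD_DEFAULT);
    }

    $exists = isset($users[$username]);
    $hash   = $exists ? $users[$username] : $dummyHash;
    // Verify first (so the hash work is always done), then require a real user.
    $valid  = password_verify($password, $hash) && $exists;

    return $valid ? 'OK' : 'Incorrect username or password';
}

// Usage with the constructed data: an existing user with a wrong password,
// a non-existent user, and a correct login.
$attempts = [
    ['alice', 'wrong'],
    ['bob',   'wrong'],
    ['alice', 'correct horse battery staple'],
];
foreach ($attempts as [$u, $p]) {
    printf("%-6s leaky: %-20s generic: %s\n",
        $u, login_leaky($users, $u, $p), login_generic($users, $u, $p));
}
```

An early return on an unknown username would leak the same information through response time even with a generic message, because no password hash gets computed on that path; that is why the generic version always calls password_verify, against a dummy hash when the user does not exist. The generic message only removes the hint, it does not stop the brute force itself: pair it with rate limiting or a lockout per account and per source address, and log the failed attempts.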
- Form Security: If you use any kind of form on your website, add CAPTCHA verification, and do all validation on both the client side and the server side. The client-side (JavaScript) checks only improve the experience for honest users; anyone can disable or manipulate them, or post directly to your script, so the server must re-check every field before trusting it.
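As an added example (not from the original post), here is server-side validation for a contact form in PHP, with a constructed honest submission beside one crafted to bypass the browser's JavaScript checks. The field names, length limits and topic whitelist are assumptions for illustration, validate_contact_form and h are hypothetical names, the CAPTCHA check the post recommends is not shown, and the code assumes PHP 7.1+.

```php
<?php
// Added example, not from the original post. Server-side validation for a
// contact form; field names, limits and the topic whitelist are assumptions.
// The CAPTCHA check the post recommends is not shown here. Assumes PHP 7.1+.

// Read one field as a trimmed string. PHP turns "name[]=x" into an array,
// which would otherwise slip past string checks, so non-strings become ''.
function field(array $post, string $key): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? trim($v) : '';
}

/**
 * Validate raw POST fields. Returns:
 *   ['ok' => bool, 'errors' => [field => message], 'clean' => [field => value]]
 */
function validate_contact_form(array $post): array
{
    $errors = [];
    $clean  = [];

    // Name: required, bounded length (bytes), no control characters.
    $name = field($post, 'name');
    if ($name === '' || strlen($name) > 100 || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $errors['name'] = 'Name is required (max 100 characters).';
    } else {
        $clean['name'] = $name;
    }

    // Email: must parse as an address. FILTER_VALIDATE_EMAIL also rejects
    // the CR/LF that would otherwise allow mail header injection.
    $email = field($post, 'email');
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid email address is required.';
    } else {
        $clean['email'] = $email;
    }

    // Subject: ends up in a mail header, so a line break must be rejected
    // outright; otherwise the sender could append headers such as Bcc:.
    $subject = field($post, 'subject');
    if ($subject === '' || strlen($subject) > 200 || preg_match('/[\r\n]/', $subject)) {
        $errors['subject'] = 'Subject is required (max 200 characters, one line).';
    } else {
        $clean['subject'] = $subject;
    }

    // Message: required, bounded length. HTML is not stripped here; it is
    // escaped at output time instead (see h() below).
    $message = field($post, 'message');
    if ($message === '' || strlen($message) > 5000) {
        $errors['message'] = 'Message is required (max 5000 characters).';
    } else {
        $clean['message'] = $message;
    }

    // Select box: the browser's <option> list is not a security control, so
    // the value is checked against a server-side whitelist (strict compare).
    $allowedTopics = ['billing', 'support', 'sales'];
    $topic = field($post, 'topic');
    if (!in_array($topic, $allowedTopics, true)) {
        $errors['topic'] = 'Unknown topic.';
    } else {
        $clean['topic'] = $topic;
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'clean' => $clean];
}

// Escape a value before echoing it back into HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions: one honest, one posted directly with the
// JavaScript checks bypassed (in real code $post would be $_POST).
$honest  = ['name' => 'Alice', 'email' => 'alice@example.com',
            'subject' => 'Question', 'message' => 'Hello', 'topic' => 'support'];
$crafted = ['name' => '<script>alert(1)</script>', 'email' => 'not-an-email',
            'subject' => "Hi\r\nBcc: everyone@example.com", 'message' => '', 'topic' => 'admin'];

foreach (['honest' => $honest, 'crafted' => $crafted] as $label => $post) {
    $r = validate_contact_form($post);
    echo $label, ': ', $r['ok'] ? 'accepted' : 'rejected (' . implode(' ', $r['errors']) . ')', "\n";
    if (isset($r['clean']['name'])) {
        echo '  name as it would be echoed: ', h($r['clean']['name']), "\n";
    }
}
```

The crafted submission is rejected on four fields, and the one field that passes (the name containing a script tag) is harmless only because it is escaped with h() at output time; validation and output escaping are separate jobs and you need both.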
- Passwords: I should have put this at number one on the list, but it is never too late. Everyone knows you should have a strong password, but remember that this applies to your webmail, your cPanel or Plesk login and your site's admin area, and each of them should get its own password. If you have an admin area and you are on Linux Shared Hosting, you can add a second layer of protection (two passwords) by putting HTTP Basic authentication in front of it with an .htaccess file.
Create a .htaccess file and upload it to the /admin/ directory (in WordPress, /wp-admin/), then add the following lines. The password file named by AuthUserFile must be created with Apache's htpasswd utility and kept outside the public_html folder so that it can never be downloaded:
[su_code scroll="1"]
AuthType Basic
AuthName "WordPress Protected Area"
AuthUserFile /home/peter/admin/passwords
Require valid-user

# WordPress front-end features post to admin-ajax.php, so let it through
# without the extra password. These directives use Apache 2.2 syntax, which
# Apache 2.4 still accepts when mod_access_compat is loaded.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

# Static assets in the admin folder do not need the extra password either
# (a pattern match needs FilesMatch; <Files> takes a literal file name).
<FilesMatch "\.(css|gif|png|js)$">
Order allow,deny
Allow from all
Satisfy any
</FilesMatch>
[/su_code]
Replace the AuthUserFile path on line 3 with the real location of your password file. Then switch to the site's document root (your public_html folder), open its .htaccess file for editing (or create it) and add the following lines, which stop Apache showing its bare authorization error page when a visitor cancels the password prompt:
[su_code scroll="1"]
# Do not display the Apache authorization error message;
# instead, show the blog home page. The 401 document must be a local
# path; Apache does not allow an external URL for this status.
ErrorDocument 401 /
[/su_code]
Save the file and you are done. All users of your WordPress / admin area (including you) will now have to enter two passwords to reach the dashboard: the Basic authentication one, then the application's own login.
If you are using cPanel, you can do the same by logging into cPanel >> Password Protect Directories (the easy way 😉).
- Use a Secure FTP Mode:
Always use FTPS (FTP over TLS) to upload and download files to and from your server, or SFTP (file transfer over SSH) where your host offers it. Plain FTP sends your username, password and file contents in the clear, so anyone on the path (on public Wi-Fi, for example) can read them. Make sure your FTP client is set to require TLS rather than fall back to plain FTP when the secure connection fails.
Google has also announced that it treats HTTPS as one of its ranking factors, so an SSL/TLS certificate for the website itself is worth having for the search ranking alone, quite apart from protecting your visitors' logins and data in transit.
- Remove Unwanted Files:
Most of us have the bad habit of keeping old code files, old backups and unused themes or plugins around, even in WordPress. Remove any file, plugin or theme you no longer need. Attackers treat them as easy prey: they are usually an outdated bunch of code that nobody patches, and a deactivated plugin's files may still be reachable directly by URL.
Hopefully these tips will help keep your site and information safe.