Thursday, February 9, 2017

Basic Guide to Website Security Best Practices

Every online user wants to stay secure while browsing the web. Whether you own a website or you are just a visitor, you should definitely demand safety. As a business owner, you want to make your customers feel safe when visiting your site.

Nothing can kill your online credibility quicker than someone coming to your site and getting infected with malware, or seeing that your site has been hacked. If you want to take the basic steps that every webmaster should, follow the steps below:

1. Backup - See previous section.

2. Assess Third Party Vulnerabilities - If you are using any third-party website platforms (WordPress, Joomla, etc.), plugins, themes or other software, then make sure you assess their vulnerabilities. Any of these programs can be a weakness through which hackers can attack. To limit your vulnerabilities, make sure you have the latest stable version of any software or scripts you use on your website.

3. Choose Good Login Names - We talked about passwords in an earlier chapter, but one super frustrating thing people do online is ignore their login name. The login name is another area where you can throw in some variety to stifle potential hackers. Whether it is a login name for your FTP, your database or a WordPress installation, make sure you don’t just stick with the default; something like “admin” is a bad choice. Don’t just hand a hacker your login name by using one of those defaults. Make them figure out your password AND login name if they want to hack you.

4. Choose Good Passwords - The first chapter here explains all you need to know about passwords. The same rules for protecting your home computer apply here.

5. Encrypt Your Database - Make sure you use some sort of encryption for any passwords that are in a database. If you use WordPress, it encrypts passwords in your database automatically. The downside is that if you forget your password and look for it in the database, you will only see an encrypted mess. The good news is, so will anyone trying to find your password.

6. Turn Off Directory Listings - By default the directories on your site that don’t have an index.htm in them, like say an image directory, will display a list of all files in that folder if someone stumbles across it. You might not want people seeing a list of your directory contents. To avoid this, simply throw a blank index.htm into the directory.

7. Access Your Site From a Secure Computer - We talked about securing your computer in the first section of this guide. Make sure you access the backend of your website from a computer that is properly secured. You also want to make sure you only access your website over secure connections. Don’t FTP into your website at the local Starbucks.

8. Apache: Mod_Security - This is a step for the tech savvy. The first thing to consider is that some hosts won’t support this, so check if yours does. If they do, ask them about setting up the Apache mod_security. This will block “bad” requests. I mention it is for the tech savvy because there is some tweaking required to make sure you allow all the “good” requests, like updating your blog. Your hosting support will help you with all of this.
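To check step 6 across a whole site, the script below lists every directory that has no index file and can drop a blank index.htm into each one. It is an added example, not part of the original guide; the script name `audit_index.sh`, the `--fix` flag and the list of index file names are assumptions to adjust for your own server.

```shell
#!/bin/sh
# Added example (not from the original post): find directories under a web
# root that have no index file and would therefore show a file listing.

# Assumption: the file names your server treats as a directory index.
INDEX_NAMES="index.htm index.html index.php"

# Print each directory under "$1" that contains none of the INDEX_NAMES files.
# Directory names containing newlines are not supported.
dirs_without_index() {
    find "$1" -type d | sort | while IFS= read -r dir; do
        found=0
        for name in $INDEX_NAMES; do
            if [ -f "$dir/$name" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$dir"; fi
    done
}

# Apply the fix from step 6: drop a blank index.htm into each such directory.
# Never overwrites an existing file.
add_blank_index() {
    dirs_without_index "$1" | while IFS= read -r dir; do
        [ -e "$dir/index.htm" ] || : > "$dir/index.htm"
    done
}

# Usage: sh audit_index.sh /path/to/webroot [--fix]
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--fix" ]; then add_blank_index "$1"; fi
    dirs_without_index "$1"
fi
```

Run it without `--fix` first to review the list, and rerun it after uploading new folders, since each new directory needs its own index file.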

Above are just some of the guidelines on how to secure your website, and it certainly isn’t an all-encompassing list. These are just the bare minimums that anyone can usually do, no matter your level of tech knowledge or what type of hosting you have.

You can never reach 100% security, but this list will help you avoid the most common and simplest of hacks. The most important step of course is - back up your website! If the worst case scenario hits, you will be happy you did!
