Having your website hacked is a sickening experience, particularly when it threatens your reputation and loses you business. As well as affecting your own files, compromised sites can pass on malware and viruses, spread spam and infect other people’s websites, so it’s imperative that you keep your websites as secure as possible. Here are ten tips to help you on your way to fighting attacks.
1. Avoid installing plugins, add-ons and themes from third party websites
Go directly to the original author’s website or an official source (such as the WordPress Plugin Directory) to download themes, add-ons and other extras for your website. Many third party sites – even some that rank highly in Google and other search engines – have manipulated the code of other people’s themes and plugins to include vulnerabilities. Once you’ve installed them on your website, hackers can then exploit them at their leisure.
Don’t assume that a resource is safe just because you’ve seen someone else using it. Even if you’ve downloaded it from the same source, theirs may just not have been targeted yet.
2. Keep up to date with the latest vulnerabilities
Keeping an eye on tech news sites helps, as well as following key news blogs relating to specific software (for example WordPress). Many open source scripts will have updates on their own websites or admin dashboards to keep you in the loop.
A good background knowledge gives you an idea of what to check for and what to avoid. For example, the vulnerable timthumb.php continues to be a target for hackers, yet many WordPress users don’t even know they have it installed (for image manipulation) within plugins or themes they have activated.
Even if patched, scripts that are known to be vulnerable are best avoided as the attention often means they become even more of a target.
3. Register for new releases
WordPress handily tells you when plugins, themes and the install itself are due for updates via the admin panel, but not all software does. Investigate how all the software you have installed tell you about upgrades and bugs; for example, for Zen Cart you can subscribe to a thread on their support forums.
4. Keep your software up to date…
One of the easiest and most common ways hackers can get access to your website is through an outdated script. Keeping everything up to date is an essential part of running a website. Many people have websites they lost interest in months or even years ago, but the old scripts and data remain there, posing a potential threat.
5. …but don’t rush to be an early user
Brand new releases often have bugs and flaws that need patching. Before upgrading to a completely new release, have a search to see if any security issues have been found yet. If older versions are still fully patched and supported, it’s worth waiting until the security/bug release has been made live.
Avoid installing beta versions where possible, and avoid upgrading to new beta versions of software from your existing website. Test beforehand on a fresh website, and remember to delete everything once you’ve finished and store it locally if necessary.
6. Make a list
Make a complete list of what you’ve got installed and the version for each of your websites (depending on the number of websites and scripts you have, it may be easier to list the URLs under version headings). If you’re working as part of a team, keep it as a central spreadsheet in Dropbox or Google Docs so everyone can access it. It’s worth setting reminders in your calendar to check for updates or to prompt upgrades.
7. Don’t advertise
Remember the TV advert showing people leaving their valuables in plain sight and within easy reach of burglars? There’s an online equivalent.
Avoid public mentions of what plugins you’ve got installed and which versions of software you’re running, both on social media and on your websites. Where possible, check plugins and add-ons to make sure they aren’t including a footprint of information about themselves on your site.
8. Keep backups
Always keep multiple backups of your websites’ files and folders, and update them regularly. If your website is exploited you can then upload a clean copy of files and folders without the hassle of cleaning your site yourself. Keep copies of your backups in multiple locations, for example on an external hard drive, on your computer’s hard drive and via online storage facilities such as Dropbox.
As a Heart Internet web hosting customer you can download a backup of your site from eXtend. If you have a VPS or dedicated server with us, you can take advantage of our backup service directly from your control panel. Resellers can also back up their customers’ websites or allow them to make their own backups by activating the feature in eXtend.
9. Install trusted security plugins/add-ons
These work in a variety of different ways, including helping you block bad queries, assess how secure your website is, check for specific vulnerabilities and much more. As in our first tip, make sure you download plugins from an official source, and make sure you adjust any required settings before using.
10. Be proactive with StopTheHacker
StopTheHacker is a health monitoring service designed to keep an eye on your sites and your customers’ sites. Rather than you having to guess if something is wrong or spend hours trawling through files, StopTheHacker highlights any areas of concern for your website so you can take action. Best of all, you don’t need to manage software updates or worry about installing and running programs – it’s all taken care of and you can simply view the results from your Heart Internet control panel.
What are your best security tips? Let us know in the comments!