Web Hosting Blog

10 must read tips for optimal website security

17/04/2012

Having your website hacked is a sickening experience, particularly when it damages your reputation and loses you business. As well as affecting your own files, a compromised site can serve malware to its visitors, send spam and be used to attack other people’s websites, so it’s imperative that you keep your websites as secure as possible. Here are ten tips to help you on your way to fending off attacks.

1. Avoid installing plugins, add-ons and themes from third party websites

Go directly to the original author’s website or an official source (such as the WordPress Plugin Directory) to download themes, add-ons and other extras for your website. Many third party sites – even some that rank highly in Google and other search engines – redistribute other people’s themes and plugins with the code altered to include backdoors, hidden links or other malicious code. Once you’ve installed one of these on your website, attackers can exploit it at their leisure. Where the author publishes a checksum for a download, compare it with the file you actually received before installing.

Don’t assume that a resource is safe just because you’ve seen someone else using it. Even if you downloaded it from the same place they did, the doctored code may simply not have been used against their site yet.

2. Keep up to date with the latest vulnerabilities

Keeping an eye on tech news sites helps, as does following the news blogs for the specific software you use (for example WordPress). Many open source scripts also announce updates on their own websites or in their admin dashboards to keep you in the loop.

A good background knowledge gives you an idea of what to check for and what to avoid. For example, older versions of timthumb.php (an image resizing script) continue to be a target for attackers, yet many WordPress users don’t even know they have it installed, because it is bundled inside plugins or themes they have activated rather than installed on its own.

Even once patched, scripts with a history of vulnerabilities are best avoided where you can: the attention means attackers keep scanning for them, and any copy you have overlooked will be found.

3. Register for new releases

WordPress handily tells you when plugins, themes and the install itself are due for updates via the admin panel, but not all software does. Find out how each piece of software you have installed announces upgrades and bug fixes; for example, for Zen Cart you can subscribe to a thread on their support forums.

4. Keep your software up to date…

One of the easiest and most common ways attackers get into a website is through an outdated script. Keeping everything up to date is an essential part of running a website. Many people have websites they lost interest in months or even years ago, but the old scripts and data remain online and unpatched, and an attacker who gets in through a forgotten site can often reach everything else hosted in the same account. If you no longer need a site, take it down rather than leave it.

5. …but don’t rush to be an early user

Brand new releases often have bugs and flaws that need patching. Before upgrading to a completely new release, search to see whether any security issues have been reported in it yet. If your current version is still fully patched and supported, it can be worth waiting until the first security/bug-fix release of the new version has been made live. This only applies to new major releases: a release that exists purely to fix a security hole should be installed straight away.

Avoid installing beta versions where possible, and never upgrade your live website to a beta. Test betas on a separate, throwaway website instead, and delete that test install once you’ve finished (an abandoned test site is itself an unpatched target); keep a local copy if you need one.

6. Make a list

Make a complete list of what you’ve got installed, and the version, for each of your websites (depending on the number of websites and scripts you have, it may be easier to list the URLs under version headings). Include anything you know to be bundled inside a plugin or theme, such as image resizing scripts. If you’re working as part of a team, keep it as a central spreadsheet in Dropbox or Google Docs so everyone can access it. It’s worth setting reminders in your calendar to check for updates or to prompt upgrades.
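Keeping that list by hand works for a couple of sites, but it is worth generating it from the files themselves so that nothing bundled inside a plugin or theme is missed. The script below is an added example for this post, not Heart Internet’s or WordPress’s own code. It walks a wp-content directory, reads the header comment fields WordPress itself uses (Plugin Name, Theme Name, Version) to list every plugin and theme with its version, looks for bundled copies of timthumb.php (assuming that script declares its version in a PHP define, which you may need to adjust for your copy), and compares each entry against a table of latest known versions. That table and the sample site the script runs over are constructed for the demonstration. The same run covers the version check behind tip 4.

```python
"""Inventory the plugins, themes and bundled TimThumb copies under a WordPress
wp-content directory and flag versions below a known latest release.
Added example for this post, not Heart Internet's or WordPress's own code. It
assumes the standard wp-content/plugins and wp-content/themes layout and the
header fields WordPress itself reads (Plugin Name, Theme Name, Version). The
LATEST_KNOWN table and the sample site are constructed for the demonstration.
"""
import os
import re
import tempfile

# Header lines as written in a plugin's main PHP file or a theme's style.css.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Theme Name|Version):[ \t]*(.+?)[ \t]*$", re.M)
# TimThumb states its version in a PHP define near the top of the file
# (assumption about that script's layout; adjust if your copy differs).
TIMTHUMB_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")
# Constructed "latest release" table; in practice fill it from the vendors'
# release announcements or the spreadsheet this tip describes.
LATEST_KNOWN = {("plugin", "example-gallery"): "1.4.2",
                ("plugin", "example-single"): "1.1",
                ("theme", "example-theme"): "2.0"}

def parse_header(text):
    """Header fields from the first 8 KB of a plugin/theme file (first occurrence wins)."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        fields.setdefault(key, value)
    return fields

def version_tuple(version):
    """'2.8.10' -> (2, 8, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def _read(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")

def inventory(wp_content):
    """Rows of (kind, slug, name, version, path relative to wp_content)."""
    rows = []
    plugin_dir = os.path.join(wp_content, "plugins")
    for entry in (sorted(os.listdir(plugin_dir)) if os.path.isdir(plugin_dir) else []):
        path = os.path.join(plugin_dir, entry)
        if os.path.isdir(path):        # usual case: a folder whose main file carries the header
            candidates = [os.path.join(path, f) for f in sorted(os.listdir(path)) if f.endswith(".php")]
        elif entry.endswith(".php"):   # single-file plugin dropped straight into plugins/
            candidates = [path]
        else:
            continue
        for candidate in candidates:
            header = parse_header(_read(candidate))
            if "Plugin Name" in header:
                slug = entry[:-4] if entry.endswith(".php") else entry
                rows.append(("plugin", slug, header["Plugin Name"], header.get("Version", "?"),
                             _rel(candidate, wp_content)))
                break
    theme_dir = os.path.join(wp_content, "themes")
    for entry in (sorted(os.listdir(theme_dir)) if os.path.isdir(theme_dir) else []):
        style = os.path.join(theme_dir, entry, "style.css")
        if os.path.isfile(style):
            header = parse_header(_read(style))
            rows.append(("theme", entry, header.get("Theme Name", entry), header.get("Version", "?"),
                         _rel(style, wp_content)))
    # TimThumb copies hide inside plugins and themes, so walk the whole tree for them.
    for dirpath, _, files in os.walk(wp_content):
        for name in files:
            if name.lower() in ("timthumb.php", "thumb.php"):
                rel = _rel(os.path.join(dirpath, name), wp_content)
                owner = rel.split("/")[1] if rel.count("/") > 1 else rel  # plugin/theme that bundles it
                match = TIMTHUMB_RE.search(_read(os.path.join(dirpath, name)))
                rows.append(("timthumb", owner, "TimThumb", match.group(1) if match else "?", rel))
    return rows

def outdated(rows, latest=LATEST_KNOWN):
    """Rows whose version is below the known latest release, with that release appended."""
    stale = []
    for row in rows:
        kind, slug, _name, version, _path = row
        wanted = latest.get((kind, slug))
        if wanted and version_tuple(version) < version_tuple(wanted):
            stale.append(row + (wanted,))
    return stale

SAMPLE_SITE = {  # constructed files standing in for real plugins and themes
    "plugins/example-gallery/example-gallery.php": "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.3.0\n*/\n",
    "plugins/example-gallery/lib/timthumb.php": "<?php\n// bundled image resizer\ndefine ('VERSION', '2.8.10');\n",
    "plugins/example-single.php": "<?php\n/**\n * Plugin Name: Example Single File\n * Version: 1.1\n */\n",
    "themes/example-theme/style.css": "/*\nTheme Name: Example Theme\nVersion: 2.0\n*/\n",
}

def demo():
    """Build the sample site in a temp dir; return (inventory rows, outdated rows)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_SITE.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        rows = inventory(root)
        return rows, outdated(rows)
```

Run inventory() against the wp-content folder of each site and paste the rows into the spreadsheet; the rows that outdated() returns are your upgrade list, and any timthumb row is worth knowing about whatever its version. The latest-version table is the one part you still maintain by hand, from the release channels in tip 3.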

7. Don’t advertise

Remember the TV advert showing people leaving their valuables in plain sight and within easy reach of burglars? There’s an online equivalent.

Avoid public mentions of what plugins you’ve got installed and which versions of software you’re running, both on social media and on your websites. Where possible, check plugins and add-ons to make sure they aren’t leaving a footprint on your pages: a generator meta tag naming the software and its version, version numbers in the query strings of script and stylesheet URLs, or HTML comments announcing the plugin. Hiding these makes you harder to pick out in a scan for a known vulnerable version, but it is no substitute for patching: an attacker can still simply try the exploit.
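A quick way to see what a site gives away is to read its own front page the way a scanner does. The script below is an added example for this post, not Heart Internet’s code: it scans a page’s HTML for the generator meta tag, the ?ver= query strings that WordPress appends to plugin, theme and core asset URLs, and HTML comments that mention a plugin or a version number. The page it runs over is constructed for the demonstration; to check a real site, fetch your own front page and pass its HTML to scan_footprints().

```python
"""Scan a page's HTML for the version footprints this tip warns about.
Added example for this post, not Heart Internet's code. It looks for the
patterns WordPress sites commonly leak: the generator meta tag, "?ver="
query strings on plugin, theme and core asset URLs, and HTML comments that
announce a plugin or version. SAMPLE_HTML is constructed for the demo.
"""
import re

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.I)
# /wp-content/plugins/<slug>/.../file.js?ver=1.2.3  (same for themes)
ASSET_RE = re.compile(r"/wp-content/(plugins|themes)/([^/\"'?\s]+)[^\"'\s]*?\?ver=([^\"'&\s]+)", re.I)
# Core assets carry the WordPress version when no explicit version was registered.
CORE_RE = re.compile(r"/wp-(?:includes|admin)/[^\"'\s]*?\?ver=([^\"'&\s]+)", re.I)
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
CHATTY_COMMENT_RE = re.compile(r"\b(plugin|theme|version|v?\d+\.\d+(\.\d+)*)\b", re.I)

def _attr(tag, name):
    """Value of an HTML attribute inside one tag, whatever order the attributes come in."""
    match = re.search(r"\b%s\s*=\s*[\"']([^\"']*)[\"']" % name, tag, re.I)
    return match.group(1) if match else None

def scan_footprints(html):
    """Return an ordered, de-duplicated list of (kind, detail) findings."""
    findings = []

    def add(kind, detail):
        if (kind, detail) not in findings:
            findings.append((kind, detail))

    for tag in META_TAG_RE.findall(html):
        if (_attr(tag, "name") or "").lower() == "generator":
            add("generator", _attr(tag, "content") or "")
    for kind, slug, version in ASSET_RE.findall(html):
        add(kind[:-1], "%s %s" % (slug, version))      # "plugin" / "theme"
    for version in CORE_RE.findall(html):
        add("core-asset", version)
    for body in COMMENT_RE.findall(html):
        if CHATTY_COMMENT_RE.search(body):             # only comments that name software or a version
            add("comment", " ".join(body.split()))
    return findings

SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta charset="utf-8" />
<meta name="generator" content="WordPress 3.3.1" />
<link rel="stylesheet" href="/wp-content/themes/example-theme/style.css?ver=2.0" />
<script src="/wp-includes/js/comment-reply.min.js?ver=3.3.1"></script>
<script src="/wp-content/plugins/example-gallery/js/gallery.min.js?ver=1.3.0"></script>
<!-- Example Gallery plugin v1.3.0 start -->
<!-- end header -->
</head><body><p>Hello</p></body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan_footprints(SAMPLE_HTML):
        print("%-10s %s" % (kind, detail))
```

WordPress prints the generator tag from its wp_generator action on wp_head, which a theme can remove, and asset version strings come from whichever plugin or theme registered the script. Treat the output as a list of things to tidy, not as protection in itself: a scanner that finds no version can still simply try the exploit.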

8. Keep backups

Always keep multiple backups of your websites’ files and folders (and databases), and update them regularly. If your website is compromised you can then restore a clean copy without the hassle of cleaning the site file by file. Restore from a backup taken before the compromise, and close the hole that was used to get in before you put the site back online, or it will simply be reinfected. Keep copies of your backups in multiple locations, for example on an external hard drive, on your computer’s hard drive and via online storage facilities such as Dropbox.

As a Heart Internet web hosting customer you can download a backup of your site from eXtend. If you have a VPS or dedicated server with us, you can take advantage of our backup service directly from your control panel. Resellers can also back up their customers’ websites or allow them to make their own backups by activating the feature in eXtend.

Heart Internet resellers can back up their customers’ sites from the RCC.
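A backup is also your record of what the site looked like when it was clean. The script below is an added example for this post, not Heart Internet’s code: it hashes every file in a directory into a manifest (written in the same two-space format as sha256sum, so sha256sum -c can verify it as well), then diffs the live site against that manifest to list modified, added and removed files. The sample site and the tampering applied to it are constructed for the demonstration.

```python
"""Hash every file in a backup into a manifest and diff the live site against
it, so a compromise shows up as a list of modified, added and removed files
instead of a manual trawl through folders.
Added example for this post, not Heart Internet's code. Works on any directory
tree; SAMPLE_SITE and the "compromise" applied to it are constructed.
"""
import hashlib
import os
import tempfile

def make_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):          # never follow links out of the tree
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest.hexdigest()
    return manifest

def save_manifest(manifest, path):
    """Write in sha256sum's "<hex>  <path>" format so `sha256sum -c` can verify it too."""
    with open(path, "w", encoding="utf-8") as fh:
        for rel in sorted(manifest):
            fh.write("%s  %s\n" % (manifest[rel], rel))

def load_manifest(path):
    manifest = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            digest, _, rel = line.rstrip("\n").partition("  ")
            if digest and rel:
                manifest[rel] = digest
    return manifest

def diff_manifests(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed

SAMPLE_SITE = {  # constructed stand-in for a small site
    "index.php": "<?php require 'wp-blog-header.php';\n",
    "readme.html": "<html>readme</html>\n",
    "wp-content/themes/example-theme/style.css": "/* Theme Name: Example Theme */\n",
    "wp-content/uploads/2012/04/photo.jpg": "not really a jpeg\n",
}

def _write(root, rel, body):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(body)

def demo():
    """Take a manifest of the clean site, tamper with the site, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "site")
        for rel, body in SAMPLE_SITE.items():
            _write(site, rel, body)
        # The manifest lives beside the backup, outside the site tree.
        manifest_path = os.path.join(root, "backup.sha256")
        save_manifest(make_manifest(site), manifest_path)
        baseline = load_manifest(manifest_path)
        # Simulated compromise: one file altered, one unexpected PHP file in
        # uploads, one file deleted.
        _write(site, "index.php", "<?php /* injected line */ require 'wp-blog-header.php';\n")
        _write(site, "wp-content/uploads/2012/04/cache.php", "<?php /* not in the backup */\n")
        os.remove(os.path.join(site, "readme.html"))
        modified, added, removed = diff_manifests(baseline, make_manifest(site))
        return {"modified": modified, "added": added, "removed": removed,
                "baseline_count": len(baseline)}

if __name__ == "__main__":
    for key, value in demo().items():
        print("%-15s %s" % (key, value))
```

Store the manifest with the backup, off the server: a manifest that lives on the site can be edited by whoever edited the site. A diff that shows changed core files or new PHP files under uploads tells you both that you need the backup and roughly where the attacker’s files are, which is the starting point for working out how they got in.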

9. Install trusted security plugins/add-ons

These work in a variety of ways, including helping you block malicious requests, assess how secure your website is, check for specific vulnerabilities and much more. As in our first tip, make sure you download them from an official source, and review and adjust their settings before relying on them.

10. Be proactive with StopTheHacker

StopTheHacker is a health monitoring service designed to keep an eye on your sites and your customers’ sites. Rather than you having to guess if something is wrong or spend hours trawling through files, StopTheHacker highlights any areas of concern for your website so you can take action. Best of all, you don’t need to manage software updates or worry about installing and running programs - it’s all taken care of and you can simply view the results from your Heart Internet control panel.

Find out more about StopTheHacker website health monitoring, or if you’re a reseller hosting customer, you can resell StopTheHacker or offer it free of charge to your customers.

StopTheHacker highlights specific areas and files of concern for you.

A clean site gives you peace of mind.

What are your best security tips? Let us know in the comments!


Comments


  • Tom Allen
      25 April 2012 at 14:14

    *sigh*

    Terrible.

    You can’t call an article “10 must read tips” and then have 8 out of the 10 PURELY for wordpress, one of them telling us to back up and the last one saying to install (and presumably purchase) your software.

    How about 10 actually helpful tips developers often overlook like making your forms SQL Injection proof or keeping include files as .php and not .inc or .bac for example. How about disabling certain types of files to be uploaded through forms or setting correct permissions in website folders?

    Tom Allen

  • Jenni
      25 April 2012 at 15:30

    Hi Tom,

    The tips apply to all CMS systems (particularly open source ones), which is what the majority of our customers’ sites are based on. They also tend to be the most vulnerable types of websites, which is why the article is based around them. None of the ten are specifically about WordPress although it’s used as an example a couple of times as it’s by far the most commonly used.

    It’s intended for an average customer to help keep their sites secure rather than as advice for advanced users. It’s something we can address in a later post in our security series if there is demand for it; we tend to assume that more technical users know more about the security implications of what they do but it could be useful to address. We are more than happy to accept guest posts if it’s something you’d be interested in writing yourself.

    Jenni  
  • Murray Cowell from Belmont Mail
      30 May 2012 at 10:31

    Well said Jenni - this is excellent advice for the average, non-technical user. Whilst those of us who build websites might know these things, and more technical security measures, most users don’t. You are providing an excellent service by pointing these things out.

    Murray Cowell from Belmont Mail

  • Jenni
      30 May 2012 at 10:47

    Very kind Murray, thanks!

    Jenni  
