10 tips for a more secure website

Russian state hackers have recently dominated the headlines so it’s as good a time as any to talk about website security.

Websites are hacked to steal data that can be used to extort a company, to take the site down or to deliberately breach security. Smaller company sites are also often hacked simply to add backlinks that improve another company's presence on search engines (usually pharmaceuticals, fake branded goods and the like). Brute-force attacks are the most common: automated tools relentlessly guess credentials such as usernames and passwords, often thousands of times per second. This is particularly dangerous for sites built with a CMS such as WordPress, Drupal or Joomla, where a username and password are required to log in to the back end of the site.

To help, we've listed 10 tips to make your website more secure. We've mainly referenced WordPress websites as this is our CMS of choice, but most of these tips can be applied to other content management systems.

1. SSL and HTTPS

An SSL certificate is a data file that, when installed on a web server, allows encrypted connections between that server and a browser. Previously only used on sites that handled sensitive data, it is now becoming the norm. You need an SSL certificate on your website to keep data secure in transit between your server and your visitors. Once the certificate is installed the application protocol changes from HTTP to HTTPS. We're used to seeing https when we buy things online, as it's usually applied to sites that handle credit card and customer login details; the protocol encrypts the connection so that third parties cannot read the content a user sends over the internet. Google has now announced that using HTTPS on a site is an SEO benefit, and since January 2017 sites using only HTTP are considered insecure and carry a browser warning. If you haven't already, it's time to upgrade to HTTPS.

2. Keep all software plugins up to date

This applies both to your CMS software (you can often set this to update automatically) and to the plugins you have installed on your website. Hackers can quickly find holes in software and exploit them, so running the latest version of your plugins ensures known security holes have already been patched. Most content management systems notify you of available updates when you log in to the back end, so you don't have to search for them. You can also set plugins and themes to update automatically by adding a few lines of code to wp-config.php.
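As an added example (not the original post's code, and not taken from any plugin it mentions), here is how the automatic updates mentioned above are switched on in WordPress. One caveat a practitioner should know: the `WP_AUTO_UPDATE_CORE` constant does go in wp-config.php, but the `add_filter()` calls cannot live there, because WordPress's plugin API is not loaded yet when wp-config.php runs; they belong in a must-use plugin file under wp-content/mu-plugins/ (or a theme's functions.php). The hook names are WordPress's own; the pinned plugin slug `example-custom-plugin` is an assumed placeholder.

```php
<?php
/**
 * Plugin Name: Enable automatic updates
 *
 * Added example, not from the original post. Save as
 * wp-content/mu-plugins/auto-updates.php so WordPress loads it on every
 * request. The WP_AUTO_UPDATE_CORE line is shown commented out because
 * it belongs in wp-config.php, not here.
 */

// In wp-config.php: install minor AND major core releases automatically.
// The default ('minor') installs only maintenance and security releases.
// define( 'WP_AUTO_UPDATE_CORE', true );

// Plugins you deliberately pin to their current version (assumed example
// slug; adjust for your site). Every other plugin updates as soon as a
// new version is published.
const EXAMPLE_PINNED_PLUGINS = array( 'example-custom-plugin' );

// auto_update_plugin receives the current decision and the update item;
// $item->slug is the plugin's slug on the WordPress.org directory.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, EXAMPLE_PINNED_PLUGINS, true ) ) {
        return false; // keep the pinned plugin on its current version
    }
    return true; // everything else updates automatically
}, 10, 2 );

// Themes and translation files: always update.
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );
```

Because a must-use plugin cannot be deactivated from the dashboard, this setting survives an attacker or a careless admin switching plugins off, which is the point of putting it there rather than in an ordinary plugin.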

3. Deleting (not just deactivating) unused plugins

As with the above, getting rid of any plugins you're not using (usually older versions) closes off gateways into your site's admin area. Too many plugins will also slow your site down, so that's one more reason to delete anything you can live without.

4. Keeping your server operating system up to date (check with hosting company)

Check with your hosting company that they apply regular security updates. If you have a WordPress site, find a hosting company with a service dedicated to WordPress; this way they'll usually provide firewalls, regular malware scanning and up-to-date versions of PHP and MySQL.

5. Security plugins

Try using a security plugin such as Wordfence for WordPress. The free version offers the ability to blacklist IP addresses, block bot traffic and perform regular security scans.

6. Secure passwords

It's surprising how many people use basic passwords to access the admin side of their website. Passwords should always be random letters and numbers with no fewer than 10 characters to ensure they're secure, and they should also be changed regularly. In addition to secure passwords you should set up a new username rather than the default 'admin'.

7. Hidden login page

Renaming or changing the location of the login URL is a great way of making attacks much harder for the hacker. If your login page is at /wp-admin or /wp-login.php, change it to something only you will know. HidemyWP is a WordPress plugin that can hide WordPress's scripts and other fingerprints in addition to disguising the login page. Drupal also has the Login Disable module, available to download.

8. Two step verification

This adds an extra layer of security to your site login. Usually you sign in with your username and password and then enter a code sent to the phone number you registered. Plugins such as WordPress' Jetpack, Google Authenticator or Clef can do this for you.
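Google Authenticator works slightly differently from the text-message flow described above: the phone generates the code itself from a secret shared with the site at enrolment, using time-based one-time passwords (RFC 6238). The PHP below is an added example, not code from the post or from any of the plugins it names; it shows what such a plugin has to do on the server side: decode the base32 secret, compute the code for the current 30-second step, accept codes from one step either side to allow for clock drift, and refuse a code that has already been used. The secret in the demo is the RFC 6238 test secret, so the printed codes can be compared with the RFC's Appendix B table.

```php
<?php
// Added example (not from the original post): server-side verification of
// time-based one-time passwords as produced by Google Authenticator-style apps.

// Decode an RFC 4648 base32 string (the format in which TOTP secrets are shared).
function base32_decode_rfc4648(string $input): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $input = strtoupper(rtrim($input, '='));
    $bits = '';
    foreach (str_split($input) as $c) {
        $pos = strpos($alphabet, $c);
        if ($pos === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {   // drop trailing padding bits
            $out .= chr(bindec($chunk));
        }
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter, then
// "dynamic truncation" to a 31-bit integer reduced to $digits decimal digits.
function hotp(string $secret, int $counter, int $digits = 6): string {
    $hash   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0f;
    $code   = ((ord($hash[$offset]) & 0x7f) << 24)
            | ((ord($hash[$offset + 1]) & 0xff) << 16)
            | ((ord($hash[$offset + 2]) & 0xff) << 8)
            |  (ord($hash[$offset + 3]) & 0xff);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP (RFC 6238): HOTP with the counter set to the current 30-second time step.
function totp(string $secret, int $timestamp, int $step = 30, int $digits = 6): string {
    return hotp($secret, intdiv($timestamp, $step), $digits);
}

// Verify a submitted code. $lastUsedStep is the time step of the last code
// this user successfully used (store it per user); any step at or before it
// is refused so an intercepted code cannot be replayed within the window.
// Returns the accepted time step, or null if the code is rejected.
function verify_totp(string $base32Secret, string $code, int $now,
                     int $lastUsedStep = -1, int $window = 1): ?int {
    $secret  = base32_decode_rfc4648($base32Secret);
    $current = intdiv($now, 30);
    for ($i = -$window; $i <= $window; $i++) {
        $step = $current + $i;
        if ($step <= $lastUsedStep) {
            continue;
        }
        // hash_equals() compares in constant time.
        if (hash_equals(hotp($secret, $step), $code)) {
            return $step;
        }
    }
    return null;
}

// Demo with the RFC 6238 test secret ("12345678901234567890" in base32).
$secretB32 = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
$secret    = base32_decode_rfc4648($secretB32);
echo "T=59: ", totp($secret, 59), "\n";
echo "T=1111111109: ", totp($secret, 1111111109), "\n";

// A code generated eleven seconds earlier is still inside the +/-1 step window...
$code = totp($secret, 1111111109);
$step = verify_totp($secretB32, $code, 1111111120);
echo "first use accepted at step: ", var_export($step, true), "\n";
// ...but presenting the same code again, with the accepted step recorded, fails.
$replay = verify_totp($secretB32, $code, 1111111120, $step);
echo "replay accepted: ", var_export($replay !== null, true), "\n";
```

The two pieces a plugin most often gets wrong are visible here: the comparison must be constant-time (hence hash_equals rather than ==), and the last accepted step must be persisted per user, otherwise a code captured by a phishing page remains valid for the rest of its 30-second window plus the drift allowance.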

9. Take regular backups

Ensure you take regular backups of your content and database. If something happens to your site you can use the backup to recover your files, and if the database becomes corrupted you're covered too. You can do this with one of the many backup plugins or modules available.

10. Finally, this may seem self-explanatory, but make sure your computer is up to date

By installing the latest antivirus software and regularly scanning your computer for viruses or malware, you'll help ensure that any infection on your own computer is removed before it can be used to reach your site.