Top Ten Tips to Hack-proof your site

Everything a Digital Marketing agency needs to know about hacking…

Intro…

SSL certificates, admin protection, password protocols, DDoS defence, educating your staff… these are just some of the advanced security features and processes we’re going to discuss to help you fortify your site against one of the industries ever increasing issues; cyber attacks.

It is a sad fact of our digital world that we are constantly having to think about our security online. 2017 has been rife with major cybersecurity breaches such as Wannacry in which ransomware was used against thousands of public utilities and large corporations. It had a devastating effect on NHS hospitals across the UK, crippling emergency rooms and causing chaos in appointment systems, leading to delayed medical procedures for many patients.

But Wannacry – and other headline-hitting hacks – are just the tip of the iceberg. The risk of hacking is all around us, and will continue to increase because of the converging of CMS platforms. So what can you do to protect yourself and your site against hacking?

Many of us use off-the shelf content management systems such as WordPress, DRUPAL and JOOMLA for our sites. Do we have any control over their security or do we have to hope that “someone” at the provider end will sort it all out for us?

Whilst CMS providers do take security very seriously and regularly issue security updates when a flaw is found, they can be vulnerable for hackers to exploit en masse. So, what measures can you take yourself to tighten your security and mitigate against a hack?

Here are our Top Ten Tips for doing just that:

Security Features

1. Find out all the security features of your CMS and host and use them effectively. For example, ensure that when setting up your site, you connect the server through SFTP or SSH which will ensure secure transfers of all files.

Do not turn on the PHP module as this can enable an outsider to hack into your site. Also take care over directory permissions: try and set these to “755” and files to “644” as this will give additional protection to the whole filesystem – directories, subdirectories, and individual files.

If you use WordPress you can install the iThemes Security plugin that offers a variety of features including checking permission settings and limiting login attempts.

Consider CloudFlare

2. Supplement the CMS and host security features with additional resources such as Cloudflare which provide the resilience and intelligence of a scalable network in order to combat the biggest and newest attacks including Distributed Denial of Service (DDoS) attacks, data breaches and malicious bot abuse.

The Importance of SSL

3. Make sure you have an SSL – Secure Socket Layer – certificate. This is invaluable in securing the Admin panel. It ensures secure data transfer between user browsers and the server, therefore making it difficult for hackers to breach that connection. Having an SSL certificate also has a positive impact on your website’s Google rankings, as Google ranks sites with SSL higher than those without it.

Protect your Admin

4. Protect your Admin URL. By default this is usually easy to find. For example if you have a WordPress site then your login page can usually be accessed easily via either wp-login.php or wp-admin added to the site’s main URL. This could enable hackers to try and brute force their way in, using endless combinations of passwords. But if you replace the login URL this will get rid of 99% of direct brute force attacks as only someone who knows the exact URL can even try to do it. You can do this via the WordPress admin dashboard.

Install Security Updates

5. We mentioned earlier that CMS providers will regularly issue security updates – but these are no use unless you then use them to update your site. As soon as a fix for one gap has been put in place another will be round the corner, so taking time to regularly update your site is really worth your while.

Passwords and Permissions

6. Change your website passwords on a regular basis, and especially when someone leaves. The more that passwords are shared around, then not changed when people move on, the more risk there is of them falling into the wrong hands. So give access permissions only to trusted users, and make sure there are procedures in place for removing access for ex-employees.

Password Protection Protocols

7. Set up protocols for employees to protect passwords. For example, stipulate password constraints – for example a minimum length and that they must contain a mix of letters, numbers and characters. Also make sure that they do.not store passwords anywhere obvious and that they do not also use the same password for other sites that may not be as secure as yours: in this case as soon as one site loses its data security, then hackers could gain entry all over the web with that one frequently used password.

2-factor Authentication

8. Consider using 2-factor authentication (2FA) at the login page. This requires the user to provide login details in two different ways: as the website owner you can decide what those two ways are. For example it may be a regular password followed by either a secret question or a secret code. If you use WordPress the Google Authenticator plugin
is very useful here.

Raise Awareness Amongst Employees

9. Social engineering: people are your weakest link. Even the most careful of employees can inadvertently let you down. A hacker may either phone your organisation offering bogus technical assistance, or phone your CMS or host provider to glean backend technical information about your site. It is essential to raise awareness in your organisation that people need constantly to be on their guard about anyone asking for information related to your site. Better safe than sorry.

Back-up, back-up, back-up!

10. In parallel with the above, you should always have a current back-up of your site in a different location, so that if the worst happens and your live site is compromised, you will be able to restore your website to a working state as soon as possible.

Lots of food for thought. The cybersecurity world is rapidly expanding and new developments are happening every day. If you follow the above steps they will offer you a good level of protection for now. But this is a topic that we will revisit on a regular basis because the nature of these problems is constantly changing therefore so must our response to them.