A few weeks ago, the Reporting and Analysis Centre for Information Assurance (MELANI) published its semiannual report. The report showed just how poorly Swiss websites perform in terms of security. This is reason enough to write a post discussing the most important precautions you should take to safeguard your website.
Regularly update your software!
No software is written without mistakes, so new security vulnerabilities are discovered all the time, and the developers of the software fix them with each new update. Anyone who fails to install those updates leaves the door wide open to hackers. Finding vulnerable installations on the internet is easy for cybercriminals: the search is automated and takes little effort to set up.
If you are using a CMS such as WordPress, Joomla or TYPO3, you should ensure that the latest version is always installed on your system. Although WordPress, for example, installs security updates automatically, major version updates still require your approval (a mouse click) in the admin area of the software. Those who prefer to be on the safe side can also enable the automatic installation of major updates. The procedure for WordPress is explained here. Don’t forget to update plug-ins and themes regularly as well.
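One way to switch on the automatic installation of major core updates, and of plug-in and theme updates at the same time, is shown below. This is an added example, not the procedure the post links to and not WordPress’s own code; the constant and filter names are WordPress’s, while the file name auto-updates.php and its location in wp-content/mu-plugins/ (a must-use plug-in, loaded on every request without activation) are assumptions.

```php
<?php
/**
 * Plugin Name: Auto-update everything
 *
 * Added example (not from the original post or from WordPress).
 * Assumed location: wp-content/mu-plugins/auto-updates.php
 *
 * Without this file WordPress only installs minor/security core releases by
 * itself; major releases, plug-ins and themes wait for a click in the admin area.
 */

// Weak setting (the WordPress default, shown for comparison): major core
// releases are NOT installed automatically. Equivalent to
//   define( 'WP_AUTO_UPDATE_CORE', 'minor' );   in wp-config.php
// add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Hardened setting: let the background updater install major core releases too.
// Equivalent to   define( 'WP_AUTO_UPDATE_CORE', true );   in wp-config.php
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plug-ins and themes are just as important: outdated ones are a common way in.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Warn (in the PHP error log) if something else has switched the updater off
// entirely, in which case none of the filters above have any effect.
if ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED ) {
    error_log( 'Automatic updates are disabled via AUTOMATIC_UPDATER_DISABLED in wp-config.php.' );
}
```

Automatic major updates can occasionally break a theme or plug-in that lags behind, which is exactly why the next two sections (monitoring and backups) belong together with this one.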
Use security tools
To perform an initial test to determine whether your website has already been hacked, you can use a tool such as Sucuri’s free "Website Malware and Security Scanner". However, you should still take the time to monitor activity on your site. For WordPress, you can use a plug-in such as Sucuri Security or Wordfence. Both plug-ins monitor files, notify you of any necessary updates and offer additional security features – even with the free versions.
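To show what the file monitoring in such plug-ins actually does, here is an added example that is not code from the post, from Sucuri or from Wordfence: a command-line script that records a SHA-256 hash of every file under the site root and, on later runs, reports files that were added, removed or changed. The file name integrity.php, the directory names and the command lines are assumptions.

```php
<?php
// Added example (not from the original post or any plug-in): minimal file-integrity check.
// Usage (paths are assumptions):
//   php integrity.php init  /var/www/site /root/site-baseline.json   # record baseline once
//   php integrity.php check /var/www/site /root/site-baseline.json   # run from cron; exit 1 on change
// Keep the baseline OUTSIDE the web root, otherwise an intruder who can write to the
// site can simply rewrite the baseline as well.

// Directories whose content changes legitimately all the time (uploads, caches).
const IGNORE_PREFIXES = ['wp-content/uploads/', 'wp-content/cache/'];

// Walk the tree and return [relative path => sha256] for every regular file.
function hashTree(string $root): array
{
    $root   = rtrim($root, '/');
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        foreach (IGNORE_PREFIXES as $prefix) {
            if (strncmp($rel, $prefix, strlen($prefix)) === 0) {
                continue 2;
            }
        }
        // An unreadable file is recorded as such, so a permission change is noticed too.
        $hashes[$rel] = hash_file('sha256', $file->getPathname()) ?: 'unreadable';
    }
    ksort($hashes);
    return $hashes;
}

// Compare two trees; returns lists of added, removed and changed relative paths.
function compareTrees(array $baseline, array $current): array
{
    $added   = array_keys(array_diff_key($current, $baseline));
    $removed = array_keys(array_diff_key($baseline, $current));
    $changed = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if (!hash_equals((string) $baseline[$path], $hash)) {
            $changed[] = $path;
        }
    }
    return ['added' => $added, 'removed' => $removed, 'changed' => $changed];
}

[$script, $mode, $root, $baselineFile] = $argv + [null, null, null, null];
if (!in_array($mode, ['init', 'check'], true) || !is_dir((string) $root) || !$baselineFile) {
    fwrite(STDERR, "usage: php integrity.php init|check <site-root> <baseline.json>\n");
    exit(2);
}

$current = hashTree($root);

if ($mode === 'init') {
    file_put_contents($baselineFile, json_encode($current, JSON_PRETTY_PRINT));
    echo count($current) . " files recorded in $baselineFile\n";
    exit(0);
}

$baseline = json_decode((string) file_get_contents($baselineFile), true);
if (!is_array($baseline)) {
    fwrite(STDERR, "cannot read baseline $baselineFile\n");
    exit(2);
}

$diff = compareTrees($baseline, $current);
foreach ($diff as $kind => $paths) {
    foreach ($paths as $path) {
        echo "$kind: $path\n";
    }
}
// Non-zero exit lets cron (or any monitoring) raise an alert when something moved.
exit(array_sum(array_map('count', $diff)) > 0 ? 1 : 0);
```

After every legitimate update run the script again with init so the new versions become the baseline; anything that appears between updates (a new PHP file in wp-content, a changed index.php) is what deserves a closer look.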
Simple yet effective: strong passwords
Let’s be honest. How difficult is it to guess the admin password for your CMS? Once a hacker gains access to the admin pages of your software, they can effectively do as they please. For this reason, selecting a strong password remains one of the most basic security precautions you can take. The password should consist of letters, numbers and perhaps even one or more special characters. It also never hurts to change the password every few months. If you’re interested, we have touched on the topic of passwords several times here in previous blog posts.
Make regular backups
Everyone talks about it, but few actually make the effort to do so. This is a risky business, since you usually only realize the value of a backup when you need it. And if you don’t have one at the right time, you’ll have a major problem on your hands.
It is a shame, really. After all, the plug-in architecture of today’s CMS solutions makes it so easy to automatically manage those tedious backup tasks. For WordPress, there are plug-ins such as BackWPup and VaultPress. For Joomla, there is Easy Joomla Backup. All of these take care of this task and create data backups of the installations at regular intervals.
Delete idle installations or plug-ins
Every piece of code on your web server can harbor a potential security vulnerability. This is especially true for files or plug-ins that you haven’t used in a while – a lone test installation, for example. Delete them. Nothing is more irritating than when an idle installation on your server serves as a back door to hackers.
Once you’ve taken the appropriate security measures, it’s easy to keep the individual software installation up to date. And you’ll probably sleep a bit better too!
For more on the topic of security, particularly for WordPress, have a look at this post on taking WordPress security to the next level.