How to improve your website security in 10 steps
Today, our hosting company SuperHosting.BG launches a campaign under the code name Security! By adding blog posts and specific guidelines on our help page we would like to achieve the best possible results together! This campaign focuses mainly on you and your websites. We rely on your questions and comments to "paint" together the whole picture of websites that are protected from external unauthorized access.
Usually, we post tips under the "Support Tips" category at the end of each article. Today, we will break the pattern by mentioning the recommendation of our Tech team at the beginning: Prevention is the best protection! 🙂
Below you will find 10 important steps that we would like to take together:
- Protecting the admin panel with additional username and password
- Changing the "admin" username
- "Bad" aspect of "good" passwords
- Subscribing for news from CMS developers
- Regular backup
- Plugins for additional protection
- Most common reasons for security breaches on websites
- WordPress and Joomla
- From 1 to 9… and back!
In the following section we will look into the basic and most common methods for protecting your website and improving its security. It is not necessary to be a webmaster to cope with them... but if you implement them, you will surely get closer to a security master! 🙂
Speaking of your successful online presence, let us begin with the fact that Content Management Systems (CMS) are now the most popular and convenient way to get a website. You may build your website by yourself using the most user-friendly and free open-source systems – WordPress, Joomla!, Drupal, OS Commerce, e107, phpBB, etc. A web studio may also develop your website on their custom CMS. However, in this case they will take care of the security. This article pays more attention to the open-source CMS, whose security is mostly your concern…
1. Protecting the admin panel with additional username and password
You can secure your website admin panel in two ways. Use them only if the new user registration option is disabled, because otherwise new users will not be able to access their accounts.
First option: Restricting access to the admin panel for specific IP addresses
If you would like your admin panel to be accessible from your IP address only, place the following lines in the .htaccess file located in the directory where the login script is found:
Deny from All
Allow from xxx.xxx.xxx.xxx
Note: You have to replace xxx.xxx.xxx.xxx with your IP address.
If you want to access the admin panel from another IP address, you should add one more line:
Allow from xxx.xxx.xxx.xxx
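The lines above use the Apache 2.2 access-control syntax; on Apache 2.4 the same restriction is written with Require. The following is an added example, not part of the original article, that works on either version. The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders from the documentation ranges and must be replaced with your own.

```apache
# .htaccess in the directory that contains the CMS login script.
# Added example; the IP addresses below are documentation placeholders.

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
    # Several Require lines outside a container are combined as "any of":
    # a client matching one of them is admitted, everyone else gets 403.
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</IfModule>

# Apache 2.2 (legacy Order/Deny/Allow syntax)
<IfModule !mod_authz_core.c>
    # Deny rules are evaluated first, then Allow rules override them
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</IfModule>
```

Both forms require that AllowOverride permits them in .htaccess (AuthConfig for Require, Limit for Order/Deny/Allow). After saving the file, a request from any other address should return 403 Forbidden.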
Second option: Protecting the admin panel with additional username and password
In this case you may use the "Password Protect Directories" option in cPanel.
2. Changing the "admin" username
By default, the accounts with admin rights in most open-source CMS have usernames such as admin, admin1, administrator, etc. They also have identical IDs in databases…
3. "Bad" aspect of "good" passwords
The issue concerning the passwords we use not only for our website, but also for our email, bank account, Facebook, Twitter, Google, etc., has come to a head!
Does it sound familiar to you? "I will use 123456 so that I do not forget the password… it is so easy, no one will ever guess that I use it…"
But you are perfectly wrong! The worldwide statistics on people using such "difficult" passwords are mind-blowing… there are millions, billions of them. This greatly facilitates the job of malware or of persons who want to access your private data and who use in their first attempts:
0000, etc...
On behalf of the whole team we advise and recommend you to pay attention to passwords!
It is a good idea to change the default password that was set by the system during the initial CMS installation and to choose a secure, strong and more complex password.
Sometimes when people want to test a feature, they set easy passwords. Later on, if they forget to delete them, third parties may guess their data, which means that unauthorized persons will be able to manage the information.
5. Subscribing for news from CMS developers
When an update, a new version or a security patch is released, the news is published on the official website of the CMS.
System versions consist of main versions, e.g. 1.5, 2.5, 2.9, 3.0, 3.1, etc. and subversions, e.g. 1.5.27, 2.5.9, 2.9.1, 2.9.2, 3.0.1, 3.1.1, etc. Subversions contain source code and security fixes that were omitted in the main version.
It is strongly advisable to update the CMS as soon as a new subversion is released. When a new main version is released, however, we recommend that you do NOT update immediately, but wait for the subversion.
This is the most effective protection against malicious attempts against your website.
It is also of great importance to update the installed plugins.
Always keep the additional applications you use along with your CMS up to date.
6. Regular backup
We recommend that you keep several backups! Please back up the files and database of your website on a regular basis. You may use plugins to back up your database directly in the administration panel. You may also back up through the cPanel of your hosting account.
It will be great to adopt it as a habit just like your coffee in the morning!
Before making any changes to your website you should always protect yourself by generating a backup. It is also strongly advisable to generate backups and store them locally on your computer once or several times a week, depending on the website and its content.
Of course, we are taking care of the system backups, but their aim is to back up your backup! 🙂
7. Plugins for additional protection
There are a lot of plugins for additional protection, depending on the CMS. There are applications that change the admin URL address, add-ons that limit the number of unsuccessful access attempts, after which access to the website administration panel is blocked, etc.
When using such extensions, keep in mind that there may be a conflict with a specific plugin, module, component or theme on your website. Before installing and enabling an extension, it is strongly advisable to back up your website!
8. Most common reasons for security breaches on websites
9. WordPress and Joomla
Based on your inquiries and case studies we created 2 articles containing specific tips on how to improve the security of WordPress and Joomla websites, which are available on our help page:
- Improving WordPress security
- Improving Joomla security
10. From 1 to 9… and back!
The aim here is to go back and start from the 1st item on your own by making the necessary changes to your website and hosting account! 🙂
We wish you luck! Your website security is mainly in your hands and we are here to help and give you the best guidance! 🙂