How to improve your website security in 10 steps
Today, our hosting company SuperHosting.BG launches a campaign under the code name Security! 🙂 By adding blog posts and specific guidelines on our help page we would like to achieve the best possible results together! This campaign focuses mainly on you and your websites. We rely on your questions and comments to "paint" together the whole picture of websites that are protected from external unauthorized access. Usually, we post tips under the "Support Tips", category in the end of each article. Today, we will break the pattern by mentioning the recommendation of our Tech team in the beginning: Prevention is the best protection! 🙂
Below you will find 10 important steps that we would like to take together:
- Protecting the admin panel with additional username and password
- Changing the "admin" username
- "Bad" aspect of "good" passwordsи
- Subscribing for news from CMS developers
- Regular backup
- Plugins for additional protection
- Most common reasons for security breaches on websites
- WordPress and Joomla!
- From 1 to 9… and back!
In the following section will look into the basic and most common methods for protection and security improvement of your website. It is not necessary to be a webmaster to cope with them... but if you implement them, you will surely get closer to a security master! 🙂
Speaking of your successful online presence, let us begin with the fact that Content Management Systems (CMS) are now the most popular and convenient way to get a website. You may build your website by yourself using the most user-friendly and free open-source systems – WordPress, Joomla!, Drupal, OS Commerce, e107, phpBB, etc. A web studio may also develop your website on their custom CMS. However, in this case they will take care of the security. This article aims at paying more attention to the open-source CMS, which security is mostly your concern…
Your website admin panel security can be accomplished in two ways, but they are used only if the new user registration option is disabled (as new users will not be able to access their accounts).
First option: Restricting access to the admin panel for specific IP addresses
If you would like your admin panel to be accessed from your IP address only, you will have to place the following lines in the .htaccess file, located in the directory where login script is found:
Allow from xxx.xxx.xxx.xxx
Note: You have to replace xxx.xxx.xxx.xxx with your IP address.
If you want to access the admin panel from another IP address, you should add one more line:
Second option: Protecting the admin panel with additional username and password
In this case you may use -> "Password Protect Directories“ option in cPanel.
By default, usernames having admin rights of most open-source CMS are called admin, admi1, administrator, etc. They also have identical IDs in databases…
Here it will be useful and helpful to change in the database the username name and/or the ID! It's easy, isn't it!? 🙂
The issue concerning the passwords we use not only for our website, but also for our email, bank account, Facebook, Twitter, Google, etc., has gathered head!
Does it sound familiar to you? “I will use 123456 so that I do not forget the password… it is so easy, no one will ever guess that I use it…”
But you are perfectly wrong! Worldwide statistics on people using such "difficult" passwords is mind-blowing… - there are millions, billions of them. This strongly facilitates the job of malware or persons who, being willing to access your private data, use in their first attempts
0000 и т.н...
On behalf of the whole team we advise and recommend you to pay attention to passwords!
It is a good idea to change the default password, that has been set by the system during initial CMS installation and to choose a secure, strong and more complex password.
You have to change the password for the admin panel on a regular basis. You should use strong passwords, consisting of uppercase and lowercase letters, numbers, and special characters.
Sometimes when people want to test a feature, they set easy passwords. Later on, if they forget to delete it, third parties may guess their data, which means that unauthorized persons twill be able to manage the information.
Never set easy passwords even when you are in a hurry or would like to only create a test account!
When an update/new version or a security patch is released, these news are published on the official website of the CMS.
System versions consist of main versions, e.g. 1.5, 2.5, 2.9, 3.0, 3.1, etc. and subversions, e.g. 1.5.27, 2.5.9, 2.9.1, 2.9.2, 3.0.1, 3.1.1, etc. Subversions contain source code and security fixes, which have been omitted in the main version.
It is strongly advisable to update the CMS as soon as a new subversion is released. We also recommend you when a new main version is released NOT to update immediately, but to wait for the subversion.
This is the most effective protection against malicious attempts to your website.
Of great importance is to also update the installed plugins.
We recommend you to use several backups!!! Please backup files and database of your website on regular basis. You may also use plugins to backup your your database directly in the administration panel. You may also backup in the standard way through the cPanel of your hosting account.
It will be great to adopt it as a habit just like your coffee in the morning!
Before making any changes to your website you should always ensure yourself by generating a backup. It is also strongly advisable to generate backups and store them locally on your computer once or several times a week, depending on website and content.
Of course, we are taking care of the system backups, but their aim is to backup your backup! 🙂
There are a lot of plugins for additional protection, depending on the CMS. There are applications admin URL address change, add-on for a number of unsuccessful access attempts, after which the access to the website administration panel, etc. is blocked.
Here we pay attention to the fact that when using such extensions you should keep in mind that there may be a conflict with a specific plugin, module, component or theme on your website. Before installing and enabling an extension, it is strongly advisable to backup your website!
Based on your inquiries and case studies we created 2 articles containing specific tips on how to improve the security of WordPress and Joomla! websites, which are available on our help pagе:
- Improving WordPress security
- Improving Joomla security
The aim here is to go back and start from the 1st item on your own by making the necessary changes to your website and hosting account си! 🙂