How secure do you think your website is? Chances are it can use more security. If you take your website seriously, here are some tips which will help you make it more secure than it already is.
Use Better Passwords!
Almost everyone knows that they should use complex passwords for their websites or hosting control panels, but most never do. Not only is it important that you use complex passwords yourself, it is also important to insist that your users do so if you run a website that offers subscriptions or user signups.
A combination of upper- and lower-case letters, numbers and special characters in passwords is essential. Equally important is the length of the password. A good password should contain upper- and lower-case letters, numbers and special characters, and be at least 9 – 12 characters long. As much as you or your users might dislike them, such passwords are crucial for your website’s security. A good example would be: “Ps^rfx7GL9%F”.
If your application or website stores passwords, make sure they are never stored in clear text. They should always be encrypted. If they are encrypted, the only way to steal a password is by continually guessing it, in other words a “Brute Force” or dictionary attack. It is also good practice to make sure that your website or application locks an account for a set number of minutes after a number of consecutive unsuccessful attempts. This helps thwart Brute Force attacks.
Thankfully, many content management systems already have this feature built in, although some configuration or extra modules might be required. You can, for instance, download and install Brute Protect for use with WordPress.
Much like passwords, usernames should never be generic or ‘guessable’. Many applications offer default usernames based on certain criteria. The username ‘admin’ is a very popular username for administrative access on many content management systems and custom applications. Needless to say, it is also the very first username a malicious user would attempt to guess the password for. Generic usernames should therefore be avoided where possible. For CMSs such as Joomla, WordPress and Drupal, I always suggest that people use hard-to-guess usernames, particularly for administrative access. Much like passwords, it is always a good idea to make your usernames non-dictionary words with at least one numeric character included.
Login Error Messages
Error messages shown after a failed login attempt can also be insecure. A vague error message telling the user only that the information entered was incorrect is much preferable to one that tells them exactly which part of the login information was incorrect. For example, I would prefer an error message that reads “Could not log you in. The information entered was incorrect.” over one that reads “The Username entered was not found.” or “The Password entered was incorrect.”.
The reasoning behind this is very simple. If an attacker knows exactly which part of the login information was incorrect, it makes their job that much easier. If an attacker knows that the username entered does not exist, this tells them that they might have better luck trying passwords for a different username. If they were told that the password was incorrect, they know that at least one part of the information they provided – the username – was correct and they can then keep trying different passwords for that username.
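As an added example (not code from the original post), the following Python login check combines the two points made above: every failure, whether the username is unknown, the password is wrong or the account is currently locked, returns the same generic message, and an account locks for a set number of minutes after a fixed number of consecutive failures. The class and constant names are my own, and passwords are stored as salted PBKDF2 hashes rather than in clear text.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5             # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60    # "a set number of minutes"
GENERIC_ERROR = "Could not log you in. The information entered was incorrect."


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 so the stored value is never the clear-text password."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, salt, digest):
        self.salt, self.digest = salt, digest
        self.failures = 0          # consecutive failed attempts so far
        self.locked_until = 0.0    # epoch seconds; 0 means not locked


class LoginService:
    def __init__(self):
        self.accounts = {}
        # Dummy record used for unknown usernames so that the hash is still
        # computed and response time does not reveal which usernames exist.
        self._dummy = Account(*hash_password("placeholder-not-a-real-password"))

    def register(self, username, password):
        self.accounts[username] = Account(*hash_password(password))

    def login(self, username, password, now=None):
        """Return (success, message). Every failure path yields the same message."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        target = acct if acct is not None else self._dummy
        if now < target.locked_until:
            return False, GENERIC_ERROR        # locked: do not confirm the account exists
        _, digest = hash_password(password, target.salt)
        if acct is not None and hmac.compare_digest(digest, acct.digest):
            acct.failures = 0                  # success resets the counter
            return True, "Welcome."
        if acct is not None:
            acct.failures += 1
            if acct.failures >= MAX_ATTEMPTS:
                acct.failures = 0
                acct.locked_until = now + LOCKOUT_SECONDS
        # Per-account lockout alone lets someone lock out a legitimate user; pair it with per-IP throttling.
        return False, GENERIC_ERROR
```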
Update your Web Applications Regularly
One of the simplest ways to secure your website is to keep any applications you use on your website, or any software that you use to build or update your website, up to date. If, for instance, you use a CMS on your website, keeping it up to date with the latest release will make your website just secure enough for attackers to lose interest and try some other website where the owner has not been as vigilant about security. It is also a good idea to keep your Windows (if that is what you use), FTP and web development software up to date. Doing this helps you avoid any security flaws that might have been discovered in older versions.
Hackers/attackers sometimes distribute seemingly harmless software coupled with key-loggers, worms or other malicious software to aid them in gaining control of your computers, websites or any other service you might use through your computer. A good antivirus is, therefore, crucial to website security. A good antivirus would ensure that there are no key-loggers running on your computer and no malicious code gets appended to the files you upload to your website.
A good webhost would usually have checks in place to make sure that you cannot use insecure file permissions on your files. In particular, no file in a publicly accessible folder (www or public_html) should ever be world-writable. While some applications recommend that you make certain files world-writable (0777), with a webhost that takes security seriously you should be able to get the same results with 0775 without the potential security risk. Such webhosts return a 500 server error if a file with world-writable (0777) permissions is executed or accessed.
That said, you should still always check your own file permissions, and if changing a file’s permissions to 0777 is unavoidable, make sure it is not a file that, if modified, would cause a security breach. If unsure, always ask your webhost; they would usually be very happy to guide you.
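As an added example, not part of the original post, this Python script audits a web root for world-writable files and directories and clears the ‘other’ write bit on each one, turning 0777 into 0775 as discussed above. The sample public_html tree it builds is constructed in a temporary directory purely for illustration; the function names are my own.

```python
import os
import stat
import tempfile


def world_writable(root):
    """Return paths under root (relative, sorted) whose mode grants write to 'other'."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue                 # a symlink's own mode bits are irrelevant
            if mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def remove_other_write(root):
    """Clear the 'other' write bit (chmod o-w) on every offender: 0777 becomes 0775."""
    fixed = []
    for rel in world_writable(root):
        before = mode_of(root, rel)
        os.chmod(os.path.join(root, rel), before & ~stat.S_IWOTH)
        fixed.append((rel, oct(before), oct(mode_of(root, rel))))
    return fixed


def mode_of(root, rel):
    """Permission bits of a path as an int, e.g. 0o775."""
    return stat.S_IMODE(os.lstat(os.path.join(root, rel)).st_mode)


def build_sample_webroot():
    """Constructed stand-in for a public_html folder (not a real site)."""
    root = tempfile.mkdtemp(prefix="public_html_")
    os.mkdir(os.path.join(root, "uploads"))
    files = {"index.php": 0o644, "config.php": 0o777, "uploads/cache.dat": 0o666}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o777)   # the kind of 0777 some apps ask for
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    print("world-writable:", world_writable(sample))
    for rel, before, after in remove_other_write(sample):
        print(f"chmod o-w {rel}: {before} -> {after}")
```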
Hosts that use Mod_Security and suPHP
Mod_Security is an Apache module that helps protect your website from various attacks. It is most commonly used by web hosts to block commonly used exploits and strengthen the security of a web server.
suPHP is a tool used to execute PHP scripts with the permissions of the file owner. Since most PHP scripts run as the user “Nobody”, control of a file is determined directly by the permissions assigned to it. Because “Nobody” is neither the file’s user nor a member of its group, you would have to open the file permissions to 0777 (read, write and execute for everyone). Depending on what the file does and how it is written, this can potentially give anyone able to modify the file access to your entire site. This is not an ideal method and could pose a serious security risk. suPHP stops PHP from running as “Nobody” and makes it so that the files can be written only by their owner.
Ask – if unsure – whether or not your webhost uses Mod_Security and suPHP. This information should be readily available and should factor in your decision when choosing a web host.
If possible, opt for VPS over Shared Web Hosting
If you run a mission-critical website and security is a major concern – as it rightfully should be – opt for a Virtual Private Server. A VPS is inherently more secure than any shared hosting solution because it isolates your websites from others on the same server. This means that your website is not at risk if another website on the same server is compromised.
Backup, Backup and Backup!
While most web hosting companies will tell you that they take regular backups of your websites, if you read their Terms of Service carefully, you will notice that you agreed that taking regular backups of your website is YOUR responsibility! It is therefore very important to take regular backups of your website, or at the very least a backup as soon as you make any significant changes to it. Doing this will ensure that you are ready to get back online as soon as there is a problem and don’t have to wait for your webhost to restore backups.
While most webhosts are quite good about backups, it is important that you keep regular backups of your website as well.
These are just some of the basic security measures one should keep in mind. Don’t be afraid to ask your webhost any security-related questions that come to mind, especially if you are in the market for a new one.
If you have a security tip that I left out, please feel free to post in the comments below.