We’ve all heard the stories about websites being attacked, hacked, breached and otherwise messed up.
Having cleaned up and rebuilt my share of hacked sites, I’ve seen the most common security mistakes time and time again.
Here are my top 5 tips for keeping your site – and your customer data – safe and secure.
1. Keep up to date
This one applies to pretty much all software on the internet, but none more so than WordPress and its plugins.
When a security vulnerability is identified in a piece of software, the developers will usually release a fix in the form of a security update.
As a website owner, you want any relevant security updates applied to your site as soon as possible, to limit your exposure to the vulnerability.
A regular maintenance plan is a good idea, because it’s easy to let things like updating software slip behind other priorities.
2. Hide behind someone bigger and tougher
One of the easiest things you can do with most websites is use a service like Cloudflare.
It stands between your website and the rest of the internet like a big, usually-invisible bouncer, automatically questioning suspicious characters or blocking them altogether.
You can also give it your own instructions, including geo-based rules to determine which countries can visit your site freely, who should be challenged with a captcha, and who is not on the guest list at all.
Anecdotally, I’ve seen geo blocks on the usual suspects reduce the automated attacks on a site by more than 80%.
It’s unfortunate for the innocent web users in those countries who will also be blocked, but if your business or organisation has a local focus, there’s no real downside to blocking completely irrelevant traffic.
3. Harden your site
‘Hardening’ is quite a broad term, but it really just means avoiding making things easy for would-be attackers.
- Restrict admin access, e.g. by IP address or using 2-factor authentication
- Don’t use obvious names like ‘admin’ for your admin accounts. Do use long, strong passwords. Even with all the great password managers available today, I still see a dismaying number of passwords along the lines of Billy08 when I’m given login credentials by clients.
- Limit login attempts
- Disable plugins and services you don’t use, like XMLRPC (legit users of that feature must be a fraction of 1%)
- Hide login pages or change their URLs. Yes, this is ‘security by obscurity’, but it’s surprisingly effective and not a bad thing to do as long as it’s not your only line of defence.
4. Maintain good records and processes
This largely comes down to maintaining good practice with your user accounts.
- Don’t share login credentials in a team if you can avoid it, use individual accounts.
- Have a process for provisioning and deprovisioning accounts for new and departing staff members. When someone leaves, all their accounts should be closed or blocked (another reason not to use shared accounts).
- Keep an audit trail to record actions taken on the website. Recently we had an incident where an unknown party logged in to a client’s site with one of their administrator accounts using a stolen password. The audit trail showed who logged in just before the time of the incident, and the attacker’s attempts to take over the site by removing security software (fortunately they were incompetent enough to break the site in the process, shutting themselves out before they could do much damage!).
5. Active monitoring
We discussed some passive techniques for hardening your website above, but sometimes it’s good to wield the ban hammer a little more actively.
Software like fail2ban can scan your server logs, looking at the requests coming in and matching patterns which you can define.
This lets you create rules to trigger an immediate IP ban, either after a certain number of attempts to do something, or even a single attempt to do something which no legit user should.
You can do something similar using Cloudflare’s page rules too.
For example, I have a site where any of the following events will result in an instant ban for the offending IP address:
- Trying to log in with the username “admin” or “administrator”
- Requesting any URL with “adminer.php” or “/phpmyadmin/” (two popular database management tools which are often left unmaintained or poorly-secured on servers)
- Requesting any PHP file within /wp-content/uploads/ (there ought not to be any)
- Requesting any file with the extension .aspx (there ought not to be any)
As the old saying goes, “28g of prevention is worth 453g of cure“, or something like that.
A few simple one-off measures can make a big difference to your website’s security, but doing it properly means keeping up good practices over time too.
If you’d like any help or advice when it comes to securing and maintaining your site, please get in touch.