Protecting Your Website(s)
A big aspect of web security is securing your own websites. This is especially important to people who work online (like online marketers), but it is also important for the hobbyist. Basically, anyone who has a website should take some basic precautions to ensure security. This section will share some tips on how best to do that.
Password Creation & Management
Password creation and management is one of the first things you should consider when thinking about web security. Everything you do on the internet, including accessing it in most cases, will require a password. This is the very base of your pyramid of web security.
Knowing how to properly create and manage strong passwords is the perfect place to start the security discussion. Just putting this chapter’s tips into practice gives you a head start on the vast majority of web users out there.
The following steps will ensure you create great passwords:
1. Avoid The Obvious – The first thing you have to do is avoid the obvious. Do not use anything like your name, birthdate or even any of your interests. Remember, not all hacks come from some mysterious stranger overseas. A lot of problems can arise, right in your own house – from friends, roommates, parents or children. Don’t choose something that someone could guess!
You will also want to avoid the common passwords that every noob uses. That might be a bit harsh but if you use something off of the top ten most used passwords list (shown below – courtesy of Huffington Post) then you are a noob!
rockyou (the name of the site these passwords were hacked from)
So as you can see – avoid the numbers in order, avoid the name of the website you are using and the actual term password. Not shown, but equally bad – using “admin”, copying your username or leaving it blank!
2. In Fact Don’t Even Use a Word – No matter how clever you think you are, don’t even choose a word – English or foreign. Any word that can be found in a dictionary can be cracked using a brute force attack. If you insist on using a word then make sure you connect more than one word with numbers and symbols (more on that below). If you choose a single word that is in the dictionary (in any language) you are wide open for a hack.
3. Sorry, Size Matters – I know it is easier to remember 5 characters than 9, but guess what? Size counts! If you choose a random string of 6 lowercase letters (or worse, a 6-letter word) it would take 10 minutes for a hacker to figure that password out with a brute force attack. Ten minutes to test every possible combination of letters. To avoid this, or at least severely lengthen the time it takes, make sure your password is longer than 6 characters. I would say try to aim for 9 or more characters. It might seem like a lot to remember, but a phone number with area code is ten digits, and we all have many of those memorized. If you have a password 9 characters in length, it will take the same program about 4 months! And that is before we add variety…
4. Mix Up Characters – To maximize your password’s security you need to mix up your characters. This means you need to add symbols (%@#), numbers and mix up the case of your letters (capitals and lower case). The best passwords will have all different types of characters. Remember the time it would take to crack passwords mentioned above? Well if you have a password that is 9 characters in length, has upper and lowercase letters, plus symbols and numbers – it would take 44 530 years to hack that password!
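The four rules above written out as a small checker, added here as an example and not code from this guide. The dictionary, the personal terms and the attacker speed of 500,000 guesses per second are constructed assumptions; the rate is picked so that the chapter’s “6 lowercase letters in about 10 minutes” figure holds, which then puts 9 lowercase letters at about 4 months and 9 mixed characters in the tens of thousands of years, the same ballpark as the numbers above.

```python
import re
import string

# Rules from the four points above, with constructed stand-ins for a real
# dictionary and for the user's own personal details (name, birth year, pet).
MIN_LENGTH = 9
DICTIONARY = {"password", "dragon", "monkey", "letmein", "welcome", "sunshine"}
PERSONAL_TERMS = {"alice", "smith", "1985", "rover"}
# Assumed attacker speed, chosen so "6 lowercase letters in about 10 minutes" holds.
GUESSES_PER_SECOND = 500_000
SYMBOLS = set(string.punctuation)   # the 32 printable ASCII symbols


def char_classes(pw: str) -> dict:
    """Which of the four character classes the password uses."""
    return {"lower": any(c.islower() for c in pw), "upper": any(c.isupper() for c in pw),
            "digit": any(c.isdigit() for c in pw), "symbol": any(c in SYMBOLS for c in pw)}


def alphabet_size(pw: str) -> int:
    """Size of the search space per position, given the classes actually present."""
    cls = char_classes(pw)
    return 26 * cls["lower"] + 26 * cls["upper"] + 10 * cls["digit"] + 32 * cls["symbol"]


def brute_force_seconds(length: int, alphabet: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: every combination of `length` characters from `alphabet` is tried."""
    return alphabet ** length / rate


def check_password(pw: str, personal=PERSONAL_TERMS, dictionary=DICTIONARY) -> list:
    """Return the rules the password breaks; an empty list means it passes all four."""
    problems, low = [], pw.lower()
    if any(term in low for term in personal):                     # 1. avoid the obvious
        problems.append("contains a personal term someone close to you could guess")
    if re.sub(r"[^a-z]", "", low) in dictionary:                  # 2. not just a word
        problems.append("is a dictionary word, with or without decoration")
    if len(pw) < MIN_LENGTH:                                      # 3. size matters
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not all(char_classes(pw).values()):                        # 4. mix up characters
        problems.append("missing one of: lowercase, uppercase, digit, symbol")
    return problems


def crack_time_text(pw: str) -> str:
    """Human-readable worst-case time, in the same units the chapter uses."""
    secs = brute_force_seconds(len(pw), alphabet_size(pw))
    if secs < 3600:
        return f"{secs / 60:.0f} minutes"
    if secs < 365.25 * 86400:
        return f"{secs / (30.44 * 86400):.1f} months"
    return f"{secs / (365.25 * 86400):,.0f} years"
```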
If you keep those 4 very simple points in mind, then you will create great passwords that are virtually “unhackable”. Creating passwords and managing them, though, are two different things. Following this blurb are some points you need to consider about HOW to use these great passwords.
1. Have More Than One – This is probably the single most important password management tip. Don’t use the same password everywhere on the web. If you do, you highly increase the chance of having it compromised. If someone is able to glean your password on one site they may be able to put 2 and 2 together, and access other accounts you own. Some of these accounts could be really important. Memorizing a new password every site is hard (impossible?), but you should have at least 3 strong passwords that you use for different things. You can break down your passwords into 3 categories:
A Level – These are passwords that are super important, and direct access to them could directly lead to financial trouble. (i.e. Online Banking or Paypal)
B Level – These passwords are also important, and while getting hacked could cause trouble, the hacker won’t be able to clear a bank account, or run up credit. (i.e. eMail, Twitter or Facebook)
C Level – These passwords are for random free accounts online. (i.e. Message Board, Blog Comments or Fantasy Sports)
If you are going to use just a few different passwords online, try not to mix them up between categories. You can also make your own categories if you want. For example, for those people who work online, an FTP or Hosting password could very well be A-Level. Use your own common sense when deciding which category a password would fit in.
2. Change Password if Compromised – If you ever have your password compromised – then you need to change it ASAP. This seems like it isn’t worth stating, but I have seen it far too much. Not only do you have to change the compromised password, you also have to change all of the other accounts tied to that password. That might seem like overkill, but it is the most basic step to take if you have a password hacked. You should not avoid this, no matter how annoying it may be to change all of those passwords. This is yet another reason to make sure you don’t just use one password!
3. Don’t Be Afraid to Use Software – For people who have a whole bunch of passwords, you can consider using software for password management. This is especially helpful for people who work online: we sign up for so many accounts that remembering passwords can be tricky! There is paid software that can help you out. Roboform is the first that pops into my mind. I have never used it but it seems popular. The reason I have never used it is because I found KeePass, a free password management tool that works on any operating system.
KeePass will keep all of your passwords for all of your sites. You have to manually enter the info but once it is in there, it is kept in its own encrypted file. Another great feature is that KeePass will create passwords for you. Of course, it lets you choose the number of characters you want, and will include numbers and symbols as well.
If you follow these three tips, your passwords will be managed about as well as they can be. Remember, even if you haven’t been compromised, you should still consider changing your password every 6 months or so. This might seem like a hassle, but it will help ensure your online safety.
How to Properly Back Up Your Website
Before we even discuss how to secure your website we have to talk about backing it up.
While this may not seem like a “security” step, it is probably the single most important step you can take to ensure your website is safe. Your website will always be somewhat susceptible to a “worst case scenario”. Having a recent backup is the only way to 100% ensure you can restore your website.
Whatever you work on, it is standard practice to create a backup file. This is beneficial in case the unexpected happens. Even though creating a backup means additional work for you, you will be truly grateful if you ever have the need to use it.
Backing Up Your Website:
Check With Your Host: The first thing you should do is figure out how your host handles website backups. Check and find out how often they do automatic backups. You can find this info on their website, you can call them or you can use the live chat support many web hosts have.
Some premium hosting packages may handle backups for you. You can still backup yourself to be doubly sure though.
Copy Your Files: A simple step you can take is to back up all of your website files. The easiest way to do this is to access your site via FTP and then download the entire public_html folder of your website.
You can download it to your computer and save it there. You can also upload it to some cloud storage (like Dropbox) for another layer of protection, and even store it on DVD or an external hard drive for a third layer of ultimate protection.
Copy Database: If you use a database for anything you will want to download and save that as well. The good news is that this file is usually pretty small and it is a quick download. If you are wondering whether you have a database or not, remember that any CMS type of web platform (like WordPress) will use a database.
With most hosting packages (not all) you will have some kind of control panel to manage your sites. The most commonly used is cPanel. In cPanel there will be a backup application that will allow you to back up your website database with a click or two.
If you don’t have a control panel, contact your web host and ask them about backing up MySQL databases.
Export: This step is for people who use CMS/Blogging platforms for their websites. Since WordPress (and similar) programs are so popular, it is worth a mention. This exporting step is also helpful for those people who host their site on a free host like WordPress.com or Blogger.
When you are logged into the back office of one of these platforms, you can usually find an export function. For WordPress this is under Tools. Use the export function to create a copy of all of your posts, pages, categories and comments. Save this file in whatever way you want. In most cases you will get an .XML file.
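The Copy Your Files, Copy Database and keep-a-second-copy steps above as one script, added here as an example and not part of the guide. The public_html layout it builds, the backup folder names and the MySQL option file are constructed assumptions; mysqldump is only run if you call dump_database yourself, and the archive is checked for completeness before the second copy is trusted.

```python
import filecmp
import shutil
import subprocess
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path

def archive_files(site_dir: Path, dest_dir: Path) -> Path:
    """'Copy Your Files': pack the whole public_html tree into one dated .tar.gz."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    out = dest_dir / f"{site_dir.name}-{datetime.now():%Y%m%d-%H%M%S}.tar.gz"
    with tarfile.open(out, "w:gz") as tar:
        tar.add(str(site_dir), arcname=site_dir.name)
    return out

def dump_database(db_name: str, dest_dir: Path, option_file: Path) -> Path:
    """'Copy Database': run mysqldump (not executed in the demo below). The login
    lives in a MySQL option file ([client] user=... password=...) so it never
    appears on the command line or in the process list."""
    out = dest_dir / f"{db_name}-{datetime.now():%Y%m%d-%H%M%S}.sql"
    cmd = ["mysqldump", f"--defaults-file={option_file}", "--single-transaction", db_name]
    with open(out, "wb") as fh:
        subprocess.run(cmd, stdout=fh, check=True)   # raises if the dump fails
    return out

def verify_archive(archive: Path, site_dir: Path) -> bool:
    """Check that every file under site_dir is inside the archive before trusting it."""
    with tarfile.open(archive, "r:gz") as tar:
        names = set(tar.getnames())
    return all((Path(site_dir.name) / p.relative_to(site_dir)).as_posix() in names
               for p in site_dir.rglob("*") if p.is_file())

def copy_offsite(backup: Path, second_location: Path) -> Path:
    """'Where to save': keep a second copy (a synced Dropbox folder, an external
    drive) and compare the bytes so a truncated copy is caught now, not at restore."""
    second_location.mkdir(parents=True, exist_ok=True)
    copy = second_location / backup.name
    shutil.copy2(backup, copy)
    if not filecmp.cmp(backup, copy, shallow=False):
        raise IOError(f"offsite copy of {backup.name} does not match the original")
    return copy

def run_demo() -> dict:
    """Build a small constructed public_html in a temp dir and run the file steps."""
    root = Path(tempfile.mkdtemp())
    site = root / "public_html"
    (site / "images").mkdir(parents=True)
    (site / "index.html").write_text("<h1>constructed sample site</h1>")
    (site / "images" / "logo.png").write_bytes(b"\x89PNG sample bytes")
    archive = archive_files(site, root / "backups")
    offsite = copy_offsite(archive, root / "dropbox")
    result = {"complete": verify_archive(archive, site),
              "offsite_matches": filecmp.cmp(archive, offsite, shallow=False)}
    shutil.rmtree(root)
    return result
```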
The above steps will ensure that you have properly backed up your website, and you will be able to restore it if anything bad happens. There are only two other things to consider: Where to Save & How Often
As for where to save – we have mentioned it above. You will want to save your site, database, etc… to your computer for sure. You will also want to make sure you save it at least one more place. The popular choice these days is some sort of cloud storage. This will mean your website backup is secure, and it will be available no matter where you are.
When it comes to how often, that is really up to you and how often you update your website. If you have a fairly static website that doesn’t change often, then you probably don’t have to back up too often. I would definitely backup after every major change to the site though.
If you have a site that is updated regularly – like a blog for example – then you should be backing up regularly and often too. Just think about it like this: “How much would I lose if my website went down today?”. If you are going to lose enough content to worry you, then it is time to back up.
The good news is there are many third party programs and applications out there that can help you with backups. In fact some of these backup solutions will allow you to set them up and they will run automatically. There is a world of choices out there but here are just a few:
WP -> Dropbox Plugin: This simple WordPress plugin will backup your WordPress installation to DropBox at a specified frequency.
BackupMachine: Backup machine offers free backups, as well as a premium service that will back up your website and database daily.
DropMySite: This is a very simple, bare bones program that will automatically backup your site, email and databases into cloud storage.
Basic Guide to Website Security Best Practices
This chapter will give you a brief introduction to website security. For most people this will be enough info to keep your site secure from common attacks.
Every online user wants to feel secure while browsing the web. Whether you own a website or you are just a visitor, you should definitely demand safety. As a business owner, you want to make your customers feel safe when visiting your site.
Nothing can kill your online credibility quicker than someone coming to your site and getting infected with malware, or seeing your site is hacked. If you want to take the basic steps that every webmaster should then follow the steps below:
1. Backup – See previous section.
2. Assess Third Party Vulnerabilities – If you are using any third party website platforms (WordPress, Joomla, etc…), plugins, themes or other software, then make sure you assess their vulnerabilities. Any of these programs can be a weakness through which hackers can attack. To limit your vulnerabilities make sure you have the latest stable version of any software or scripts you use on your website.
3. Choose Good Login Names – We talked about passwords in an earlier chapter, but one thing people do online that is super frustrating is ignore their login name. The login name is another area where you can throw in some variety to stifle potential hackers. Whether it is a login name for your FTP, your database or a WordPress installation, make sure you don’t just stick with the default; something like “admin” is a bad choice. Don’t just hand a hacker your login name by using one of those defaults. Make them figure out your password AND login name if they want to hack you.
4. Choose Good Passwords – The first chapter here explains all you need to know about passwords. The same rules for protecting your home computer, apply here.
5. Encrypt Your Database – Make sure you use some sort of encryption for any passwords that are in a database. If you use WordPress it encrypts passwords in your database automatically. The downside is, if you forget your password and look for it in the database you will only see an encrypted mess. The good news is, so will anyone trying to find your password.
6. Turn Off Directory Listings – By default the directories on your site that don’t have an index.htm in them, like say an image directory, will display a list of all files in that folder if someone stumbles across it. You might not want people seeing a list of your directory contents. To avoid this, simply throw a blank index.htm into the directory.
7. Access Your Site From a Secure Computer – We talked about securing your computer in the first section of this guide. Make sure you access the back end of your website from a computer that is properly secured. You also want to make sure you only access your website over secure connections. Don’t FTP into your website at the local Starbucks.
8. Apache: Mod_Security – This is a step for the tech savvy. First thing to consider is that some hosts won’t support this, so check if yours does. If they do, ask them about setting up the Apache mod_security module. This will block “bad” requests. I mention it is for the tech savvy because there is some tweaking required to make sure you allow all the “good” requests – like updating your blog. Your hosting support will help you with all of this.
Above are just some of the guidelines on how to secure your website, and it certainly isn’t an all-encompassing list. These are just the bare minimums that anyone can usually do, no matter your level of tech knowledge or what type of hosting you have.
You can never reach 100% security, but this list will help you avoid the most common and simplest of hacks. The most important step of course is – back up your website! If the worst case scenario hits, you will be happy you did!
Securing Your WordPress Site With Plugins
WordPress is one of the most popular website platforms available today. What once was only powering blogs, is now one of the most flexible website platforms period. In fact it is estimated that 22% of new websites are built with WordPress. If you work online, you almost assuredly have used WordPress in some fashion.
One of the things about WordPress is that it is Open Source software, so anyone can get and view all of the code. The bad news – hackers can scour the code for vulnerabilities. The good news – hundreds of really smart people are scouring the same code to find and fix those vulnerabilities first. More good news is that people create plugins that help you secure your WordPress website more thoroughly.
This chapter will look at some of the plugins you can use, to give your WordPress website an extra layer of protection:
WP Security Scan – This plugin will scan your system and find potential vulnerabilities. It will then suggest fixes. It scans things like passwords, file permissions and database security.
AdminSSL – This plugin will force any of your pages that require an email to be secure (https://) pages. Remember though, you need to have a private SSL certificate already installed on your website for this plugin to work.
TAC – Theme Authenticity Checker – This plugin will monitor any installed themes you have for malicious code. One thing that hackers and black-hat marketers do is offer free WordPress themes that include malicious code. This plugin will help you avoid that.
Login Lockdown – This plugin will monitor the IP addresses of anyone trying to log in to your site; if it records a certain amount of failed attempts in a certain time frame, it will lock that IP address down. This helps avoid automated brute force attacks.
Hide Login – Hide Login will allow you to move your login page to a URL that is easier to remember and/or cryptic enough that someone can’t guess it. This alone won’t secure your blog completely, but if someone does manage to hack your password, they may be stymied by not being able to find your login page.
BulletProof Security – From the WordPress Plugin Description: The BulletProof Security WordPress Security plugin is designed to be a fast, simple and one click security plugin to add .htaccess website security protection for your WordPress website. The BulletProof Security WordPress plugin is a one click security solution that creates, copies, renames, moves or writes to the provided BulletProof Security .htaccess master files. BulletProof Security protects both your Root website folder and wp-admin folder with .htaccess website security protection, as well as providing additional website security protection.
Akismet – The classic WordPress comment plugin. It comes with WordPress installations for a reason – it works and it is important. Activating this simple plugin will dramatically reduce the crappy SPAM comments you receive. Well it won’t reduce them, but it will handle them so you don’t have to.
Antivirus – This plugin will monitor your WordPress site for malware, exploits and spam injection. It runs daily.
BackupCreator (PAID) – This premium (paid) plugin is the perfect backup solution for your WordPress blog. It will allow you to easily backup and restore your entire WordPress installation.
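The Login Lockdown behaviour described above (count failed logins per source IP inside a time window, lock the IP once a threshold is reached, let the lock expire later) written out as an added example; this is not the plugin’s code, and the thresholds and the event list are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed policy: lock an IP after 5 failures inside 5 minutes, for 1 hour.
MAX_FAILURES, WINDOW_SECONDS, LOCKOUT_SECONDS = 5, 300, 3600


class LoginLockdown:
    """Sliding-window lockout keyed by source IP. Timestamps are passed in
    explicitly so the logic can be replayed from a log without a live clock."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time at which the lock expires

    def is_locked(self, ip: str, now: float) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # lock expired: forget the old failures too
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Record a failed login; return True if this one triggered a lock."""
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip: str) -> None:
        """A correct login clears the failure count (an active lock still stands)."""
        self.failures.pop(ip, None)


def replay(lock: LoginLockdown, events):
    """Feed (timestamp, ip, succeeded) events, e.g. parsed from the login log, and
    return the IPs that got locked and how many attempts were refused while locked."""
    locked, refused = [], 0
    for ts, ip, ok in events:
        if lock.is_locked(ip, ts):
            refused += 1
        elif ok:
            lock.record_success(ip)
        elif lock.record_failure(ip, ts):
            locked.append(ip)
    return locked, refused


# Constructed sample: one automated guesser, one slow legitimate user (grouped by IP).
SAMPLE_EVENTS = [
    (0, "203.0.113.5", False), (10, "203.0.113.5", False), (20, "203.0.113.5", False),
    (30, "203.0.113.5", False), (40, "203.0.113.5", False),    # 5th failure: locked
    (50, "203.0.113.5", False),                                 # refused while locked
    (3700, "203.0.113.5", False),                               # lock expired, count restarts
    (0, "198.51.100.7", False), (200, "198.51.100.7", False), (400, "198.51.100.7", False),
    (600, "198.51.100.7", False), (900, "198.51.100.7", True),  # never 5 inside 300 s
]
```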
These plugins won’t make your site impenetrable, but they will make it much harder to successfully attack. WordPress is a powerful website platform, but it can be vulnerable to attack – use these plugins to eliminate those vulnerabilities.
Web and website security has never been more important. Malicious software, spyware, viruses and SPAM are proliferating at all time highs and more people are getting infected or hacked because of it.
In order to be safe, you need to be proactive – not reactive. This guide will help you become proactive. Making sure you address vulnerabilities before they are exploited, installing the proper security measures and creating backups for anything important are all proactive steps.
No guide in the world will make you bulletproof when it comes to online attacks. If you follow this guide, though, your computer, websites and personal information will be many times more secure and will avoid most of the sloppy and automated hacking attempts that are so popular these days.
Don’t become another online attack statistic. Read the information, re-read it, and then put the suggestions into place.