How to Make Your Site More Secure in 2014

With New Year’s resolutions still on everyone’s minds, it’s a good time to talk about adding one to improve your website security this year. Cybercrime is at an all-time high, and it’s not just large retailers or government offices that are the targets – an incredible 90% of US businesses have been victims of some sort of online hack.

Although rigorously backing up your site files and data is essential, many other techniques exist for securing your site against attacks so that you don’t suffer downtime and lost income. In this article, we’ll go through some important tips for securing a new or existing website.

Use scripts and web apps from known sources

Although this should go without saying, always be sure that any software, scripts, or web applications that you download or purchase come from known and reliable sources. Scripts developed by reliable development communities or companies usually prove to be more secure, as well as free from other types of problems.

One good way to know that you’re downloading from a reliable source is to look at how active the community is and to review the product’s release roadmap or bug-fix commits. Because so many scripts are developed in collaborative environments, much of this information is readily available. Feel free to reach out to the developers and ask about past security issues and how quickly security patches were released. If they refuse to answer or prove evasive, it may be a sign that the script has had problems.

You can also check security vulnerability databases such as CVE Details to cross-check any past security issues with the applications you intend to use.

Apply updates and security patches in a timely manner

Although it’s tempting to ignore the seemingly endless notices and emails you receive about security updates and patches, never delay applying them once they are available. Many ordinary software updates also include security fixes, so don’t assume that an update contains no security improvements just because it isn’t labelled as a security release.

If the script developer offers a mailing list for notification of security patches and other updates, sign up for them and keep your email address current.

If the application you are using supports automatic updates, enable them, but do so with caution. In particular, if you have made any custom edits to the script, it is wise to upgrade manually after taking a proper backup. This is a common problem for WordPress users who purchase themes and neglect to confine their edits to a child theme – when they update WordPress to a new version, all custom edits are likely to disappear.

Use a reliable hosting provider

Keep in mind that a security attack may not originate from a web application you are using. Your web hosting company might have a security hole in its server software, or a problem on another client’s site may affect yours. This is very common in shared hosting environments.

Always do some research before choosing a hosting provider. This being said, not all shared hosting accounts are prone to security attacks – hosting accounts from reliable providers tend to be more secure.

And about those backups. While most hosting companies offer regular backups, these are intended more for the hosting company, so that it can restore your site in the event of a server outage or hardware failure. It is your responsibility to put a backup mechanism in place that serves your own purposes. In the case of an attack on your web host, you may not have access to the backup files the host offers if you cannot log into your account, so another option is vital.

Several backup solutions exist for you to back up your site:

Manual – downloading a copy of your files to your own computer via FTP is a popular option, but it takes time and requires you to keep the file backups organized. The biggest drawback, however, is the need to remember to do this regularly. If you do choose this route, don’t forget to back up the databases on your server as well as your site files.

cPanel – if your host has cPanel, you can create a full backup that way, but be sure to download to your own computer anyway, since an attack on your host could compromise those cPanel backups on your server.

Cloud – cloud storage, currently very popular, is also well suited to backups. Many companies offer cloud storage, and even some of the free ones (like Dropbox) may have enough space for backups of a smaller site. BackupBuddy is a WordPress plugin that backs up to the popular Amazon S3. If you have a second Linux server, save time by using a tool like rsync, which transfers only the files that have changed since the last backup.

Finally, there are automated backup services that will either back up the entire site on each scheduled run or just the changed files. Examples are Backup Machine and Dropmysite. The related service CodeGuard also notifies you if files are changed, so that you can watch for unauthorized access to your site files.

Use a malware monitoring service

To help identify situations where your website files or database have been compromised, consider using a service such as Sucuri. Sucuri and similar services monitor your site in real time and notify you whenever your site is blacklisted by Google Safe Browsing, Norton Safe Web or PhishTank. They also let you know whether malware, malicious JavaScript, or malicious iframes have been detected. Sucuri offers a free scan of websites in addition to paid monitoring.

Use a monitoring application to identify changes to files and databases

Even with regular backups, you need to know if someone has defeated your security and changed files or databases that your website relies on. To accomplish this, use a tool such as FileWatch, which monitors any type of file as often as you wish and notifies you if files have been changed or new ones have been created. The database equivalent is Database Watch. Using these types of scripts lets you get a jump on any unauthorized change to your website.
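The change detection described here, and the "transfer only what changed" idea behind rsync and the automated backup services above, both rest on comparing a baseline snapshot of your files with a current one. The following is an added example, not code from this article or from any of the products it names: it hashes a (constructed) site tree, reports added, removed and modified files, and copies only the new or modified ones into a backup directory. The file names under `public_html` are made up for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare(baseline, current):
    """Classify what differs between two snapshots: added, removed, changed."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": sorted(p for p in common if baseline[p] != current[p])}

def copy_changed(root, dest, baseline, current):
    """Copy only new or modified files into dest (incremental, rsync-style)."""
    report = compare(baseline, current)
    for rel in report["added"] + report["changed"]:
        target = Path(dest) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(root) / rel, target)
    return report["added"] + report["changed"]

def build_sample(base):
    """Create a small constructed site tree (not a real site) under base."""
    site = Path(base) / "public_html"
    (site / "wp-content").mkdir(parents=True)
    (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (site / "wp-content" / "theme.css").write_text("body { color: #333; }\n")
    return site

def demo():
    """Take a baseline, simulate one edited and one unexpected file, then report."""
    base = Path(tempfile.mkdtemp())
    site = build_sample(base)
    baseline = snapshot(site)  # taken right after a clean deploy or backup
    (site / "index.php").write_text("<?php echo 'changed'; ?>\n")
    (site / "wp-content" / "extra.php").write_text("<?php ?>\n")
    current = snapshot(site)
    report = compare(baseline, current)
    copied = copy_changed(site, base / "backup", baseline, current)
    shutil.rmtree(base)
    return report, copied

if __name__ == "__main__":
    print(demo())
```

In practice you would store the baseline manifest off the server (a compromised host can rewrite it) and run the comparison on a schedule, alerting on anything in the report.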

Ensure desktop security

Don’t forget the security of your desktop along the way. Since website files will at some point sit on your desktop, or you will use FTP to transfer them, you need to ensure that your desktop is secure.

Given that FTP is the most common way to access and modify your hosted website files, regularly check that your desktop computer is free from viruses and malware. Very often, viruses will sit and monitor FTP connections and pass the login credentials to hackers, and plain FTP sends those credentials unencrypted in any case. If your host offers SFTP or other secure methods of accessing your hosted files, choose one of those options.

Conclusion

A few simple changes to the way you organize your website files and backup operations, combined with implementation of the guidelines explored above, can go a long way toward securing your site from hackers. There is no perfect solution, but if you make improving your website security one of this year’s resolutions, you’ll be able to reduce your risk and also make recovery from any breach that affects your hosting solution much easier and quicker – all of which will help you get back to business!