In today’s world, a website is an essential and, sometimes, the most important component of any business, organization, community or group. Websites range from small sites owned by individuals to large enterprise domains and e-commerce platforms dealing with sensitive customer and commercial data.
Whatever be the size of a website, security is at the core of any online platform and webmasters need to ensure the safety and availability of their site at all times.
The following list details ten simple ways to secure any website from hackers and spammers:
1. File-system permissions on the host server.
A website may be developed in HTML, PHP, .Net, Java or any other web language but, irrespective of the design, all websites have application files deployed on the web server. It is our duty to ensure that all application files are readable and writable only by the owner of the file. All other users such as group owners and general public should only have read access to the application files. A Unix or Linux file system should have the permissions set to 644 for proper security. In case of a shared hosting service, connect with the hosting provider to ensure that proper file system permissions are in place.
2. SSL certificates.
Install SSL certificates on the web server. This will ensure that all data transferred to and from the website is encrypted and cannot be easily compromised by hackers. SSL certificates are not very expensive and adds credibility to a site. It is also said to improve search engine ranking.
3. Complex long-length password.
Ensure that all user and database passwords are at least 8 characters in length or more with a mix of alphanumeric characters and symbols. Alphabets should be used in both uppercase and lowercase format. Refrain from using personal information such as date of birth, address or phone number.
4. Minimize the use of plugins and theme add-on(s) in CMS platforms.
Most CMS platforms such as WordPress and Joomla use themes, plugins and add-on(s) to enhance the functionality and look and feel of a website. It is recommended to minimize the use of plugins as much as possible. Plugins slow down a website and may also contain malicious code which may compromise your website’s security features. It is advisable to download essential plugins from trusted and official sources only rather than from third-party sites. If possible, a review of the plugin code for external references can further aid your security checks.
5. Use Google ReCaptcha, Invisible Captcha or any other Captcha service.
This will minimize brute-force attacks for sign-up/login screens and minimize or eliminate spam email from contact forms.
7. Configure the “robots.txt” file properly.
This will prevent search engines from indexing restricted or private folders containing credentials and other sensitive information.
8. Use the “.htaccess file” judiciously.
This may be used to enable a variety of security restrictions on a website. However, the changes must be reviewed by an expert or the hosting service provider so as not to hamper the normal functioning of the website.
9. Do not use common user names such as “admin” or “administrator”.
Use something unique. For example “abc_master” or “abc_admusr” sounds a bit different.
10. For CMS sites such as WordPress or Joomla, change the default login/admin url.
This can be achieved through custom code or by using a plugin and is a great way to stave off brute-force attacks.
The above listed techniques, although not fool-proof, should help to reduce hacking and spam attacks significantly on any website.