I hope you’ve never had the situation where you get a phone call or email saying your site’s been hacked, or your website is not responding. Or maybe you’ve had the experience of finding a huge amount of files buried on your site that you didn’t put there, and what’s worse, they’re pirated DVD files. Or perhaps you’ve received an email from someone at another website or security service stating your site is hosting a phishing site. These are stressful situations to be in and expose you to all sorts of risks and issues.
I’ve listed some common sense security guidelines for operating a website and keeping it safe, secure, and functioning. Follow these guidelines and you’ll better the odds that the above situations will not occur.
Don’t use a shared hosting account. These are the low-end, inexpensive accounts. When you setup a website, there are several components, one of which is the server that actually contains the files that make up the website. If you have any security concerns with the content of your website, then, at a minimum, you want an account that is isolated or virtual; the best scenario is your own server, with no other sites on it except yours. A word of advice here: avoid free. You get what you pay for: expect on spending $30 to $199 a month on this type of service. See below for my recommended hosting provider.
Dedicated IP Address
Do use a dedicated or unique IP address for your website(s). IP addresses are like the street address for your house. Lower-end hosting accounts may place multiple website on the same IP address. This saves IP addresses; however, it exposes you to sharing the neighborhood so to speak. It also limits using access lists on the firewall to limit access to specific IP addresses. Now, if you have your own server, or virtual server, then you may get x number of IP addresses from your hosting provider – in this case, you can share an IP among your less critical sites, and use dedicated IP addresses for your most important. In this scenario you control the “neighborhood”.
Use a hosting service/facility that has a hardware firewall that you can have them open and close access to your site/server based on IP address and port. This way you can completely block certain services such as FTP at the perimeter before it even reaches your server/site. There are also software firewalls that run on your server, but a hardware firewall is better.
Turn off FTP
Turn off FTP (File Transfer Protocol) except from your IP address (if you need it). If you have multiple locations with dynamic IPs that absolutely require FTP access, then you need to find a hosting package that has VPN (Virtual Private Network) access. Why close off FTP? FTP is used to transfer files and is not generally needed after you get your site up and running (if it is, then it does not need to be open to the entire world, narrow it down with a firewall access-list to just specific IPs). If you have FTP ports open, bots will find them and use brute force login attempts to try and break in. I’ve seen server logs with tens of thousands if not hundreds of thousands of attempted FTP logins per day. This can drain system resources at a minimum and if they do get in, they can alter or exploit your site and potentially steal information. You can also disable the FTP service on the server – I did this in one scenario without a hardware firewall and only enabled FTP when it was needed. The challenge there is remembering to disable it again afterwards!
If you’re not an expert in the CMS (Content Management System) you’re using or planning to use for your website, then get help making sure it’s installed and setup correctly. CMS (Content Management System) = WordPress, Drupal, Joomla, etc., or, if you’re creating your site from scratch or using a framework such as CodeIgniter or Ruby, then get an expert for whatever technology you’re using. Learning is good, but don’t shoot yourself in the foot by making novice mistakes that exposes your site to hacking, limited functionality, or worse.
If you use WordPress for your website, follow my list of recommended WordPress plugins, especially the ones related to security. The security plugin I recommend is not a simple install, you have to go through all the settings and thoughtfully select the correct options for your site and situation. If you’re not using WordPress, find a list of recommended security measures for whatever you’re using.
The security plugin I use for WordPress does several things that I think are critical to keeping a website secure. Again, you can turn these features on and off as needed but why would you not have them on? Requiring complex passwords, blocking invalid login attempts after x number of attempts, Utilizing 3rd party “ban lists” for known suspect IP addresses (includes an option for sharing these IPs), 404 detection (blocks an IP after x number of requests for non-existent pages), hides the normal WordPress backend login URL to one that you create, other server and WordPress options to enhance security, and much more.
Make your passwords to your hosting account, website backend, etc. complex and unique – in other words, don’t have the same username and password for multiple websites, etc. Don’t use the same password (very tempting it is) for multiple website backends.
Update your CMS and plugins often. Check for updates at least weekly.
Managing Multiple Websites
If you have a lot of websites, if they use the same CMS, then there may be a dashboard to make managing them easier. For WordPress I recommend InfiniteWP it makes it a snap to keep up with updates and much, much more: no more logging into individual sites to update plugins or WordPress.
If you’re using a CMS that supports plugins, such as WordPress, you should not haphazardly install plugins. Read a few reviews of the plugin, look at the number of downloads, compare a few similar plugins. By downloading and installing a plugin you could potentially install a back door or other exploit into your site. If it’s a plugin that you only need its functionality occasionally, you should deactivate it between uses.
Purchasing a digital certificate allows you to enable HTTPS on your website. HTTPS encrypts all traffic between a browser and your webserver. This is critical if you have situations where personal information or payment info is entered by visitors to your site. A digital certificate is not really required for purely informational sites, however, it’s been noted that Google is giving sites with certificates a little more weight in their SEO ranking algorithms.
What if someone or some group targets your site with a DDOS (Distributed Denial of Service) attack? DDOS attacks utilize networks of bots (usually infected computers acting as zombies) to make it impossible for legitimate users to access your website. They do this by instructing all the bots to repeatedly access your site. This overloads the server and your site either crashes from the traffic overload, or, just slows to a crawl. There are products and services available to deal with mitigating DDOS attacks, either that load on your server, or, that function as part of your firewall, or, work by redirecting your DNS to a 3rd party DDOS service. If someone wants to do this to your site, they will determine if you’re running a common CMS, like WordPress, and they’ll target a known URL that uses a lot of system resources, or, a common weak point to try and kill or hack the site. That’s why using good security measures like I outline here to “harden” the WordPress installation is critical. Once that’s done, they will have a much harder time. If you still experience DDOS issues, then you need to add a specific DDOS mitigation offering to the mix.
Let’s circle back around to what CMS, language, framework, etc. you use to build your website. If you’re just playing around, dipping your foot in the blogging water, then it really doesn’t matter. Just get a free WordPress site at WordPress.com, wix.com (ugh squared), blogger.com (ugh again), etc. – everything is done for you. If you’re running a business, or are serious about your website, then you really should host your own account and download the WordPress software from WordPress.org. The theme you use on WordPress is very important, so again, if you’re serious avoid free and get a professional one (I recommend StudioPress themes). You can pay someone to customize existing themes, or create them from scratch. If you need a custom website and use PHP, or a framework like Ruby, or CodeIgniter then it’s imperative you work with a programmer who takes security seriously, simple mistakes can expose your site, and your visitor’s information to hackers.
What about selling physical and digital products? Just as I don’t recommend using social media as the endpoint for your marketing efforts (read previous post The ONE Flaw with Using Social Media for Business), I advise against using 3rd party solutions if you can handle it efficiently and securely on your own site/server. Again I use WordPress and will refer you to my recommended list of WordPress plugins where I mention that I use WooCommerce for this. You can create a store (or stores) that sell both physical and digital download type products. There are hundreds of extensions for WooCommerce that add various types of functionality so that you don’t necessarily have to reinvent the wheel. There are, of course, exceptions – if you’re selling a CD or DVD you can use a service like Kunaki much more efficiently than you can do it yourself (and yes, there are exceptions to the exception – such as if you’re in a market where you have enemies or competitors who may try to sabotage your work, then you should do as much in-house as possible).
Yes, they’re important. Depending on where your host, and the CMS you use, and the plugins you use in your CMS, there are multiple ways you can perform and use backups. If you use a Linus cPanel type hosting account, you should occasionally make a backup from cPanel and store it locally. If you use a plugin inside WordPress you can keep several days’ of backups in the filesystem on the server, and store one locally before you make major changes, and/or on a regular basis. At a minimum you should have multiple backups stored in multiple places for anything that is important.
- If you’re using WordPress, check my List of Recommended WordPress Plugins to help keep your site secure.
Until next time,