Securing a website is not within everyone's reach, but you don't have to be a programmer or computer scientist to get there.
So we've listed 9 tips that are both easy to apply and detailed enough to arouse your curiosity about security issues, so that you slowly but surely become your own web security expert.
All the tips address hacking specifically, and we will also introduce the techniques you can use to test your website for security breaches. Don't worry: none of this is difficult, but it is important to familiarize yourself with the simple tools and techniques that can block or repel attacks, for the good of your projects.
Have fun!
Tip # 1: Use complex passwords
The most common web security weakness is reusing the same password across a large number of websites or services. A hacker who finds just one password then has easy access to all your data, whether it is your blog or your PayPal account. Keeping a list of your passwords on paper or in a file is not a safe solution either, because someone who has hacked your computer will have easy access to that list.
But what if you can't find a suitable password?
- Use a strong password generator to get a hard-to-guess password made of alphanumeric characters and special symbols. The more random or pseudo-random the symbols are (that is, they are not linked to each other and every symbol has an equal chance of following any other), the more secure the password.
- Use a password manager like Dashlane, LastPass, Password Safe (Windows only) or Password Gorilla to store and encrypt all your passwords, which you unlock with a Master Password, one password to control them all.
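As an added example (not code from the original article), here is what such a generator looks like in Python: symbols drawn independently from letters, digits and special characters using the operating system's cryptographic random source, together with the strength estimate (bits of entropy) you would check before trusting a generator.

```python
import math
import secrets
import string

# Alphabet as described in Tip #1: letters, digits and special symbols (94 in total).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate_password(length=16):
    """Return a password of `length` symbols containing at least one from each class.

    `secrets` (not `random`) is used: its choices come from the OS CSPRNG, so
    each symbol is independent of the ones before it, as the tip requires.
    """
    if length < len(CLASSES):
        raise ValueError("length must allow one symbol from each class")
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # Shuffle so the forced class members do not sit at predictable positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size).

    16 symbols from 94 give about 105 bits; 12 symbols give about 79.
    """
    return length * math.log2(alphabet_size)


def has_all_classes(password):
    """True if every character class is represented in the password."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, round(entropy_bits(len(pw)), 1), "bits")
```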
Tip # 2: Pay attention to your scripts and plugins
It is well known that website scripts and CMS platforms are the primary vehicles for hacking attacks. If you host scripts written in PHP, ASP or JavaScript, be aware that they may contain security holes and bugs that their developers overlooked. Besides contacting the developer immediately after discovering such an issue, there are non-technical steps you can take to ensure that your scripts will not cause you long-term worry:
- Read your script's release notes carefully: they often detail security fixes and bug fixes.
- Watch for warnings from your software installer, control panel, or even Google Webmaster Tools: if you need to update, modify or delete a file, do so.
- Do not install just any plug-in: first check its compatibility and security notes.
Tip # 3: Regularly check the folders and the control panel
Sometimes hackers sneak onto your site and can leave serious damage behind them: spoofing, media files containing viruses, executables, rewritten web pages, etc.
Check your folders regularly, at least once every two weeks, to make sure your files are intact. If you find files you don't recognize, delete them immediately. If that doesn't work, contact your web host for help (that's when you most need a good web host). In such cases:
- Change your admin panel password (and username, if possible).
- Check all files to see if they have been damaged.
- If you have an antivirus installed, run it.
Tip # 4: Secure authentication
Web security experts use many methods to ensure optimal security of the systems and web transactions they work on: public key cryptography, chains of trust, signatures, SSL and TLS (Transport Layer Security). While it is important that you become familiar with cryptography, you should first learn to use the simple multi-factor authentication tools that experts have prepared for you:
- Two Factor Authentication
- Mini Orange Google Authenticator
Why do you need multi-factor authentication? Because you will need to know your username, your password AND a user code to access your content; otherwise you are denied access. The code can be sent to your phone, so that no one other than you can access the site.
Tip # 5: Beware of DDoS attacks
Distributed Denial of Service (DDoS) attacks are rapidly evolving and dangerous, as is the hijacking of servers to replace your services with fraudulent ones.
A DDoS attack on a server causes its main services to malfunction, and the entire system becomes unavailable to end users.
What can expose you to a DDoS attack:
- Open network configuration
- Buggy applications that are not kept up to date
- Insecure server configuration
- No maintenance and/or monitoring of network activity
Inform your ISP and your host about this form of attack. The latter can configure each server with a list of alternative DNS addresses, so that when the default DNS becomes unavailable, the whole site keeps working.
Tip # 6: Secure FTP access with SFTP
Nothing changes for you: it works like normal FTP, but SFTP, or Secure FTP, offers several security advantages:
- It uses SSH to encrypt data and commands during file transfer.
- It uses the server's public key so the client can verify the server's identity during connection, ensuring that it is not talking to an intermediary.
- An attacker eavesdropping on your network cannot read your traffic.
The problem with plain FTP is that it is not encrypted: everything uploaded to or downloaded from the server travels as clear text.
To use SFTP from the command line (on Unix / Linux / Mac OS) run sftp username@host, or simply download a free FTP client that supports SFTP, such as FileZilla (open source).
Tip # 7: Learn more about SQL injection to protect yourself
Beware of this hacking method: keep your scripts up to date and contact the script developer immediately if you find a security breach. Here's how to do a simple test:
- Enter the following SQL code in your web form (username and password fields):
' OR 't'='t'; --
which becomes, at SQL level:
SELECT * FROM users WHERE userid = 'admin' AND password = '' OR 't'='t'; --'
- Does it return the contents of your database?
The code could work (we use the conditional because hopefully you have installed a very secure script), since 't'='t' is always true, so the condition of the SQL query is always satisfied.
A knowledgeable hacker can build far more sophisticated SQL statements to achieve their goals, so be sure to contact the script developer for help if the script you are using is easily attacked. Or change the script.
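To see why the test above works and how a correctly written script defeats it, here is an added example (not the article's code) using Python's sqlite3 and a constructed one-row users table: the same login query built by pasting form input into the SQL text, beside the fixed version using parameter placeholders. It uses the article's test string without the trailing "; --" tail, because the original query's own closing quote already absorbs the stray quote, and sqlite3 executes a single statement at a time.

```python
import sqlite3


def make_db():
    # Constructed demo table (not a real site): a single admin account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return conn


def login_vulnerable(conn, userid, password):
    # The weakness Tip #7 tests for: form input is pasted into the SQL text,
    # so a quote typed in the password field becomes part of the query.
    sql = ("SELECT * FROM users WHERE userid = '%s' AND password = '%s'"
           % (userid, password))
    return conn.execute(sql).fetchall()


def login_safe(conn, userid, password):
    # The fix: parameter placeholders. The database receives the values
    # separately from the query text, so a quote in the input stays data.
    sql = "SELECT * FROM users WHERE userid = ? AND password = ?"
    return conn.execute(sql, (userid, password)).fetchall()


def demo():
    """Return (rows from the vulnerable login, rows from the safe login)."""
    payload = "' OR 't'='t"  # the article's test string, minus the "; --" tail
    conn = make_db()
    # Vulnerable: ... AND password = '' OR 't'='t'  -> always true, 1 row leaks.
    vuln = login_vulnerable(conn, "admin", payload)
    # Safe: the literal string "' OR 't'='t" is compared to the stored password.
    safe = login_safe(conn, "admin", payload)
    return len(vuln), len(safe)


def legitimate_login_works():
    """The parameterized query still accepts the real password."""
    return len(login_safe(make_db(), "admin", "correct-horse-battery")) == 1


if __name__ == "__main__":
    print(demo())  # (1, 0)
```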
Tip # 8: Check your administration panel logs regularly
Your administration panel (cPanel, Plesk, etc.) comes with integrated tools for traffic analysis, access logs and security logs, which you should monitor at least once a week.
If you are using cPanel, we recommend that you check the Analog Stats tool every other day, as it displays a detailed report with:
- HTTP requests
- Monthly, daily and hourly traffic activity reports
- Referrers, browsers and operating systems your traffic comes from
Log tools are the first thing to check when you think your website has been attacked.
Tip # 9: Make regular backups
Back up your files as often as possible. With plug-ins like Updraft Plus and BackupBuddy, you can define the intervals at which your backups are made.
What matters is that you constantly download new copies of your content, ready to be restored if something goes wrong along the way.
Bonus Tip # 10: Change your login URL
If you use WordPress as your CMS, you can easily change the login URL of your administration panel so that you no longer use /wp-admin. With plugins like iThemes Security or the excellent WPS Hide Login by WPServeur, you can make this change in just a few clicks!