Beginners Guide to Website Security

So you have a website and are a bit concerned about its security. It doesn’t matter if it’s a business site or a personal blog, this article will tackle some of the basics you can implement today to avoid the big headaches down the road.

How and why do websites get defaced, hacked, or corrupted?

Most sites are compromised by known vulnerabilities in outdated web-based scripts and applications. Simply put, this means if you run outdated versions of popular software such as message boards, blogging software, or content management systems, your website could be at risk. Other ways a website is commonly compromised is due to insecure or stolen passwords and incorrect file permissions.

Why would anyone want to hack my website? I don’t store any personal or financial information on my site so I shouldn’t worry about this right? Many people feel that because they think no one wants to compromise their website they don’t need to worry about its security. Stop it.

Although they may not want any of the information on your site, most of the time your site will be used to spread viruses, spyware, or deceive your visitors into going to sites with them. Most compromised sites we see have malicious code injected into the files in order to do just this.

Here are a few things you can do today to make sure your website is better protected.

Start locally

Make sure your personal computer is secure. If you use an FTP program to upload content to your website, chances are that you have the username and password saved within it. Depending on how that program stores this data it is possible to have that info stolen if your computer has spyware or a virus.

We recommend installing a virus scanner and regularly scanning for spyware along with being more cautious of where you are surfing online.

Update and patch your third-party applications

Most website security issues can be avoided by being proactive with updates and security fixes issued by the authors of your applications.

Many popular applications now have a one-click update that takes less than 30 seconds to perform. It is recommend that you backup your data before upgrading which can usually be done through your Control Panel.

If you stop using an application make sure you remove it. If you’ve switched from WordPress to Joomla for your content management, make sure you remove the WordPress installation as it can be forgotten about and left outdated. Even though you may not be using it, it can still be accessed.

Remember that updates, patches, and new releases are released for a reason. Staying on top of these updates may seem like an inconvenience at the time, but it will save you from a lot of headaches and issues in the long run.

Checking file permissions

Allowing everyone to read, write, and execute files on your website is a huge security issue. In a web-based environment you typically will want a “755” permission setting, or full access to the file owner, and only read/execute access for everyone else.

Some applications will ask you to set a permission to “777” or full access to everyone. Make sure you are running the most up-to-date version of this application before installing. Also, you may want to try it with a 755 as some hosting environments will for this.

Secure your login areas

It is best to access the administration area of any application over SSL (https://). This can be done by making sure it is placed in a ssl-based directory.

In addition to this, it is possible to limit the admin directory to only specific IP addresses. This can be done by placing the following information into a .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName AdminAreaAuth
AuthType Basic
order deny,allow
deny from all
# allow home IP address
allow from 99.x.x.x
# allow work IP address
allow from 142.x.x.x
# allow vacation home IP address
allow from 24.x.x.x

For example, if you wanted to secure the admin area of your WordPress installation, you would place this .htaccess file in your /wp-admin/ directory. It will deny all connections that are not made from one of those predefined IP addresses.

Hope this helps. Interested in hearing more on a specific topic? Let us know in the comments below!

Adam is a former owner of Websavers Inc. He departed in 2014 to focus his time entirely on blogging and online marketing. Adam currently works for a Clagary and Edmonton based web marketing agency.