Let’s face it. When you have a website, there are those out there who will try to hack it. Why? Sometimes the purpose is malicious and sometimes, the purpose is ‘just because they can’. Whatever the reason, the outcome is always annoying and often detrimental to your business.
One of the most common ‘hacks’ we see is a ‘mailer’ that is uploaded to use the business’s hosting account, bandwidth and IP address to send copious amounts of spam email out over the Internet. The most damaging thing here is that the IP address of the webserver ends up in spam databases and legitimate emails get caught in spam filters. The effect can cause many problems, including loss of income because communications are simply not received.
There are things that business owners can do to reduce the possibility of their website being hacked.
Choose Your Hosting Provider With Care
There are lots of hosting providers around. There are some very inexpensive ones and some not so inexpensive ones, and unfortunately it isn’t always a case of ‘you get what you pay for’. Do your homework and ask questions when looking at your options. Apart from what you actually get for your money with a hosting account, the questions you should be asking include:
Is the base software on the server kept up to date?
By this I mean the:
- the base operating system (in most cases this will be Linux);
- the webserver software itself (in most cases this will be Apache);
- the database software (in most cases this will be MySQL);
- the code execution engines (in many cases this will be PHP).
Software is always being updated, and when a new revision is released, the release notes generally describe the issues the revision addresses. These notes identify potential attack vectors for down-revision or out-of-date software. Keeping the server software up to date is very important.
What is the backup policy of the webserver provider?
Does the provider back their server up? If so, where do they store their backups and how often do they back the server up?
Most providers will do a weekly backup and keep the backups on a separate machine or remotely. However, most providers will also say that backups are provided on a ‘best effort basis’ and may levy a fee to restore the backup for you. This is not an unreasonable approach, and there are options for businesses to make and store their own backups (I cover these later in this article). Nevertheless, having some backups made by the provider is important.
What Security Precautions Are Implemented?
This is a big topic, and if you speak to different providers you’ll get different answers. As someone who provides hosting services to my clients and provides maintenance support for their websites (which are two distinctly different types of services), the answer is really important.
I’ve worked with some providers on behalf of my clients who think that changing the name of the login ‘page’ is sufficient protection for a site. It isn’t – by any stretch of the imagination. It might be an extra layer of protection that can be added, but on its own it is not sufficient. Even when it is implemented, this is one of the most disruptive practices for businesses that I’ve encountered, but then, that’s what makes it effective.
Other security precautions include:
- Security rules on the server that ban an IP address in its entirety after multiple failed logins. This is one of my favourite rules. From experience, I’ve seen a hack attempt start on one site on a shared server and work its way through nearly every account on that server. When that happens, stopping the attempt at the source is important. Certainly, this approach sometimes blocks legitimate attempts to log in, but those are easily and quickly addressed when they occur. Linking this precaution to the login process of the different types of software that might be installed on the server (WordPress, Joomla etc.) provides an extra level of protection to site owners.
- Blocking multiple ‘file not found’ attempts. This one is a little more difficult to implement because it relies on the site not having a lot of missing files; however, it’s a great way to stop hackers who probe for known attack vectors on websites.
These are just some of the things a business owner can look for in a hosting provider. There are other precautions that can be taken at the server level, but these are a great start.
Website Security Is A Partnership
Now that I’ve outlined what a hosting provider may do to protect your website, I’m going to say that, as a business and website owner, you have some things you should do as well. Relying just on your hosting provider to protect your website is a bit like leaving your car in a secure parking structure and not using a car alarm or similar. Sure, the parking structure will have security measures in place to stop people getting in, but sometimes those measures simply aren’t enough. You should always make sure your car is locked and the security alarm is on.
Now, the owners of the parking structure aren’t going to check that the locks and the alarm on your car work, and typically they aren’t going to fix them if they’re told the devices aren’t working. The same applies to your website. Your hosting provider should ensure that the software and hardware required to run the webserver are secure and operational – anything else is up to you as the business and website owner.
Securing Your Website
There are a number of things a site owner can do to secure their website and reduce the potential of a malicious (or hack) attempt. For this next part, I will focus primarily on resources for securing WordPress websites, as that is where the bulk of my work occurs these days.
These are just a couple of things that site owners can do to secure their sites.
Whether or not your webhost provides backups, you should always have your own server and/or website backups. More importantly, those backups should not be stored on the same webserver as your site. If you lose access to your server, having the backup stored elsewhere will be a saving grace.
Two resources that I use heavily are:
SiteAutoBackup – this service works with most shared, reseller, VPS and dedicated servers and can be used to back up unlimited accounts, websites, domains, emails and databases. The backup is stored on SiteAutoBackup’s server and is accessible via your secure login.
Backup Buddy – this is a WordPress plugin (so it can only be used on WordPress websites) that has saved me and my clients on any number of occasions. It works on most hosting providers and allows the backup files to be moved automatically to a number of different platforms, including Amazon S3.
For a backup schedule for the whole server, I typically recommend one full backup per week. For individual websites using something like Backup Buddy, I recommend a daily database backup (keeping up to 7 days’ worth of backups) and a weekly full backup (keeping up to 2 weekly backups).
Change Default Usernames and Logins
Most installations of content management systems default to a known username (like admin). If you’re setting your website up from scratch and are given the option, change the username to something a little more obscure. Many of the hack attempts I see when reviewing security logs are attempts to log in as admin or administrator. Removing that option adds another level of security to your website.
If your website is already set up and using that username, consider changing it. You may need assistance to do this, but it is well worth the effort. Once that’s done, consider using a process that automatically bans any IP address that tries to use the ‘default’ username.
Deny Access To Repeated Missing Files
Much as I mentioned above, if an IP address keeps requesting files that don’t exist, consider setting your website up to ban it automatically. This will not only stop potentially malicious traffic, it may also reduce the load on your website, making it quicker for other, legitimate users.
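As an added example (not code from the original post), here is the per-IP rule described under ‘Other security precautions’ and in this section, run over constructed Apache access-log lines: it tallies failed wp-login.php attempts and ‘file not found’ responses per source address and reports which addresses crossed a ban threshold. The thresholds, the sample traffic and the assumption that a failed WordPress login returns HTTP 200 (a successful one redirects with 302) are mine, not the post’s.

```python
# Added example (not from the original post): count failed WordPress logins and
# 404s per source IP in Apache combined-log lines and return the IPs to ban.
# Assumption: a failed wp-login.php POST returns HTTP 200, a successful one 302.
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
FAILED_LOGIN_LIMIT = 5   # failed logins from one IP before it is banned
NOT_FOUND_LIMIT = 10     # 404s from one IP before it is banned

def parse_line(line):
    """Return (ip, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path.split("?", 1)[0], int(status)

def find_ban_candidates(lines):
    """Return {ip: [reasons]} for every IP that crossed either threshold."""
    failed_logins, not_found = defaultdict(int), defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, status = parsed
        if method == "POST" and path == "/wp-login.php" and status == 200:
            failed_logins[ip] += 1
        elif status == 404:
            not_found[ip] += 1
    bans = defaultdict(list)
    for ip, n in failed_logins.items():
        if n >= FAILED_LOGIN_LIMIT:
            bans[ip].append(f"{n} failed logins")
    for ip, n in not_found.items():
        if n >= NOT_FOUND_LIMIT:
            bans[ip].append(f"{n} requests for missing files")
    return dict(bans)

def _entry(ip, method, path, status):  # one constructed combined-log line
    return (f'{ip} - - [10/Oct/2023:13:55:01 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

# Constructed sample: a brute-forcer, a client requesting files that don't
# exist, and a legitimate admin who logs in once and hits a single 404.
SAMPLE_LOG = (
    [_entry("203.0.113.7", "POST", "/wp-login.php", 200)] * 6
    + [_entry("198.51.100.9", "GET", f"/missing-{i}.php", 404) for i in range(12)]
    + [_entry("192.0.2.5", "POST", "/wp-login.php", 302),
       _entry("192.0.2.5", "GET", "/favicon.ico", 404)]
)
```

Feeding real log lines in and handing the returned addresses to the server’s firewall rules is the piece the hosting provider’s ban rule automates; the admin who logged in successfully and hit one missing file is not flagged.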
Update Your Website Software!
I can’t emphasise this strongly enough. Keep your website software, plugins and add-ons up to date. When new versions of software come out, the issues they fix are published. This is like a ‘how to’ manual for hackers, and if you don’t update, you’re leaving your website vulnerable to compromise.
Remember, too, that your hosting provider typically doesn’t do this for you. It’s up to you to monitor for updates and apply them.
For my clients, I offer a maintenance service where I do this for them.
For WordPress, I’ve been using the iThemes Security plugin – the free version, although there is a pro version as well. Combined with Backup Buddy, this plugin provides a great deal of security options.