BreachExchange mailing list archives

5 Simple Tips to Secure Your Website from Hackers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 2 Dec 2014 19:35:49 -0700

http://smallbiztrends.com/2014/12/secure-your-website-from-hackers.html

Each passing day brings with it news of a brand new leak of personal
information over the Internet. Be it credit card information belonging to
millions of users or their email IDs and passwords, personal nude pictures
of celebrities or even top secret classified government data — the world of
hackers has exposed the Internet's lack of security at every possible
level.

You might now be wondering what this has to do with your innocuous little
blog or website that does not carry users’ credit card information or nude
pictures of Scarlett Johansson.

Well, hackers can turn your nondescript website into a malicious spy bot in
a matter of minutes, sending sensitive user data to hackers without your
even realizing it. Worse, they can hack into your website databases and
destroy or manipulate important information, inject your content with
malicious links and even hijack the hosting server for use in botnet
DDoS attacks.

But enough of this scare fest. It’s not all doom and gloom out there on the
Web. There are things that you can do to secure your website from hackers
and avoid becoming a target for online vandals. Here’s a roundup of the
easiest steps you can take:

Keep All Software Updated

Whether your website was built from scratch by your development team or you
chose to create a DIY site on a third party turnkey platform, as a site
owner it’s your job to ensure that every piece of software you run is up to
date.

CMS providers like WordPress, Joomla and their ilk work round the clock
trying to plug any holes in their systems and release regular patches and
updates that make their software less vulnerable to attacks. Ensure that
you run these updates and have the latest version supporting your site at
any given point in time.

If your site uses third party plugins, keep track of their updates and
ensure that these are updated on time as well. Often, many sites include
plugins that fall into disuse over time. Clean out your website of any
unused, old and non-updated plugins — they are sitting ducks for hackers to
be used as a gateway to enter your site and wreak havoc on it.

Build Layers of Security Around Your Site

Just as you lock your doors before leaving your house and install antivirus
software on your desktop computer before browsing the web, you should also
have a security system to serve as your website’s first line of defense
against hacking attacks. A Web Application Firewall is that first line of
defense. These solutions are designed to inspect incoming traffic and weed
out malicious requests, offering protection from spam, brute force attacks,
SQL injection, cross-site scripting and other OWASP Top 10 threats.

Until just a few years ago, Web Application Firewalls were only available
as hardware appliances, but today a few Security-as-a-service (SECaaS)
providers are revolutionizing the industry by using cloud technology to cut
down prices of security solutions previously found only in enterprise level
setups.

Consequently, all website owners can now “rent” a cloud-based Web
Application Firewall, without committing to pricey security appliances or
even owning a dedicated hosting server. Better yet, these plug-and-play
services don’t require you to hire security experts or attempt to learn
every aspect of web security. (Most of us just don’t have the time to
become cybersecurity experts too.)

With hundreds of thousands of websites hacked every year, it’s becoming
clear that hosting providers are not sufficiently equipped to handle all
website security threats, because frankly website security is not their
primary business. Now cloud-based Web Application Firewalls are filling
that void.

Switch to HTTPS

HTTPS, or Hypertext Transfer Protocol Secure, is a secure communications
protocol that is used to transfer sensitive information between a website's
users and its web server. Moving your website to the HTTPS protocol
essentially means adding an encryption layer of TLS (Transport Layer
Security) or SSL (Secure Sockets Layer) to your HTTP, making your users’ and
your own data extra secure from hacking attempts.

While HTTPS is a necessity for all online transactions, the rest of a
website usually stays on HTTP. However, all that is about to change with
Google’s recent announcement that HTTPS will be a search ranking factor.
Besides the security aspect of things, it now makes even more sense to
shift your entire website to HTTPS and improve your search rankings at the
same time.

Use Strong Passwords, Change Regularly

This one’s another no-brainer. Brute force attacks that try guessing
username password combinations have multiplied at alarming rates over the
last couple of years with thousands of attacks being detected on a daily
basis across the web.

Using strong passwords is an effective way to limit if not completely
eliminate brute force and dictionary attacks. Strong passwords are not just
a requirement for your email or financial transactions online, they are
also imperative for your website server, admin and database passwords.

Make sure your password is a combination of alphanumeric characters,
symbols, upper and lower case characters and is at least 12 characters long
to prevent brute force attacks.

Do not use the same password for all your different website logins. Change
your passwords regularly to keep them doubly secure. Store users’ passwords
in encrypted form. This ensures that even if there is a security breach,
attackers do not get their hands on actual user passwords.
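
As an added example (not from the article or the site it links), the following Python enforces the password policy stated above (at least 12 characters with upper case, lower case, digits and symbols) and stores only a salted PBKDF2 hash, which is the standard way to achieve what the article calls storing passwords "in encrypted form": a breach of the stored records does not hand attackers the passwords themselves. The sample password and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
import string
from typing import Optional

MIN_LENGTH = 12               # the article's minimum length
PBKDF2_ITERATIONS = 200_000   # deliberately slow: makes offline guessing expensive


def password_meets_policy(password: str) -> bool:
    """The article's rules: 12+ characters with upper, lower, digit and symbol."""
    if len(password) < MIN_LENGTH:
        return False
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex', the only thing stored."""
    salt = salt or os.urandom(16)  # fresh random salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(password: str) -> str:
    """Signup handler logic: reject policy violations, keep only the hash."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet the policy")
    return hash_password(password)


if __name__ == "__main__":
    record = register("Tr0ub4dor&3-horse")  # constructed sample password
    print(record)
    print(verify_password("Tr0ub4dor&3-horse", record))  # True
    print(verify_password("tr0ub4dor&3-horse", record))  # False
```

The stored string carries its own salt and iteration count, so the cost can be raised later for new records without breaking verification of old ones.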

Make Admin Directories Tough to Spot

An ingenious way hackers gain access to your site’s data is by going
straight to the source and breaking into your admin directories.

Hackers can use scripts that scan all the directories on your web server
for giveaway names like ‘admin’ or ‘login’ and focus their energies on
entering these folders to compromise your website’s security. Most popular
CMSs allow you to rename your admin folders to any name of your choice.
Pick innocuous sounding names for your admin folders that are known only to
your webmasters to greatly reduce the possibility of a potential breach.

This is such a basic and easily avoidable hacking scenario, that it’s
astonishing how millions of websites still ignore it.
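
The scanning scripts described above leave a distinctive trace in the web server's access log: one client requesting several admin-style paths in quick succession and receiving 404s. As an added example (not from the article), this Python parses combined-format access log lines and flags such clients, so that renaming the admin folder can be paired with alerting on whoever is still looking for the old names. The log lines are constructed samples, and the path list and threshold are assumptions to adjust for your own CMS.

```python
import re
from collections import defaultdict

# Paths the article calls "giveaway names"; add your CMS's real admin path.
PROBE_PATHS = ("/admin", "/login", "/wp-admin", "/wp-login.php", "/administrator")
PROBE_THRESHOLD = 3  # distinct probe paths from one client before it is flagged

# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Dec/2014:19:35:49 -0700] "GET /admin HTTP/1.1" 404 162
203.0.113.7 - - [02/Dec/2014:19:35:49 -0700] "GET /login HTTP/1.1" 404 162
203.0.113.7 - - [02/Dec/2014:19:35:50 -0700] "GET /wp-admin/ HTTP/1.1" 404 162
203.0.113.7 - - [02/Dec/2014:19:35:50 -0700] "GET /administrator HTTP/1.1" 404 162
198.51.100.2 - - [02/Dec/2014:19:36:01 -0700] "GET /blog/post-1 HTTP/1.1" 200 5120
198.51.100.2 - - [02/Dec/2014:19:36:05 -0700] "GET /login HTTP/1.1" 404 162
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def is_probe(entry):
    """True if the request targets one of the giveaway admin/login paths."""
    path = entry["path"].split("?", 1)[0].rstrip("/").lower()
    return any(path == p or path.startswith(p + "/") for p in PROBE_PATHS)

def find_scanners(log_text, threshold=PROBE_THRESHOLD):
    """Map client IP -> sorted probe paths for clients that hit at least
    `threshold` distinct giveaway paths and got 404s (guessing, not logging in)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["status"] == 404 and is_probe(entry):
            hits[entry["ip"]].add(entry["path"].rstrip("/"))
    return {ip: sorted(paths) for ip, paths in hits.items() if len(paths) >= threshold}

if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip} probed {len(paths)} admin-style paths: {', '.join(paths)}")
```

A single 404 on /login (the second client) is ordinary user error and stays below the threshold; a client that sweeps several names in a second is the scanner.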

Conclusion

Most of us go through life with the philosophy ‘It won’t happen to me’.
However, that philosophy has been proven not to be true in the world of
online security. A successful attack on your site not only leads to
compromising of users’ data and your own information, it can also lead to a
blacklisting of your site by Google and other search providers as your
infected site risks spreading malicious content throughout the web.

Erring on the side of caution works best in this area. Implement at least
these basic steps right away, to avoid being a soft target for malicious
hackers.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/