It’s so easy now to launch a website. Some people and organizations have multiple sites. There is, however, a flipside to the ease of creating a website: we now have a profusion of DIY webmasters who have no idea how to properly secure their sites. Most people don’t know about the importance of securing their sites, or whose job it is to do so.

Let’s look at the 10 most important tips all website owners should be aware of to keep their sites safe.

1. Using A Firewall

The server your website is hosted on can normally be trusted; it is in the host’s best interest to keep it that way. But that server is connected to the rest of the world, and the rest of the world cannot be trusted in any way. Your online files are unprotected, and malware can arrive through that connection. This is where you need a firewall.

A firewall can be imagined as a brick wall that stops a fire raging outside from coming in; the rest of the internet is the fire. Web hosts normally use two types to protect your site. A hardware firewall is a physical device that sits between your site and the internet. It inspects and tags packets of data as they enter the server to determine where they are coming from, and decides whether the traffic should be happening or not. If it detects malicious traffic, it stops it.

The more familiar type is the software firewall, especially to Windows users. A software firewall checks the speed of traffic, the rate of downloads and uploads, transfer times and IP addresses. If it finds traffic that doesn’t fit what it determines as normal behavior, it blocks that transfer.

2. Keep Updating Your Software

Software becomes obsolete at a very fast pace, and this includes security software: definitions of malicious attacks need to be updated all the time. It sounds basic, but most people forget to keep their software updated. This includes the server operating system and any software running on your website, including the CMS and forum software. Hackers are always looking for security holes and companies are always patching them, so keeping software updated keeps the chances of hackers finding a way in to the bare minimum.

If your website is hosted on a managed hosting platform, you don’t need to worry; they take care of all that. But if you are using third-party software like WordPress, Umbraco and others, make sure you install any update sent your way. They send out updates regularly, so check for them once you log in.

3. Discourage Directory Browsing

Limit the information anyone can access on your site. Blocking directory listings stops hackers from viewing the contents of every directory on your site.

4. Enable HTTPS

HTTPS is a security protocol used to protect users and sites on the internet. What HTTPS does is make sure that users are connected securely to the servers they want to reach, and that no one else can intercept or manipulate what they are doing online. Using HTTPS is highly recommended, most importantly if users will be submitting personal information on your site. Some hosting companies offer encryption for free with a hosting subscription on their servers. Google flags any site without HTTPS as ‘Not secure’, which deters users from going there.

5. Prevent Image Hotlinking

This is simply a precaution to ensure your bandwidth use does not skyrocket. Hotlinking allows other websites to embed images from your site without hosting them themselves. This increases the bandwidth use on your site without increasing your traffic; the danger is that your site’s bandwidth allowance might get used up by other people.

6. Have Backups

The experience of having your website hacked is not something you would like to go through, but it can and does happen. Planning for this is essential. Creating periodic backups of your website is essential on the path to recovery after a major security incident. A website security solution is a better option, but if all else fails, a backup will be a lifesaver for recovering affected files.

These are the requirements for a sufficient backup solution:

  • You don’t want your backups to be on the same server as your main site; they are as vulnerable there as your main site is. Keep them off that server in case of hackers or a hardware mishap.
  • Storing a backup copy of your site on a server is a massive security risk. Most backups will not be up to date with the latest security versions of your software, and these can give hackers a loophole to get access to your server.
  • Backing up your website should be automatic. Trying to remember to back up your site can be a problem because you have so many other things on your mind, and it can slip through the cracks, leaving your site vulnerable until you remember to upgrade or back up. Find a data backup solution that is programmed to do your backups for you when necessary.
  • And finally, have a reliable means of recovery. Having backups of your backups is not being paranoid, it’s being cautious. Then test them to make sure they work. There is nothing worse than getting hacked and restoring your backup only to find it doesn’t work and all your files are truly gone.

7. Two Step Authentication

Add another layer of protection by enabling two-step authentication. Measures such as sending a text to your phone, or any other second factor, can protect your account. This helps deter attackers by requiring another security measure in addition to your password.

8. Scan Regularly

Enlist the help of website scanners like Secure, SiteLock or SiteCheck to periodically scan your entire site for suspicious code and malware. If you even suspect your site could be infected or under attack, scan it immediately. Ultimately, it’s advisable to scan your site at least once a month just to be safe.

9. Protect Your Sensitive Files

Restrict access to certain files, folders and directories. Sensitive information such as login details is stored in CMS configuration files in plain text, and access to these files can greatly compromise your site. You can lock down certain areas of your site, such as the admin areas, and you can also restrict PHP execution in any directory that contains images or processes uploads.
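As an added example (not the article’s own, and written for Apache rather than any particular host), here is how tips 3, 5 and 9 look as .htaccess fragments; the domain, the WordPress-style file layout and the enabled Apache modules are assumptions:

```apache
# Added example, not from the article: two Apache .htaccess fragments that
# implement tips 3, 5 and 9. Assumes Apache 2.4 with mod_rewrite enabled,
# AllowOverride permitting these directives, and a WordPress-style layout
# (wp-config.php in the site root, uploads under wp-content/uploads/).
# "example.com" is a placeholder for your own domain.

# --- /.htaccess (site root) ---

# Tip 3: no directory listings, so a request for /images/ returns 403
# instead of a list of every file in the folder.
Options -Indexes

# Tip 9: the CMS configuration file holds database credentials in plain
# text. Never let the web server hand it out, even if PHP is ever disabled.
<Files "wp-config.php">
    Require all denied
</Files>

# Tip 5: only serve image files when the referring page is this site.
# Requests with no Referer (direct visits, privacy-conscious browsers)
# are still allowed so that legitimate visitors are not blocked.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC]

# --- /wp-content/uploads/.htaccess ---

# Tip 9: uploads are data, not code. Refuse to serve anything named like a
# PHP script from this directory, so a file that somehow lands here cannot
# be executed by requesting it.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
```

Test the hotlink rule from a browser on your own site before relying on it, because a too-strict Referer pattern will break your own image gallery.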

10. Secure Your Site Against XSS attacks

Hackers can attack your site using cross-site scripting (XSS). This injects malicious JavaScript into your pages. These pieces of code then run in the browsers of users who visit your site and can change your page content or steal useful information and send it back to the hacker.

If your page displays comments without validating them, a hacker can easily post comments containing script tags and JavaScript that run in your users’ browsers and steal their login cookies. This can allow the hacker to take over the account of anyone who has ever viewed that particular comment.

This situation is particularly worrisome because many web applications use pages that are mainly built from user content, and this is generally generated as HTML. That HTML is interpreted by popular front-end frameworks like Ember or Angular. Normally these frameworks are good at providing adequate XSS protection, but the advent of mixing server and client rendering creates too many new paths for attack. Inserting JavaScript into HTML is effective in its own right, but an attacker can also introduce content that will run code automatically by using Ember helpers or inserting Angular directives.
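An added example, not from the article, showing the comment-rendering flaw described above next to its hardened form in plain Node.js; the comment object, the cookie name and the function names are constructed for the demonstration:

```javascript
// Added example (not from the article): rendering user comments without
// letting them inject script. Plain Node.js, no dependencies.

// Escape the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The vulnerable pattern the article warns about: raw user input is pasted
// straight into the page, so a comment containing <script> runs in the
// browser of every visitor who views it.
function renderCommentUnsafe(comment) {
  return `<li class="comment" data-author="${comment.author}">${comment.body}</li>`;
}

// Hardened version: every user-controlled value is escaped for the context
// it lands in (attribute value and text node), so the browser displays the
// tags as literal text instead of executing them.
function renderCommentSafe(comment) {
  return `<li class="comment" data-author="${escapeHtml(comment.author)}">` +
    `${escapeHtml(comment.body)}</li>`;
}

// Defence in depth: a login cookie marked HttpOnly is invisible to
// document.cookie, so even a missed escape cannot hand the session to
// injected script the way the article describes.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample comment: one payload aimed at the attribute, one at the body.
const hostileComment = {
  author: 'x" onmouseover="alert(1)',
  body: "nice post <script>alert(document.cookie)</script>",
};

console.log("unsafe:", renderCommentUnsafe(hostileComment));
console.log("safe:  ", renderCommentSafe(hostileComment));
console.log("cookie:", sessionCookieHeader("sid", "constructed session id"));
```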

Regular Review Of Your Website

Getting hacked is a nasty experience, and browsing through your webpages and checking analytics isn’t the best way to prevent it. Scan periodically, apply diligent security measures and keep a security-conscious routine. Getting hacked is bad, but you don’t want it to take a while before you notice, or the damage may be irreversible.


By James Cummings, who is Founder and CEO of dailyposts(.co.uk). He is a business psychologist and serial entrepreneur.
