11 ways to secure a website from hackers

In 2013, more than 2 million passwords were stolen, according to Daniel Chechik and his team at Trustwave SpiderLabs. On January 20th, 2014, Naoki Hiroshima described how he lost control of his website to a hacker, who only handed the login back to him after Hiroshima gave up his Twitter login credentials, said to be worth USD 50,000; he explained that the security breach was caused by GoDaddy!

Daniel Cid, CTO of Sucuri (a world-acclaimed web security company), posted on their blog about a mass security breach affecting websites that use the OptimizePress theme, with 2,000 websites compromised. He stated that Google had started to blacklist the compromised sites; his recommended fix was that users of the theme simply upgrade to the latest version.

The waves of website hacking attacks show no sign of abating, and if you are a blogger, webmaster, website owner or online publisher, it is time to take your website security seriously. I will explain five areas that make your website vulnerable and the ways and tools that can be used to address them.

Recommended reading: 7 proven steps to protect your WordPress website security

  • Activate privacy protection for your domain name

I learned a serious lesson from Naoki Hiroshima's horrible experience, especially since he claimed the security breach was caused by GoDaddy. It is very important to hide the identity of a domain name's owner from public view, and this can only be done by activating that option with your domain registrar (at a small additional cost on top of the domain name). A simple lookup on whois.com will reveal important, confidential and private details about the owner of a website, and such exposed details can be used by hackers and online thieves.

You can check the owner and registrar details of any website or blog here: http://www.whois.com/whois/

So how? Simply go back to where you bought your domain name (e.g. GoDaddy, Bluehost, etc.), log in, go to the settings or upgrade area, find the privacy option and activate it so that your domain name's details are hidden from public view.

  • Check whether your web host's server is revealing critical information to the public

Thanks to Enstine Muki for sharing these important website security tips. In his post on how to secure a website, Enstine pointed out two URLs that show whether your server is wrongly exposing details via a browser:

  • http://yourdomainname.com/wp-includes/vars.php
  • http://yourdomainname.com/wp-includes/

He explains that if you try the above in a browser with your own domain name and details are revealed (a directory listing or a PHP error message, as in the image from his post), your server is exposing dangerous information to hackers, and as such your blog/website is not safe. I highly recommend you check out his post for a fuller understanding.

  • Go a step further: scan your own website for vulnerabilities with Acunetix

No human being is perfect, and the same goes for machines and tools; the Acunetix program can scan your entire blog or website and check for possible vulnerabilities. It is better to check now rather than wait until hackers use the free program and discover that your blog is vulnerable. If you use the free program and discover any vulnerability, you can quickly inform your web host provider or simply act to correct the fault.

Use the free trial to scan your blog/site before hackers do!

This is an essential tool that hackers use to check for a vulnerable site before attacking it, so be smart!

  • Don't build a website from scratch; use open source scripts

We live in a jet age where technology moves fast; writing your own code or relying on simple website tools may not be enough to keep your website secure. It is good if you can, but will you have the time, up-to-date knowledge and skills to maintain it and keep up with the latest security trends? This is where open source scripts come in.

WordPress is the best open source script website platform

Examples of open source scripts include WordPress, Drupal, Joomla, etc. These provide a reliable and highly secure platform for your website because they have thousands of coders and programmers providing support and free updates. Their code is professionally and neatly written; poorly written code can be exploited by hackers, who will simply destroy your website. This tip is one of the ways to secure a website or blog.

Recommendation: build your websites using WordPress or Joomla; if you have the cash (i.e. a payroll), you can employ programmers to write the code for your website (though I don't recommend it). It is better to use a strong, established platform to build your website.

  • Beware of phishing emails: secure your admin email ID

Most people are unaware of this. The email used to register your domain name and the one used to sign up for your web hosting should be kept secure. In particular, the email ID used to access the control panel of your hosting account should not be made public.
Most bloggers make the mistake of using this same email address on their contact page; the danger is that hackers can send you phishing emails that look authentic and original, as if your web hosting company sent them. Beware!

  • Use secure FTP access

Nearly all web host providers support FTP for transferring files and images to your hosting account. While this is a good thing (and better than editing or adding files through the editor section of your WordPress dashboard), it is also one major avenue that hackers, scammers and spammers can use to access your website.
To use FTP, there are two options:

  • Ordinary FTP
  • The more secure SFTP

SFTP is more secure than ordinary FTP, because plain FTP sends your login details and files over the network unencrypted; if your web server allows SFTP (mine does), use it. I only recommend the WinSCP (http://winscp.net/eng/index.php) and FileZilla (https://filezilla-project.org/) clients for uploading your files.

  • Stay updated: plugins and software should be up to date

The scripts and software you use on your website should be kept up to date. For WordPress users, it is highly important that you keep updating your present version to the latest one. Hackers are always on the lookout for vulnerabilities in outdated programs, software and scripts. Stay alert; with a managed WordPress hosting account, the web host automatically upgrades your installation to the latest version. This is where a credible web host matters (I recommend WPEngine and Synthesis).

Keep an eye on the overall health of your plugins and make sure they are updated promptly!

  • Add a robots.txt file

In an earlier article, I discussed how the wrong use of a robots file can lead to a Google penalty. In the context of security consciousness for your website, being careful with the robots file is important. Some public files need to be blocked, i.e. kept out of the search engines' index, and that is exactly the job of the robots file (bear in mind that it only asks well-behaved crawlers to stay away; it does not stop anyone from requesting those paths directly, and the file itself is publicly readable). You can use the following robots file example to achieve this:

User-agent: *
Disallow: /cgi-bin/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /recommended/
Disallow: /comments/feed/

PS: Only those files should be blocked; don't go beyond this!

I highly recommend WordPress SEO by Yoast, which lets you edit the robots file easily.
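To tie the wp-includes check above to this robots.txt: the following Python script (an added example, not code from the original post) reads the Disallow paths from your own site's robots.txt, requests each of them plus /wp-includes/vars.php, and reports whether the server answers with a directory index or a PHP error. BASE_URL is a placeholder, and the response markers are common Apache index-page and PHP error strings, assumed here.

```python
# Added self-check for your own site (not code from the original post): audit
# the robots.txt Disallow paths for directory listings and PHP error leaks.
import urllib.error
import urllib.request

BASE_URL = "https://example.com"  # constructed placeholder: use your own site
EXPOSED_MARKERS = ("<title>Index of", "Parent Directory",  # Apache index page
                   "Fatal error", "Warning:", "Call to undefined function")  # PHP

def disallowed_paths(robots_txt: str, agent: str = "*") -> list:
    """Paths the `agent` group of a robots.txt asks crawlers to avoid."""
    paths, applies, in_rules = [], False, False
    for raw in robots_txt.splitlines():
        key, _, value = raw.split("#", 1)[0].partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if in_rules:  # a User-agent line after rules starts a new group
                applies, in_rules = False, False
            applies = applies or value == agent
        elif key == "disallow":
            in_rules = True
            if applies and value:
                paths.append(value)
    return paths

def classify(status: int, body: str) -> str:
    """'hidden' for 403/404, 'exposed' if an index or PHP error is shown."""
    if status in (403, 404):
        return "hidden"
    return "exposed" if any(m in body for m in EXPOSED_MARKERS) else "ok"

def fetch(url: str) -> tuple:
    """GET the URL; an HTTP error still yields its status code and body."""
    req = urllib.request.Request(url, headers={"User-Agent": "self-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")

def audit(base_url: str, robots_txt: str) -> dict:
    """Verdict per Disallow'ed path, plus the direct vars.php request."""
    paths = disallowed_paths(robots_txt) + ["/wp-includes/vars.php"]
    return {p: classify(*fetch(base_url.rstrip("/") + p)) for p in paths}

if __name__ == "__main__":
    robots = fetch(BASE_URL + "/robots.txt")[1]
    for path, verdict in audit(BASE_URL, robots).items():
        print(f"{path}: {verdict}")
```

If a Disallow'ed directory comes back "exposed", the fix is on the server, not in robots.txt: on Apache, `Options -Indexes` in the site's .htaccess turns directory listings off.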

  • Use strong passwords and a non-infected browser/PC

The importance of a strong password cannot be overemphasized; weak passwords are everywhere, and they are weak because they are easy to guess. Stop using the same password across multiple blogs/sites.

These powerful tips from Forbes are a must-read: http://www.forbes.com/sites/jameslyne/2014/01/31/yahoo-hacked-and-how-to-protect-your-passwords/

In addition, using a good, up-to-date browser is important for the security of your website. Make sure your browser is updated, always clear the cache after surfing and don't allow the browser to store cookies. Run antivirus and anti-malware scans regularly on your PC/laptop.

  • Install and use an SSL certificate

An SSL certificate is meant to protect your website and offer it high security; it provides a protocol for securing traffic over the Internet. It is essential if you are running an e-commerce site or handling transactions. Most web hosts (e.g. GoDaddy) offer this as an optional feature at a considerable price, and if your host does not offer it, you can check the following recommended companies:

That's all!

  • Avoid using free themes if your website is built on WordPress

Detailed guidelines on the disadvantages of free WordPress themes were published earlier, and I'm pretty sure the security tips there will be helpful to you. Websites or blogs built with a free WordPress theme are not secure and can easily be hacked!

Recommended: Six disadvantages of free WordPress themes - why you should not use them

Recommendation

Approximately 75% of the 10 ways listed can be handled perfectly well by your web host service provider. Look, I had to switch to an expensive host provider, but I am assured of peace of mind, and this allows me to focus on other pressing issues concerning growing my business portfolio.

I recommend: WPEngine WebHost and Synthesis WebHost

Over to you / Feedback

Thanks for taking the time to read my blog post; I hope you have gained some valuable information. Please share your opinions and additional details in the comments section.
