From using your server for spam to injecting code that could steal the data of your site visitors – there are a plethora of reasons why attackers target even small, relatively unknown websites. Because of that, even if you think that no one would be interested in breaking into your web property, you need to secure it from day one. Otherwise, you could lose all the hard work – usually, when you least expect it.
And while you can never be 100% sure that your site is fully protected, there are things which you can do to minimize the risk of a security breach.
1. Keep Everything Updated
Keeping everything up to date is a must not only because you want the latest features, but also for security reasons. According to Symantec, over 75% of all legitimate websites contain unpatched vulnerabilities. And yet they are one of the easiest ways for attackers to penetrate your website. If you are using WordPress, a leading content management system, updating your theme and plugins is very easy – just go to the dashboard and check which of them require updating.
And what about the whole server? If you own a dedicated server that allows root access, you can update the system using just one command. All you need to do is establish an SSH connection and execute the following command:
As you can see, keeping the most important files updated is very easy – just don’t forget to do it frequently enough. Attackers never sleep!
2. Use an HTTPS Protocol
For the last couple of months, HTTPS protocols have become required by Google to recognize your website as secure. And it’s no surprise that having one helps protect the online privacy of your visitors. An HTTPS protocol hides their activity and makes it harder to view what they are doing or steal the data that they are sending to your website. And thanks to initiatives such as Let’s Encrypt, you don’t have to pay a dime for an SSL!
But there is one more reason why you should consider getting an SSL certificate if you don’t have one yet – trust. Because it makes it easy for visitors to check whether your website is secure or not, it helps make your website more trustworthy. On top of all that, some believe that having a certificate is a ranking factor that can give you a slight boost in Google SERPS. Considering it’s free, it’d be a sin not to get one!
3. Don’t Use Default Usernames and Check Your Passwords Frequently
The third point to keep in mind is your usernames and passwords. Even though this may sound simple, statistically almost 75% of people in the United States and the UK use the same password for different accounts. It’s no surprise then that stolen passwords cause 81% of data breaches. But this would also mean that losing your credentials to just one service could harm all of them – including your websites.
Because of that, it’s essential that you keep your passwords unique. On top of that, it’s wise to change them frequently – sometimes, your compromised access details may be available online for weeks before they get used. And if you happen to change the password in time, you won’t suffer any damages.
Similarly, never use the default username. Doing that significantly reduces the security of your account – as potential hackers have one less thing required to take control over your account.
4. Install A Firewall on Your Server
Despite the fact that the majority of attacks happen because of compromised access details, having a firewall in place is still one of the core things you can do to improve the security of your website. And there are two different firewalls which you can install – a server-side one and a website one. Let’s start with the former – we will use the ConfigServer Firewall.
Before you start, update your system using the command
Next, make sure that you are in the /root directory:
After that, you can download the files from the official server:
Once the archive is there, unpack it:
tar -zxvf csf.tgz
Then, go the directory created by the archive:
And begin the setup:
Once the installation finishes, your firewall is ready. Depending on your server, you may have to configure it to allow specific IPs - you can get in touch with your support if you have problems with the configuration.
5. Get a Basic DDoS Protection
The next layer of protection that you should add is a simple DDoS protection. Unless you are an already established business, a simple and free protection plan from Cloudflare should be enough. While it won’t protect you from a professionally-organized DDoS attack, it’s a perfect choice for personal websites and blogs. Of course, as your website grows, you should jump on the pay plan – either from them or from other providers of which there are plenty.
6. Choose a Quality Server and Stay in Touch with Support
On top of deploying the firewall on your server, there are many other things which you can do to secure your site. But to make sure if you are doing the right thing and check whether your actions aren’t actually harming your site (or blocking an already existing software) it’s good to reach out to the support.
In fact, I would say that having a good relationship with your server support is mandatory if you want to keep your website secure. In the end, even if you are on an unmanaged VPS, a good support team will be happy to give you a hand and provide you with tips on what you can do to improve the security of your server instance.
An interesting and affordable example of such hosting is the Hottinger's unmanaged VPS: www.hostinger.com/hosting/vps, which, despite being an unmanaged package, comes with a 24/7/365 days support. A great opportunity to learn the hosting intricacies while being able to contact someone more experienced should you have any questions or doubts regarding your setup.
7. Install Security Plugins and Add-ons
On top of having a firewall, you need to secure the website itself. This is because some content management systems are targeted by hackers much more often than others – including the most popular ones such as WordPress, Joomla! and Magento (with the first of the three leading significantly). Of course, that doesn’t mean that those platforms are less secure. But, because they are much more popular, there are more websites to target and plenty of users who ignore basic security rules.
For example, when it comes to WordPress, you can secure your website by installing three simple types of plugins:
- WordPress Firewall
- Malware Scanner
- A plugin to hide your WP admin panel (or even the whole installation).
As you can see, you can highly increase the security of your website without spending a single penny on it (except for a hosting with good support – but you need a place to host your website anyway, so that doesn’t count). So, what are you waiting for? Go back to #1 and start securing all your web properties now!