Most attacks on your website are made by robots trawling the web for known vulnerabilities. Because the vulnerabilities are known, there are some simple steps you can take to make your company’s website more secure.
Back Up Your Website
Backing up does not make your website more secure, but it should be top of your list nonetheless.
Despite your best efforts to secure it, your website may still be compromised for reasons outside of your control. If you are unable to repair the damage caused by an attack, you need to be in a position to restore a working version from a backup. This matters for several reasons:
- Your website can be fully operational again in minutes
- If your website is compromised in such a way that other websites on the same server are affected, you risk having your website removed until the problem can be resolved
- Your developer can compare a clean backup and the damaged website to understand how your website was compromised and prevent the problem from happening again.
Here’s what to consider when putting together a backup plan:
- What to back up – If your website is based on a content management system (CMS) such as WordPress, Drupal or Umbraco, you will need to back up your website’s database(s) as well as the website files
- Frequency of backup – This is largely dependent on how often the information on your website changes and what it consists of. As a guide, the database of an eCommerce website should be backed up hourly to avoid losing order information. For most other websites a nightly backup should be sufficient.
- How to implement your backup plan – If you’re unsure about this step, speak to your developer / hosting provider for help in implementing a backup plan.
- How to initiate your backup plan – You may already have a backup plan in place but you need to know how to initiate it. Will your developer handle this for you?
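The backup plan above, as an added example written for this post rather than code from the author or from any CMS vendor: one timestamped run archives the site files, saves a database dump produced by an external command (passed in as a list of arguments, so a real deployment would hand it something like `mysqldump`), prunes copies older than a retention period, and can restore the files from a chosen backup. The directory layout, the `keep_days` retention, and the stand-in dump command used by `demo()` are all assumptions made for the example; `demo()` builds a throwaway site from constructed sample files so the whole cycle runs without a web server or database.

```python
"""Timestamped site backup: files archive + database dump + pruning + restore.

Added example for the backup plan discussed above; not the post's own code.
Assumed layout (hypothetical): <dest>/<UTC timestamp>/site.tar.gz and db.sql.
"""
import shutil
import subprocess
import sys
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

STAMP_FORMAT = "%Y%m%dT%H%M%SZ"


def backup_site(site_dir, dest_dir, db_dump_cmd=None, keep_days=14, now=None):
    """Write one backup directory and return its path.

    db_dump_cmd: argument list whose stdout is the SQL dump, for example
    ["mysqldump", "--single-transaction", "shopdb"]; None skips the database
    step (a static site has nothing to dump).
    """
    now = now or datetime.now(timezone.utc)
    out = Path(dest_dir) / now.strftime(STAMP_FORMAT)
    out.mkdir(parents=True, exist_ok=False)  # never silently overwrite a backup

    # Archive the web root under its own directory name so that restoring is a
    # plain extraction next to the original location.
    with tarfile.open(out / "site.tar.gz", "w:gz") as tar:
        tar.add(site_dir, arcname=Path(site_dir).name)

    if db_dump_cmd:
        with open(out / "db.sql", "wb") as fh:
            subprocess.run(db_dump_cmd, stdout=fh, check=True)

    prune_old_backups(dest_dir, keep_days, now)
    return out


def prune_old_backups(dest_dir, keep_days, now=None):
    """Delete backup directories at least keep_days old; return their names."""
    now = now or datetime.now(timezone.utc)
    removed = []
    for entry in Path(dest_dir).iterdir():
        try:
            made = datetime.strptime(entry.name, STAMP_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            continue  # not a directory this script created
        if entry.is_dir() and (now - made).days >= keep_days:
            shutil.rmtree(entry)
            removed.append(entry.name)
    return removed


def list_backups(dest_dir):
    """Backup directory names, oldest first (the timestamp format sorts)."""
    return sorted(p.name for p in Path(dest_dir).iterdir() if p.is_dir())


def verify_backup(backup_dir):
    """Confirm the archive opens and count what it holds; a backup nobody has
    checked is not yet a backup you can rely on."""
    backup_dir = Path(backup_dir)
    with tarfile.open(backup_dir / "site.tar.gz", "r:gz") as tar:
        files = sum(1 for m in tar.getmembers() if m.isfile())
    dump = backup_dir / "db.sql"
    return {"files": files, "db_bytes": dump.stat().st_size if dump.exists() else 0}


def restore_site(backup_dir, target_dir):
    """Extract the files archive into target_dir and return that path."""
    target = Path(target_dir)
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(Path(backup_dir) / "site.tar.gz", "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # archive is our own output
        except TypeError:  # Python versions without the filter argument
            tar.extractall(target)
    return target


def demo():
    """Run the full cycle on a constructed throwaway site and report results."""
    work = Path(tempfile.mkdtemp())
    site, dest = work / "www", work / "backups"
    (site / "uploads").mkdir(parents=True)
    (site / "index.php").write_text("<?php echo 'hello'; ?>\n")      # constructed
    (site / "uploads" / "logo.txt").write_text("constructed upload\n")
    dest.mkdir()
    (dest / "20231201T020000Z").mkdir()  # stale copy, 45 days before fixed_now
    fixed_now = datetime(2024, 1, 15, 2, 0, tzinfo=timezone.utc)
    # Stand-in for mysqldump so the example runs without a database server.
    dump_cmd = [sys.executable, "-c", "print('-- constructed dump')"]
    made = backup_site(site, dest, dump_cmd, keep_days=14, now=fixed_now)
    restored = restore_site(made, work / "restore")
    result = {
        "backup": made.name,
        "remaining": list_backups(dest),
        "db_dump_first_line": (made / "db.sql").read_text().splitlines()[0],
        "restored_index": (restored / "www" / "index.php").read_text(),
        "verify": verify_backup(made),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

Run it nightly from cron (hourly for an eCommerce database, as the post advises) and keep the destination on separate storage; a backup written to the same disk as the site disappears with it.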
The Right Username
If you use a CMS you will use a username and password to log into it. Choosing the right username is a simple way to help prevent attacks.
- Avoid names a robot might think of e.g. ‘admin’, your company name, your website’s name
- If such names exist, remove / change them
- If your content editors’ names are displayed alongside their posts/pages, they should avoid using their name as their username. For example, Sam Smith would be more secure using a nickname such as ‘smithy’ than ‘Sam Smith’
Secure Password / Passphrase
In its simplest form a passphrase is a password that consists of a phrase rather than a single word. The main benefit is the length a phrase naturally has, which makes brute-force attacks much less likely to succeed. Additionally, dictionary-based attacks (where passwords are compared to words in a dictionary) are less likely to find a passphrase than a password. The same rules that apply to passwords apply to passphrases. Here’s how to create one:
- Aim for at least 12 characters
- Avoid well known phrases
- Include special characters, mixed case and numbers in your passphrase
- Don’t make it so hard that you have to write it down to remember it
- Avoid using the same passphrase in more than one location
Here’s an example passphrase: B0!lPastaF0rT3nM!nut3s (BoilPastaForTenMinutes)
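The rules above, turned into a server-side check, as an added example that is not part of the original post. `passphrase_problems()` reports every rule a candidate breaks, and `normalise()` undoes the common letter-for-digit substitutions before comparing with a wordlist, because dictionary attacks apply exactly those substitutions. `search_space_bits()` puts a number on the length argument: the base-2 logarithm of how many guesses an attacker who knows the character classes used would need to cover. The `COMMON_PHRASES` set is a constructed stand-in for a real wordlist, and the substitution table is an assumption of the example.

```python
"""Passphrase policy check and brute-force search-space estimate.

Added example; not code from the post. COMMON_PHRASES is a tiny constructed
stand-in for the large wordlists real dictionary attacks use.
"""
import math
import string

COMMON_PHRASES = {
    "password", "letmein", "qwerty", "iloveyou", "welcome",
    "tobeornottobe", "maytheforcebewithyou", "correcthorsebatterystaple",
}

# Substitutions a cracking rule set reverses before a wordlist lookup (assumed
# table, not exhaustive): P@ssw0rd is "password" to a dictionary attack.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def normalise(passphrase):
    """Lower-case, undo substitutions, and keep letters only."""
    return "".join(ch for ch in passphrase.lower().translate(LEET) if ch.isalpha())


def passphrase_problems(passphrase, min_len=12):
    """Return the list of rules the passphrase breaks; empty means acceptable."""
    problems = []
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in passphrase):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in passphrase):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no digit")
    if not any(c in string.punctuation for c in passphrase):
        problems.append("no special character")
    if normalise(passphrase) in COMMON_PHRASES:
        problems.append("well-known phrase")
    return problems


def search_space_bits(passphrase):
    """log2 of the guesses needed to exhaust every string of this length drawn
    from the character classes the passphrase uses."""
    alphabet = 0
    if any(c.islower() for c in passphrase):
        alphabet += 26
    if any(c.isupper() for c in passphrase):
        alphabet += 26
    if any(c.isdigit() for c in passphrase):
        alphabet += 10
    if any(c in string.punctuation for c in passphrase):
        alphabet += len(string.punctuation)  # 32 printable symbols
    if alphabet == 0:
        return 0.0
    return round(len(passphrase) * math.log2(alphabet), 1)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to try every candidate at an assumed guessing rate."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "boilpastafortenminutes", "B0!lPastaF0rT3nM!nut3s"):
        bits = search_space_bits(candidate)
        print(f"{candidate!r}: problems={passphrase_problems(candidate)}, "
              f"bits={bits}, years={years_to_exhaust(bits):.3g}")
```

The numbers make the post's point: the 22-character lower-case phrase alone spans roughly 103 bits against about 52 bits for an eight-character password that uses every character class, and the mixed version of the post's example reaches about 144 bits. Treat the guessing rate as illustrative; offline cracking against a weak hash runs far faster than an online login form ever allows.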
Turn off FTP
FTP (File Transfer Protocol) is a simple protocol used to allow uploading/downloading of files to/from a website. It is insecure because it sends all data (including your FTP account’s username and password) in plain text. If this data is intercepted your website can be compromised. If you are currently using FTP consider the following:
- Look for alternatives such as FTPS or SFTP, both of which encrypt the information sent and received
- If you only have FTP available to you then look for ‘locking’ tools which allow you to disable FTP access until it is unlocked
Security Plugins
Some platforms offer security plugins to help determine vulnerabilities or advise you of changes to files and unauthorised attempts to access your website.
- Ask your developer whether there is anything available for your website
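What a file-change plugin does, and how a developer compares a clean backup with a damaged site (the third reason given for backups above), come down to the same operation: record a hash of every file in a known-good copy, then diff the live site against it. Below is an added example of that check, not code from the post or from any plugin: `build_manifest()` hashes every file under a directory with SHA-256, `compare_manifests()` reports added, removed and modified paths, and `demo()` runs it over a constructed clean copy and a constructed live copy with three deliberate differences. The manifest file name and JSON layout are assumptions of the example.

```python
"""File-integrity manifest: hash a clean site, diff the live site against it.

Added example; not the post's code. Works for any directory tree, so the same
check covers a CMS install, its uploads folder, or a restored backup.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hex SHA-256 of a file, read in chunks so large uploads do not fill RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file (path relative to root, POSIX style) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare_manifests(baseline, current):
    """Diff two manifests: files only in current, only in baseline, or changed."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo():
    """Constructed clean and live copies of a small site; returns the diff."""
    work = Path(tempfile.mkdtemp())
    clean, live = work / "clean", work / "live"
    for root in (clean, live):  # identical starting point, constructed content
        (root / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'site'); ?>\n")
        (root / "uploads" / "readme.txt").write_text("constructed upload\n")
    # Three constructed differences in the live copy: one edited file, one new
    # file where only uploads should appear, one file that has gone missing.
    (live / "index.php").write_text("<?php echo 'hello'; ?>\n// constructed change\n")
    (live / "uploads" / "unexpected.php").write_text("<?php // constructed ?>\n")
    (live / "uploads" / "readme.txt").unlink()

    save_manifest(build_manifest(clean), work / "manifest.json")  # taken from the clean copy
    report = compare_manifests(load_manifest(work / "manifest.json"), build_manifest(live))
    shutil.rmtree(work)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest somewhere the web server cannot write, and rebuild it after every legitimate deployment or CMS update; otherwise the next comparison reports your own changes alongside anyone else's. A new `.php` file under an uploads directory, as in the demo, is exactly the kind of finding worth an alert.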
I hope you have found this guide useful. If you have any queries, please get in touch.
Guest post by Conrad Goodenough
Conrad works for Broadbean Digital where they provide fresh, bespoke websites and design services with the end user in mind.