
Web Site Security Principles

I am going to keep adding to this list, and I will write a blog post about each item to explain it more. If you feel like I missed something, please comment and I will add it to the list.

  1. Use strong passwords and never repeat your password on another account.
  2. Don’t share your usernames and passwords with anyone.
  3. Set up accounts with the least privileges needed for that account to do what it is intended to do.
  4. Install security patches and updates. Know what is installed on your website and where to find updates for it.
  5. Use SSL and other encryption.
  6. Hash all passwords that your website stores and never store passwords in plain text.
  7. Connect only from a secure computer and network.
  8. Set up logging.
  9. Back up your website on a schedule. Automate it; you won’t remember to do it.
  10. Set up file permissions (folders 755, files 644).
  11. Sign up for email alerts on your chosen CMS and other important software.
  12. Use SFTP or FTPS, not FTP.
  13. Log errors; don’t display them.
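Item 10 is concrete enough to check mechanically. The script below is an added example, not code from the original post: it audits a directory tree against the 755/644 rule and can apply it, reporting every folder and file that deviates. It builds its own constructed sample tree (the wp-content/uploads and wp-config.php names are only illustrative) with two deliberately loose modes so it runs stand-alone.

```python
import os
import stat
import tempfile

# Modes from item 10 of the list: folders 755, files 644
DIR_MODE = 0o755   # owner rwx, group/others rx
FILE_MODE = 0o644  # owner rw, group/others r


def audit_permissions(root):
    """Walk `root` and return (path, actual_mode, expected_mode) for every
    folder whose mode is not 755 and every regular file whose mode is not 644.
    Symlinks are skipped: their mode belongs to the target, not the link."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode != DIR_MODE:
            findings.append((dirpath, mode, DIR_MODE))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode != FILE_MODE:
                findings.append((path, mode, FILE_MODE))
    return findings


def fix_permissions(root):
    """chmod every finding from audit_permissions to its expected mode.
    Returns the number of paths changed."""
    findings = audit_permissions(root)
    for path, _actual, expected in findings:
        os.chmod(path, expected)
    return len(findings)


def build_sample_site():
    """Constructed sample tree (not a real site) with two deliberately loose
    modes: a 777 uploads folder and a world-writable wp-config.php."""
    root = tempfile.mkdtemp(prefix="site_")
    os.chmod(root, DIR_MODE)
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), DIR_MODE)
    os.chmod(uploads, 0o777)  # anyone on the host may write here: flagged
    for name, mode in (("index.php", FILE_MODE), ("wp-config.php", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)  # wp-config.php at 666 is world-writable: flagged
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for path, actual, expected in audit_permissions(site):
        print(f"{path}: {oct(actual)} should be {oct(expected)}")
    print(f"fixed {fix_permissions(site)} paths; "
          f"remaining findings: {len(audit_permissions(site))}")
```

Run the audit on a schedule alongside the backups from item 9; a file that has turned world-writable since the last run is worth investigating before it is silently "fixed".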

Basic security steps to secure WordPress

Use a random generated password for your administrator account

Protecting your WordPress administrator account with a secure, randomly generated password is an easy step to start making your site more secure. With so many data breaches and dictionary attacks, passwords like “eaglessmokey32” are getting easy to crack. Hackers are looking at the way people create passwords so they can become better at guessing them. They create algorithms to guess patterns like dictionary word + dictionary word + number, which dramatically reduces the amount of time it takes to guess the password above. The only foolproof password is a randomly generated one with letters (upper and lowercase), symbols and numbers.

If you are having trouble remembering it, look into a password manager like KeePass or LastPass. Both give you a secure, encrypted place to store your passwords, and you can even use them to create your randomly generated password.
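To make the “dictionary word + dictionary word + number” argument concrete, here is an added example (not code from the post) that generates a password from the operating system’s cryptographic random source and compares the size of the guessing space for that pattern against a uniformly random password of the kind the post recommends. The dictionary size of 20,000 words and the two-digit number range are assumptions chosen for the illustration, not figures from the post.

```python
import math
import secrets
import string

# The character classes the post calls for: upper, lower, digits, symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def has_all_classes(password):
    """True if the password contains at least one upper, lower, digit, symbol."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate_password(length=20):
    """Draw a password uniformly from ALPHABET using the OS CSPRNG (the
    `secrets` module, never `random`), rejecting draws that miss a class."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def pattern_guesses(dictionary_size=20_000, number_choices=100):
    """Guesses needed to exhaust the 'word + word + number' pattern the post
    describes once an attacker assumes that pattern. The 20,000-word
    dictionary and the 0-99 number range are assumptions for this example."""
    return dictionary_size ** 2 * number_choices


def random_guesses(length, alphabet=ALPHABET):
    """Guesses needed to exhaust every password of `length` over `alphabet`."""
    return len(alphabet) ** length


def bits(guesses):
    """Express a guessing space as bits of entropy (log2)."""
    return math.log2(guesses)


if __name__ == "__main__":
    print("generated:", generate_password(20))
    print(f"word+word+number pattern: ~{bits(pattern_guesses()):.1f} bits")
    for n in (12, 16, 20):
        print(f"random {n} chars from {len(ALPHABET)} symbols: "
              f"~{bits(random_guesses(n)):.1f} bits")
```

With those assumptions the pattern is worth roughly 35 bits of guessing work, while twenty random characters from a 94-symbol alphabet are worth about 131; the rejection step that guarantees every class is present removes only a small fraction of the space and costs well under a bit.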

Keep all plugins and themes up to date

Lots of security updates are released every day for third-party plugins and themes. Whenever you don’t update a plugin or theme, you’re running the risk of a hacker breaking into your site using the security vulnerability that the developer was so nice to fix for you. If a plugin is freely downloadable, hackers can look at that update, compare it with the older plugin’s source code and see what has changed. This shows hackers where the vulnerability is located. Once they have found the vulnerability, they just have to find a way to exploit it for their gain.

Uninstall all disabled or unused plugins and themes

If you aren’t using it, uninstall it. This is easy and one of the most painless things you can do. It protects you from any vulnerabilities later found in those plugins. You aren’t even using them, so don’t take the risk. Security is about reducing risk.

Know what you’re installing

If you find a plugin that you want to use, stop! First check: is this site either wordpress.org or the plugin developer’s site? If it’s not, why are they hosting this plugin? How do you know that they are hosting the code unchanged? Always go to a trusted source when downloading a plugin, because it only takes one line of code to add a back door. This is especially true when you find a premium plugin on another site. There are lots of hackers that buy plugins, add backdoors to them and put them on third-party download sites.

Next, look to see if you can find any reviews of the plugin. Most of the time you can just go to http://wordpress.org/plugins/, find the plugin and click Reviews. Also look at the change log; this tells you whether the plugin is being updated when problems are found. If the plugin doesn’t have a change log and doesn’t have reviews, it might be worth looking to see if there is a better, more well-known plugin you can use for solving your problem.

Don’t forget to Google the plugin and see if anyone is saying there are any security problems with the plugin you’re about to install.

Remember, every plugin you install increases risk; make sure that it’s worth the risk.

Do backups

Not really security, but it does pay off to have a backup plan. All websites can be hacked. Yes, ALL websites. Because it is impossible to write 100% secure code, there is always a way to break in. For this reason you have to have a backup of your site. Even if your web hosting provider does backups, you have to do your own. Most of the time (I can’t say all the time) backups are stored with your website. This works if you mess up your site, but if your website gets hacked, one of the first things hackers do is delete your backups. So you have to have backups offline where hackers can’t delete them.
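As an added example that is not part of the original post, the script below does the three things this section asks for: it writes the archive somewhere other than the web root (the offsite_dir argument stands in for a separate host, bucket or disk the web server cannot reach), records a SHA-256 sidecar so a corrupted or altered copy is detected, and refuses to restore anything that fails that check. The site tree it packs is constructed inline so the example runs on its own.

```python
import hashlib
import hmac
import os
import tarfile
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large archives never sit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(site_root, offsite_dir):
    """Pack `site_root` into a timestamped .tar.gz inside `offsite_dir` and
    write a sidecar .sha256 beside it. `offsite_dir` stands in for storage the
    web server cannot write to, so an intruder who deletes the backups kept
    next to the site cannot touch this copy."""
    os.makedirs(offsite_dir, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = os.path.join(offsite_dir, f"site-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname="site")
    digest = sha256_file(archive)
    with open(archive + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(archive)}\n")
    return archive, digest


def verify_backup(archive):
    """Recompute the archive's hash and compare it with the sidecar in
    constant time; False means the copy is corrupt or was tampered with."""
    with open(archive + ".sha256") as f:
        expected = f.read().split()[0]
    return hmac.compare_digest(sha256_file(archive), expected)


def restore_backup(archive, dest):
    """Refuse to restore an archive that fails verification, then extract it
    under `dest`. tarfile's 'data' filter blocks members that would escape
    `dest` and strips setuid bits; Pythons without the filter fall back to a
    plain extraction of this self-produced archive."""
    if not verify_backup(archive):
        raise ValueError(f"{archive}: hash mismatch, refusing to restore")
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:  # Python < 3.12 without the backported filter
            tar.extractall(dest)
    return os.path.join(dest, "site")


def build_sample_site():
    """Constructed stand-in for a site directory (not a real install)."""
    root = tempfile.mkdtemp(prefix="site_")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php // constructed placeholder\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    archive, digest = make_backup(site, tempfile.mkdtemp(prefix="offsite_"))
    print("backup:", archive, "sha256:", digest)
    print("verified:", verify_backup(archive))
    print("restored to:", restore_backup(archive, tempfile.mkdtemp(prefix="restore_")))
```

Keep the .sha256 sidecar (or a copy of it) somewhere the archive store itself cannot modify; a verification that only compares a file with a hash stored beside it still catches corruption, but it proves little against someone who can rewrite both.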