In today's economic climate the issues of security have come to the forefront as web site hackers and computer system attacks grow globally. In the past month or so I have been writing a series of articles on various aspects of website strategy and how to address your website content to boost your online business.
Today I asked myself, if the website we are running has weakness in terms of security and performance, then what is the benefit if our website has educated content and in the same time we don’t control site’s access very well?
There are many ways a website can be hacked or attacked. Here are some actions that website owners can take to protect their sites.
Unusual visitor numbers
In your hosting control panel, you can see logs analyzing website visits. For instance, you can check the one month how many of real visitors to a single page you have on your website. We have to make sure those visits are recorded in Google Analytics and count as page views in AdSense reports as a real visitors not fake.
As an admin or a person running my own website, I have to make sure those visitors are not generated by spam softwar. As they could be using your address to send out spam, or trying to gain access. In Google you can find IP address lists with locations, and sometimes listing their reputation. In the hosting control panel there is a facility to deny specified IP addresses which can block that IP. But you can also block a range of addresses. That is wise because a bad IP can be just part of a range.
Passwords
Years ago it was common to set passwords as memorable words. But these are easy to guess, like names, birthdays, places and keywords from the website. These should be replaced by more secure passwords. Use at least 8 characters and include upper and lower case letters, numbers and symbols (@#$% etc.). These can still be made memorable by taking a word and separating letters with numbers and symbols, or replacing letters with numbers and symbols. E.g. Yasser can be 6A55E$ but it would be even more secure if it was just a jumble of characters.
Latest software version
Always update any website building software (such as WordPress or Drupal) to the latest version. These software updates can be frequent and will close any loopholes that hackers have found.
Files that get hacked
If your website is found to be sending out spam emails it could be that some hacker has got lucky, guessed your password and altered one or more of the website files to automatically send spam. This can cause your host to suspend your website.
To fix that you should change your password and using an FTP program or File Manager find which files have been modified by listing them in date order. Alternatively you can just reload the whole website from the copy on your computer, or from your web designer. Or you can reinstall your CMS such as the WordPress or Drupal and import the exported MySQL database.
Insecure Forms
Protect your site from hackers trying to guess a password by coupling login name and password for validation. Have the response say something like "Either the name or password is invalid" so that the hacker doesn't know which one is incorrect.
Add Captcha to your forms. This is a script that requires the visitor to type characters from an image on the form, something an automated spam program cannot do. It stops hundreds of spam emails from the form.
Forms Allowing File Uploads
Limit the extensions of file uploads to those of images, JPG, JPEG, GIF, PNG, etc. to avoid any executable files getting uploaded to your website. Have any uploads go to a folder outside the website.
SSL
To keep any visitor's personal details entered on a form secure, get your host to install an SSL certificate. This should cover any form with sensitive information such as credit card details, or date of birth, driver's license and any details allowing identity theft. This will cost a few dollars per year but will make your visitors feel better about filling in such a form.
ModSecurity
Many web hosts have installed this security plugin to their firewall. This blocks any IP address from which a number of invalid login attempts have been made in a short period. This slows down any nefarious hacker from guessing your username and password to login to your control panel or FTP or email account.
Unfortunately the odd website owner who has a lapse of memory can, by using the wrong password too often, lock themselves out of their own website. Fortunately they can ask their host to unblock them.