How to ensure your CMS website security in 2019 (the basics)
Cyber attacks are a digital phenomenon that no institution, organization or business in the world is fully immune to.
They could seriously compromise your reputation and discourage visitors from coming back.
Usually, site security is associated with serious investment in protective measures and backend operations which are within the competence of developers.
However, there are a few basic steps you can take on your own to safeguard your website that could save you the cost of hiring a specialist.
With the advance of web development technologies where the focus has been fixed on user-friendliness, it has become really easy for site owners to jumpstart their own site.
Free CMS solutions like WordPress and Joomla have allowed site owners to take almost full control of their web presence.
Thanks to the plethora of ready-made themes, point-and-click customization options and useful plugins on offer, the learning curve for creating a website has shrunk considerably.
Essentially, it has become really painless for site owners to launch and manage their own web presence with ease.
However, when focused on building their own website and making it successful online, site owners may often overlook a critical component – website security.
The web environment is full of smart abusers and ever evolving threats.
Ensuring a safe experience for visitors must be a top priority for site owners.
Luckily, there are some easy-to-understand options that could help site owners take control of site security for themselves.
Keep your passwords secure
The first and foremost step you should take to keep the doors of your website well locked is to create passwords that are strong enough to be hard to break.
Create long & complex passwords – the best proven formula for a strong password is length (a minimum of 8 characters, and preferably longer than 12) combined with an elaborate mix of upper-case and lower-case letters, numbers and special characters.
Use a unique password for each login – every single password you have (e.g. for admin area, for database, for email, etc.) should be unique.
The handiest way to keep unique passwords is to use a password manager (such as LastPass or Sticky Password), since it stores your passwords in encrypted form.
Use random combinations – according to security best practices, you should avoid using easy-to-guess information like your birthday or dog’s name in your password. Password-cracking programs can guess millions of passwords in minutes.
So, if a hacker gets hold of other information about you, cracking your password becomes child’s play.
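To make the three rules concrete, here is an added example (not part of the original post) of a small checker that applies them: minimum and recommended length, a mix of character classes, and no guessable personal details. The personal-detail list, the three-class threshold and the sample passwords are constructed for the example; the entropy figure is an upper bound and is only good for rejecting weak choices, never for proving a password strong.

```python
import math
import string

MIN_LENGTH = 8           # hard minimum from the post
RECOMMENDED_LENGTH = 12  # "preferably longer than 12" from the post
MIN_CLASSES = 3          # assumption: want at least three of the four classes

# Constructed example of details an attacker could find out about the account
# owner (pet name, birth year, surname); a real checker would build this list
# from the account profile.
PERSONAL_TERMS = ["rex", "1985", "smith"]

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password: str) -> list:
    """Names of the character classes that appear in the password."""
    chars = set(password)
    return [name for name, members in CLASSES.items() if chars & members]


def entropy_bits(password: str) -> float:
    """Upper bound on strength: bits if every character were drawn uniformly
    from the union of the classes used. Dictionary words score far lower in
    reality, so treat this as a filter for weak passwords only."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def assess_password(password: str, personal_terms=PERSONAL_TERMS) -> dict:
    """Apply the post's three rules: length, character mix, nothing guessable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) < RECOMMENDED_LENGTH:
        problems.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")
    used = classes_used(password)
    if len(used) < MIN_CLASSES:
        problems.append(f"uses only {len(used)} of {len(CLASSES)} character classes")
    lowered = password.lower()
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains guessable personal detail {term!r}")
    # Runs of one character ("aaaa") or simple ascending sequences ("abcd",
    # "1234") add length without adding strength.
    for i in range(len(password) - 3):
        run = password[i:i + 4]
        ascending = all(ord(run[j + 1]) - ord(run[j]) == 1 for j in range(3))
        if len(set(run)) == 1 or ascending:
            problems.append(f"contains the trivial sequence {run!r}")
            break
    return {
        "length": len(password),
        "classes": used,
        "entropy_bits": round(entropy_bits(password), 1),
        "problems": problems,
        "acceptable": not problems,
    }


if __name__ == "__main__":
    for candidate in ["rex1985", "Password1", "Correct-Horse-Battery-7Staple"]:
        print(candidate, assess_password(candidate))
```

The same checks are what a password manager's generator satisfies by construction, which is the simpler route for most site owners; the checker is useful when you must accept passwords typed by other admins.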
Change the “admin” username
During installation, CMSs set up an ‘admin’ username by default. If someone wants to access your admin area and your username is still the default one, the attacker’s job is already half done.
To fix that, once you have installed your CMS, you should create a new user with admin privileges.
You can see how to do that for a WordPress site on our blog. The procedure for other CMSs is similar.
Enable 2-factor authentication (2FA)
With 2FA enabled, aside from the standard username/password login submission, you will be asked to authenticate yourself in another way as well.
The most common two-factor authentication method is the phone-based verification, be that via an app or a text message.
It’s important that you enable 2FA for all accounts with admin privileges.
Most popular CMSs offer 2FA plugins. Check out our post on the best two-factor authentication plugins for WordPress if you use the popular blogging platform for your site.
Install safe CMS extensions
Thanks to their extensible nature, CMSs offer a variety of add-ons and extensions that can complement a website with virtually any functionality you could imagine.
However, extensions could also hide security risks, because their open-source code is equally accessible to developers and malicious hackers alike.
That’s why you should be very picky about the extensions you use.
Here are a few proven ways to assess their safety:
The extension should be from a legitimate source: always download your plugins, add-ons and themes from trusted sources.
Getting downloads from shady sites or installing free pirated versions could infect your installation with malware.
The extension should be regularly updated: look for plugins which are maintained by their authors and get regular updates.
If the last update date for a plugin was more than a year ago, that should ring an alarm that its author has stopped supporting it and it is left prone to security breaches.
The extension should have a good download rating: pay attention to a given extension’s number of downloads and the feedback it has received.
A plugin with a high install count and positive reviews points to a trusted developer who cares about security.
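The three checks are easy to automate when you are vetting several extensions at once. Here is an added example (not from the post, nor any CMS's own tool) that scores extension metadata against them. The record fields are loosely modelled on what the wordpress.org plugin directory API returns (last_updated, active_installs, rating, num_ratings), but the trusted-source list, the thresholds and every sample record are assumptions constructed for the example.

```python
from datetime import date, timedelta

# Assumptions for this example: the official directory for each CMS and what
# "popular enough" means. Tune to your own comfort level.
TRUSTED_SOURCES = {"wordpress.org", "extensions.joomla.org", "drupal.org"}
MAX_STALE_DAYS = 365        # the post: more than a year without an update is an alarm
MIN_ACTIVE_INSTALLS = 1000
MIN_RATINGS = 10
MIN_RATING_PERCENT = 80     # rating on a 0-100 scale, as the wordpress.org API reports it


def triage_extension(info: dict, today: date) -> dict:
    """Score one extension's metadata against the post's three checks:
    trusted source, recent maintenance, and a healthy install/rating record."""
    flags = []
    source = info.get("source", "")
    if source not in TRUSTED_SOURCES:
        flags.append(f"untrusted source: {source or 'unknown'}")
    last_updated = date.fromisoformat(info["last_updated"])
    stale_days = (today - last_updated).days
    if stale_days > MAX_STALE_DAYS:
        flags.append(f"not updated for {stale_days} days")
    if info.get("active_installs", 0) < MIN_ACTIVE_INSTALLS:
        flags.append("few active installs")
    if info.get("num_ratings", 0) < MIN_RATINGS or info.get("rating", 0) < MIN_RATING_PERCENT:
        flags.append("little or poor user feedback")
    # An untrusted source or a stale plugin is a hard stop; low popularity
    # alone only lowers confidence and calls for a closer look.
    hard_stop = any(f.startswith(("untrusted", "not updated")) for f in flags)
    verdict = "reject" if hard_stop else ("review" if flags else "ok")
    return {"name": info["name"], "verdict": verdict, "flags": flags}


# Constructed sample records; the names and numbers are made up for the example.
SAMPLE_EXTENSIONS = [
    {"name": "well-kept-forms", "source": "wordpress.org", "last_updated": "2019-11-02",
     "active_installs": 500000, "rating": 96, "num_ratings": 1200},
    {"name": "abandoned-gallery", "source": "wordpress.org", "last_updated": "2017-06-14",
     "active_installs": 20000, "rating": 88, "num_ratings": 150},
    {"name": "premium-theme-free-download", "source": "nulled-themes.example",
     "last_updated": "2019-10-30", "active_installs": 0, "rating": 0, "num_ratings": 0},
    {"name": "fresh-but-unknown", "source": "drupal.org", "last_updated": "2019-11-10",
     "active_installs": 40, "rating": 100, "num_ratings": 2},
]


def triage_all(extensions=SAMPLE_EXTENSIONS, today=date(2019, 11, 18)) -> dict:
    """Map each extension name to its verdict."""
    return {r["name"]: r["verdict"] for r in (triage_extension(e, today) for e in extensions)}


if __name__ == "__main__":
    for ext in SAMPLE_EXTENSIONS:
        print(triage_extension(ext, date(2019, 11, 18)))
```

The "review" verdict is deliberate: a brand-new plugin from a trusted directory is not unsafe, it just has no track record yet, so read its code or changelog before trusting it with an admin-level site.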
Install security plugins
CMSs support a wealth of security plugins that can help you create a basic level of protection against various hacking attacks.
So, depending on the CMS you are using, you could take advantage of the following security plugins for free:
- WordPress plugins: Sucuri Security, Bulletproof Security, Wordfence, iThemes Security;
- Joomla plugins: Antivirus Website Protection, JHackGuard;
- Drupal plugins: LoginSecurity, Security Kit, SpamSpan;
- Magento plugins: MageFirewall Security, Watchlog Pro;
- PrestaShop plugins: Security Lite.
Keep your platform up-to-date
Keeping your CMS site updated is crucial for keeping it alive and kicking.
Thousands of websites are left vulnerable to outside attacks and security breaches due to outdated and compromised software.
Due to their open-source nature, CMSs undergo daily improvements within the dev community.
This means that new versions of the CMS itself and its security plugins are released on a regular basis to patch a given vulnerability or enhance the security features.
So it is crucial that you keep up with all new versions and update your site as soon as an update is released.
To do that, you should subscribe to the mailing list or RSS feed of your CMS provider to get the latest update news.
Also, available system updates are shown to you when you log in to your CMS admin area.
Scan your website on a regular basis
Once your website is up and running, it’s important that you make sure it is safe all the time.
The best way to do that is to regularly perform web security scans to check for any website vulnerabilities.
You should run web scans on a regular basis and most importantly – after any change or addition to your website.
You could use a free tool for that, such as SiteLock or OpenVAS.
NOTE: Web security scan tools will not be able to detect all the possible security flaws on your site. For a more in-depth analysis of your website, you should turn to a security specialist.
Keep backups of your data
One of the sure-fire ways to protect yourself on your own is to keep a recent backup of your data.
In contrast to the other, preventive steps mentioned above, backups will help you recover your website in the event of a security incident.
So even if you have the industry’s best protection in place for your website, you are not fully immune to damage and backups are the best way to save your data.
Here are the most effective backup practices to keep in mind:
Off-site backups – keeping your backups on an external server keeps them out of reach of attacks targeted at your website;
Automatic backups – setting up automatic backups is the best way to ensure you do not forget to back up your data. For that purpose, you can use a backup solution that can be scheduled according to your particular website needs;
Weekly or daily backups – back up your website manually, either daily or weekly, to make sure you keep the most recent versions of your data and can recover data from a point before the attack occurred.
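As an added example (not code from the post or from any backup plugin), here is a small Python backup routine that combines the three practices: it archives the site directory with a timestamp and a SHA-256 sidecar, verifies an archive before restore, and applies a daily/weekly retention rule when pruning. The file naming, the retention counts and the sample site are assumptions for the example. Run it from a scheduler such as cron, and keep the backup directory on a separate host (or sync it off-site) so it is not lost together with the site; the database needs its own dump added to the same directory.

```python
import hashlib
import tarfile
from datetime import datetime, timedelta
from pathlib import Path

PREFIX = "site-"            # assumed naming scheme: site-YYYYMMDD-HHMMSS.tar.gz
STAMP = "%Y%m%d-%H%M%S"


def make_backup(site_dir: Path, backup_dir: Path, now: datetime) -> Path:
    """Archive the whole site directory into a timestamped tar.gz and write a
    SHA-256 sidecar so a restore can verify the archive was not tampered with."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"{PREFIX}{now.strftime(STAMP)}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=site_dir.name)
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    Path(f"{archive}.sha256").write_text(f"{digest}  {archive.name}\n")
    return archive


def verify_backup(archive: Path) -> bool:
    """Recompute the digest and compare it with the recorded sidecar value."""
    recorded = Path(f"{archive}.sha256").read_text().split()[0]
    return hashlib.sha256(archive.read_bytes()).hexdigest() == recorded


def stamp_of(archive: Path) -> datetime:
    """Recover the backup time from the file name."""
    return datetime.strptime(archive.name[len(PREFIX):-len(".tar.gz")], STAMP)


def prune_backups(backup_dir: Path, now: datetime,
                  keep_daily: int = 7, keep_weekly: int = 4) -> list:
    """Retention rule: keep every backup from the last `keep_daily` days, then
    one per ISO week back to `keep_weekly` weeks, and delete the rest together
    with their sidecars. Returns the archives that survive, oldest first."""
    kept, weeks_seen = [], set()
    # Newest first, so the newest backup of each older week is the one kept.
    for archive in sorted(backup_dir.glob(f"{PREFIX}*.tar.gz"), reverse=True):
        stamp = stamp_of(archive)
        age = now - stamp
        week = stamp.isocalendar()[:2]  # (ISO year, ISO week number)
        if age <= timedelta(days=keep_daily):
            kept.append(archive)
        elif age <= timedelta(weeks=keep_weekly) and week not in weeks_seen:
            weeks_seen.add(week)
            kept.append(archive)
        else:
            archive.unlink()
            Path(f"{archive}.sha256").unlink(missing_ok=True)
    return sorted(kept)


if __name__ == "__main__":
    # Example invocation; paths are placeholders for your own layout.
    site = Path("public_html")
    backups = Path("backups")
    if site.is_dir():
        made = make_backup(site, backups, datetime.now())
        print("wrote", made, "verified:", verify_backup(made))
        print("kept:", [a.name for a in prune_backups(backups, datetime.now())])
```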
Use an SSL certificate for HTTPS encryption
Unlike the measures mentioned above, using an SSL certificate will not improve your website security, technically speaking.
However, thanks to the additional layer of encryption that it provides, it is crucial for inspiring trust in your website among your customers.
An SSL certificate secures the transfer of information like credit cards, personal details and login credentials between your visitors and your website.
Thanks to the HTTPS protocol it uses, SSL assures users that no outsider could intercept or change the content exchanged between them and your website.
Due to the trust factor they provide, SSL certificates have recently become a must for all types of websites.
Now visitors are alerted by major browsers if a website does not use HTTPS.
Moreover, Google has already confirmed that it prioritizes HTTPS websites in search rankings, which has turned SSL into an important SEO resource.
And last but not least – choose a reliable web hosting provider
Your web hosting company should be your trusted partner in ensuring top-level security for your websites.
While keeping your website software safe from harm is your own responsibility, it is within the web host’s purview to safeguard the environment where your websites are located via a strict security policy.
Make sure your host is dedicated to keeping your website well protected from all current security threats and that it backs up your data to a remote server.
Also, go for a host who offers technical support around the clock.
At ResellersPanel, we have created a set of custom security rules to help protect your website from all common security threats.
Here is a list of the basic measures we’ve taken to protect your websites:
Regular security upgrades and patches – our administrators are always up to date with the latest software upgrades and security patch releases, so as to ensure that our servers are immune to all “modern” threats;
A ModSecurity firewall – this effective, anti-hack firewall is activated on all our servers. It is configured to automatically prevent all common URL forgery or “brute force” attacks and forum spamming attempts targeted at your customer’s websites and applications.
By default, ModSecurity is enabled for all hosts within a customer’s account.
However, users can control its behaviour from the ModSecurity section of the Control Panel.
Browsable daily offsite backups – thanks to this option, which is readily integrated into the Control Panel, users can now restore their sites with a click of the mouse; this gives users full control over their content in critical moments allowing them to restore their content within minutes instead of having to wait for an admin to respond.
Easy to install SSL certificates – on our platform you can make use of both free and regular SSL certificates, which users can easily install for their websites from the Control Panel.
Educating yourself about the basics of online security and ensuring your website is protected against hackers is essential for keeping a healthy online presence in the long run.
If you are just starting your new website, then this article has come right on time for you.
If you’ve already launched your website and have not yet implemented any of the steps mentioned in this post – you need to get going and stop procrastinating over vital steps like these.
You can never be sure that the new cyber-attack that hits the digital security news won’t hit you too.
Because, as reality shows, small business sites are just as susceptible to cyber crime as big companies.
Originally published Monday, November 18th, 2019 at 2:46 pm, updated November 18, 2019, and filed under Online Security.
Tags: joomla, wordpress plugin, modsecurity, cms security