Website security best practices help you secure your website against attackers. A successful attacker can take your website down and cause you business losses. Even worse, they can use your compromised site to send spam emails to other people, getting your domain blocked from sending genuine email.
Here are 15 tips to safeguard your website. Apply as many guards as you can. You might need technical help from the developers and your web hosting company for applying many of these.
- Keep all the software used by the site, like WordPress, Joomla, Drupal, etc., regularly updated. Older versions are more prone to attack. Using SaaS-based software helps companies like CTS stay up to date automatically.
- Use complex passwords of more than 10 characters. The password should not include common words. I have had good success with terms from Hindi, Punjabi or other such languages which are not in the English dictionary. Include at least 1-2 special characters like #, $, etc.
- Regularly review the list of users who have access to the admin system. Maybe some people have left but still have an active account. Setting a policy for frequent password changes is good practice, but making it too frequent can annoy users.
- All passwords should be hashed with a random salt (your developer should understand this, and if he does not, it’s time to change the development team). Passwords should never be stored in clear text in the database.
- Data validation on forms must be done both on the client side (in the browser) and on the server side (in the form processing script). This might look like overkill, but client-side checks can be bypassed by anyone who submits a request directly, so it is important to validate data at both points.
- Form data must be checked for scripts, executable code, MySQL injection and other junk before it is processed and saved to the database. Avoid echoing the submitted data on the thank-you page without sanitizing it first.
- Allowing file upload through a form is sometimes necessary. Uploaded files need to be checked for extension and MIME type before being accepted. Rename the uploaded file to a suitable name before saving it. This will protect you from much trouble, including phishing attacks hosted from your server.
- Try to configure your server software and CMS to reveal the minimum of information about versions and server paths. Most server operating systems can be configured to show generic error pages to users.
- Regularly back up your site and keep it under version control. This will allow you to get back on track very quickly after a hacking incident.
- For WordPress sites, security plug-ins like Wordfence and Sucuri can add a very powerful security layer. Similar plug-ins are available for most CMS software.
- Even if you have root access on your server, use a restricted account for most of your work and reserve root for high-level system work. This minimizes the chance of exposing your credentials.
- Avoid using public Wi-Fi, like that at airports or hotels, for system-level work on your site or server. If you really need to do this, change the password as soon as possible and practical (from a safe Internet connection).
- Don’t leave old and unused files on the server even if they are not linked from the main site pages. These files are not updated, and they can be targets too.
- Using HTTPS is a good strategy. Not only does this give you an extra edge in search engine ranking, it also increases security slightly by encrypting the communication between the user and the server. Don’t think that this alone will make everything secure.
- If your web pages are dynamic and served based on parameters like p=4, try editing the URL in the location bar and see what happens when you change the value of the parameter. If another page or data can be viewed simply by changing this parameter, you need to add an extra security layer in the form of a hash key.
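The file upload tip above (check extension and MIME type, then rename) can be implemented as follows. This is an added example, not code from the original post; the allowlist, the magic-byte table and the function names are assumptions, and the policy of allowing exactly one extension (so that a double-extension name is refused) is a choice made here.

```python
import re
import secrets
from typing import Optional

# Assumed allowlist: accepted extensions and the content type each must carry.
ALLOWED = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
    "pdf": "application/pdf",
}

# Leading bytes (magic numbers) that identify each allowed content type.
MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "application/pdf": b"%PDF-",
}


def sniff_mime(data: bytes) -> Optional[str]:
    """Derive the content type from the file's first bytes, ignoring what the browser claimed."""
    for mime, magic in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def accept_upload(original_name: str, claimed_mime: str, data: bytes) -> Optional[str]:
    """Return a safe storage name for the upload, or None when it must be rejected.

    Checks, in order: any client-supplied path is dropped; the name has exactly one
    extension and it is in the allowlist (so 'shell.php.jpg' is refused); the
    browser-supplied type matches that extension; and the bytes actually on disk
    match it as well, so a renamed script cannot pass as an image.
    """
    base = re.split(r"[\\/]", original_name)[-1]   # strip '/' and '\' path components
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0] or parts[1] not in ALLOWED:
        return None
    ext = parts[1]
    expected = ALLOWED[ext]
    if claimed_mime != expected or sniff_mime(data) != expected:
        return None
    # Rename: the stored name never reuses anything the uploader chose.
    return f"{secrets.token_hex(16)}.{ext}"
```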
These tips are not the complete story. There are many more things you can do to make your website more secure but this can be a good beginning.
If you don’t want to get your hands dirty or do not fully understand many of the above tips, you may request professional help.