The first client contact I got on a shift one day was about their site being hacked. That got me thinking about ways to harden a site against attack. I’ve gotten a lot of experience with WordPress recently, but I want to focus on general site security first.
So first things first:
Nothing you do, short of taking your site completely offline (and then what’s the point of having a site if no one can see it?), will make you invulnerable to attack.
The best you can do is remove as many vulnerabilities as possible: the fewer vulnerabilities you leave exposed, the less chance an attacker finds one to exploit against your account.
Now that we’ve accepted that the danger will exist no matter what we do, let’s talk about how to minimize it. I’m going to start with the simplest things and work up to the more complicated ones.
1. BACK YOUR SITE UP!
Yes, I am in fact yelling this one; it needs to be done. Even if your hosting company provides backups, you still need to make your own, just in case. You should also download your backups and store them somewhere safe, away from the server: a backup that sits next to the site is lost in the same compromise, and an attacker who can edit your site can usually edit or delete a backup stored beside it. Keep more than one generation, because you need a copy from before the compromise, not after it, and try restoring one occasionally so you know it actually works. Backups are part of site security for a simple reason: if your site is compromised, it is a lot easier to replace files with known good copies (or the whole site) than to track down and repair every modification by hand.
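One way to make a backup useful for exactly that "replace with known good copies" step is to record a hash of every file alongside the archive. The following is an added example, not code from the original post: it archives a site directory, stores a manifest of per-file SHA-256 hashes plus the hash of the archive itself (so a downloaded copy can be checked before it is trusted), and later diffs the live site against the manifest to list what was modified, added or removed. The toy site, the file names and the tampering in `demo()` are constructed for the illustration; the example covers files only and assumes the database is dumped separately.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(site_root: Path) -> dict:
    """Map every file under site_root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(site_root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(site_root).as_posix()] = sha256_file(path)
    return manifest


def backup_site(site_root: Path, dest_dir: Path) -> tuple:
    """Write site.tar.gz plus manifest.json (per-file hashes and the archive hash).

    Both files are what you copy off the server; the manifest is what lets you
    answer "which files did the attacker touch?" later.
    """
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / "site.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname="site")
    manifest = {
        "files": build_manifest(site_root),
        "archive_sha256": sha256_file(archive),
    }
    manifest_path = dest_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def verify_archive(archive: Path, manifest_path: Path) -> bool:
    """Check a (downloaded) archive against the hash recorded when it was made."""
    recorded = json.loads(manifest_path.read_text())["archive_sha256"]
    return sha256_file(archive) == recorded


def diff_against_manifest(site_root: Path, manifest_path: Path) -> dict:
    """Compare the live site with the known-good manifest."""
    known = json.loads(manifest_path.read_text())["files"]
    current = build_manifest(site_root)
    return {
        "modified": sorted(p for p in known if p in current and current[p] != known[p]),
        "added": sorted(p for p in current if p not in known),
        "missing": sorted(p for p in known if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: back up a toy site, tamper with it, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "www"
        (site / "wp-content").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "wp-content" / "theme.css").write_text("body {}\n")

        archive, manifest = backup_site(site, Path(tmp) / "backup")
        verified = verify_archive(archive, manifest)

        # Simulated compromise: one file edited, one dropped in, one deleted.
        (site / "index.php").write_text("<?php /* tampered */ echo 'hello'; ?>\n")
        (site / "wp-content" / "injected.php").write_text("<?php /* unexpected */ ?>\n")
        (site / "wp-content" / "theme.css").unlink()

        return {"verified": verified, **diff_against_manifest(site, manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports the archive as verified and then lists `index.php` as modified, `wp-content/injected.php` as added and `wp-content/theme.css` as missing, which is the list you would work from when restoring known good copies. In practice the manifest should be signed or stored off-server too, since a manifest the attacker can rewrite proves nothing.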
2. USE STRONG PASSWORDS!
The old joke: “The password is ‘password’; it’s so obvious that no one would guess it!” Guess what: it is obvious, and if it comes down to a brute-force attack (where an attacker tries password after password, usually from a list of common ones first) then “password” will definitely be near the top of that list. Strong passwords use a combination of upper and lowercase letters, numbers, and symbols. You could use something completely random, but why make more work for yourself? Just because it’s called a pass word doesn’t mean it has to be a word. My passwords are always passphrases. You could start with something like ThisIsMyPassWord. That has upper and lowercase letters, and we can add numbers to it: Th1sIsMyP45sW0rd. Then we can add symbols so it looks like: Th1$I$MyP45sW0rd. Notice that I didn’t swap every s the same way: one became a 5 and two became $. Being unpredictable is a very powerful ally. One caveat, though: these letter-for-symbol swaps are the first thing password-cracking tools try, because every cracker’s rule set includes them, so a substituted dictionary phrase is only a little stronger than the plain phrase. Length and genuine randomness help far more than substitutions do: four or five unrelated words picked at random (with a password manager to remember them) beat a cleverly mangled sentence, and never reuse a site password anywhere else.
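To see why the substitutions buy less than they appear to, here is an added example (not code from the original post) that does what a rule-based cracker does: undo the common letter-for-symbol swaps, drop case and separators, and check whether what is left splits into dictionary words. It also estimates the strength of a passphrase made of randomly chosen words, which comes from the number of combinations rather than from disguise. The tiny word list is constructed for the demonstration; a real check would load a wordlist of the size used by cracking tools, and the 7776-word figure in the usage note is the size of a common diceware list, assumed here for the arithmetic.

```python
import math
import secrets

# Constructed mini-dictionary for the demonstration only.
DICTIONARY = {
    "this", "is", "my", "pass", "word", "password", "secret", "admin",
    "login", "site", "correct", "horse", "battery", "staple", "tree", "lamp",
}

# The swaps used in the post (and a few more), read backwards. A cracker
# applies exactly these as rules to every word in its dictionary.
LEET_REVERSE = str.maketrans({
    "1": "i", "!": "i", "$": "s", "5": "s", "0": "o",
    "4": "a", "@": "a", "3": "e", "7": "t",
})


def normalize_leet(password: str) -> str:
    """Undo substitutions, case and separators the way a rule-based cracker would."""
    translated = password.translate(LEET_REVERSE).lower()
    return "".join(ch for ch in translated if ch.isalnum())


def dictionary_segments(text: str, words=DICTIONARY):
    """Split text into dictionary words (word-break DP); None if no full split exists."""
    n = len(text)
    best = [None] * (n + 1)
    best[0] = []
    for end in range(1, n + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                best[end] = best[start] + [text[start:end]]
                break
    return best[n]


def is_disguised_phrase(password: str) -> bool:
    """True if the password is a dictionary phrase hiding behind case and leet swaps."""
    return dictionary_segments(normalize_leet(password)) is not None


def entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Strength of n words drawn uniformly at random from a list of wordlist_size."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words: int = 5, wordlist=None) -> str:
    """Random word passphrase; secrets (not random) so choices are unpredictable."""
    wordlist = sorted(wordlist or DICTIONARY)
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for candidate in ("Th1$I$MyP45sW0rd", "ThisIsMyPassWord", "xq7vb"):
        print(candidate, "->", normalize_leet(candidate),
              "disguised dictionary phrase:", is_disguised_phrase(candidate))
    print("5 random words from a 7776-word list:",
          round(entropy_bits(5, 7776), 1), "bits")
    print("example:", generate_passphrase())
```

`Th1$I$MyP45sW0rd` normalizes to `thisismypassword`, which the word-break check splits straight back into `this is my password`: the cracker recovers the phrase with one pass of its rules. A random five-word passphrase also consists of dictionary words, and that is fine, because its strength is the roughly 64.6 bits of combinations from a 7776-word list, not any attempt to hide the words.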
3. Keep Your Software Up To Date
This one gets overlooked more often than I care to go into, yet it is one of the simplest things you can do. WordPress, Joomla, and Drupal all have built-in update features: these packages notify you when a new version is available and download the updated software for you. Two practical notes: take a backup first (see item 1) so a failed update is recoverable, and remember that plugins, themes and extensions need updating too, not just the core package, since an out-of-date add-on is just as much a way in.
So really there’s no excuse for not doing this. Enough said.
1 ping
All Tech – No Logic » Blog Archive » Backups! Backups! Backups!
April 18, 2011 at 9:26 am (UTC -6)
[...] I’ve pointed out in the lengthy article on site security (see: http://alltech-nologic.com/2011/02/hardening-site/) backups are really the primary fallback in the case of [...]