12 Best Ways to Prevent Your Website from Getting Hacked

by Shams Tarek 1,208 views0

Google detected nearly 800,000 compromised websites last year—with roughly 16,500 new sites added to this list every week from around the globe. Cyber attacks are carried out for any number of reasons: data theft, negative SEO backlinking, denial-of-service (DoS), or even personal glory, to name a few.
Fortunately, the strongest website security measures boil down to a few core practices and principles. The following are the 12 best ways to hacker-­proof your website.

12. Enforce strong physical server security.

Source: Torkild Retvedt / Flickr Creative Commons.
Source: Torkild Retvedt / Flickr Creative Commons.

Maintaining strong physical security is clearly a fundamental measure for keeping your website and its data safe. If hosting your own physical servers, ensure that proper physical access and visual surveillance is in place. If hosting through a cloud/web hosting provider, check the vendor’s website to verify that appropriate levels of physical security have been implemented in their data centers and facilities (e.g., biometric access, CCTV, motion detection).

11. Stay up-to-date with software updates and patches.

Copper Band-Aids not included. Source: Becky Stern / Flickr Creative Commons.
Copper Band-Aids not included. Source: Becky Stern / Flickr Creative Commons.

Any third party software products used to power your website—databases, web server software, content management systems (CMS)—are subject to continuous patching and updates from the vendor. Be sure to stay on top of these critical updates, especially for CMS packages like WordPress or Drupal. Unpatched software is a leading cause of outages and data breaches.

10. Use strong passwords.

Source: Automobile Italia / Flickr Creative Commons.
Source: Automobile Italia / Flickr Creative Commons.

You’ve surely heard it before, but it’s worth repeating: strong passwords are a critical first line of defense against unauthorized access to your website and underlying systems. Typically, a strong password:

  • consists of at least 8 characters
  • does not contain your username, real name, company name, a complete word.
  • is different than previously used passwords
  • contains both uppercase and lowercase characters, numbers, and symbols.

9. Make sure any unused website resources are removed, if possible.

Source: Linux Screenshots / Flickr Creative Commons.
Source: Linux Screenshots / Flickr Creative Commons.

Un­used resources such as scripts or CMS plugins should be removed, as they could potentially be exploited by cyber attackers for gaining access to your website. Extraneous files (images, documents, text files) and databases should be removed if not in use.

8. Implement Google Webmaster Tools on your website.

Source: Searchengineland.com.
Source: Searchengineland.com.

Google Webmaster Tools (GWT) will alert you immediately if your website is infected with malware. Additionally, since a compromise will likely result in negative SEO, monitoring your website’s performance with GWT will alert you of any potential security issues.

7. Configure GWT to send you automatic email notifications when issues are detected.

Source: Google Webmaster Tools.
Source: Google Webmaster Tools.

By using GWT’s automatic notification feature, you will receive email alerts when

  • your website is being attacked by malware
  • your pages are not indexed
  • you have server connectivity problems
  • you get a manual penalty from Google

6­. Use the appropriate website scanner tools to diagnose your website.

Source: blog.sucuri.com.
Source: blog.sucuri.com.

Free and low-cost tools exist for spotting vulnerabilities and security gaps in your website’s security: SUCURI, Acunetix, and Qualys, to name a few.

5. Use encryption for your web server’s files and databases.

Source: Linux Screenshots / Flickr Creative Commons.
Source: Linux Screenshots / Flickr Creative Commons.

These mechanisms ensure that data—even if stolen by cyber attackers—is rendered useless without possession of the appropriate digital key(s). Encryption should be used in critical web server files as well as databases.

4. Ensure that software version numbers and error messages are not visible by users.

Source: blog.qualys.com.
Source: blog.qualys.com.

Website error pages usually display sensitive information about the web server, operating system, file paths, and more by default. You should therefore configure web servers and underlying components to never reveal this data to visitors.

3. Use two-factor authentication for your website’s login(s).

Source: Jonathan Molina / Flickr Creative Commons.
Source: Jonathan Molina / Flickr Creative Commons.

Two-factor authentication (2FA) is an extra layer of security that requires not only a password and username, but also data provided from a physical object in the user’s possession. Many CMS packages like WordPress and Drupal support 2FA.

2. Disable any file upload capabilities.

Source: code.msdn.microsoft.com.
Source: code.msdn.microsoft.com.

Allowing users to upload files poses a significant security risk to your website. If file uploading is necessary, be sure to implement filters and controls that only accept certain file types uploads from users.

1. Implement SSL on your website.

Source: Sean MacEntee / Flickr Creative Commons.
Source: Sean MacEntee / Flickr Creative Commons.

Secure sockets layer (SSL) is not only critical for website security—Google will penalize your website and its SEO ranking for not using it. Because it encrypts all web traffic between the web browser and website, SSL prevents login credentials and other sensitive data from being usable by hijackers.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>