How to secure your website against hackers
Added: 10.03.2014 23:26:29 Last updated: 29.12.2016 13:58:21
We constantly witness websites being hacked. Most of these cases could have been avoided by following the below points. We recommend that you always follow these recommendations to avoid getting hacked.
- Update scripts as soon as a new version is published
If a new version of a script you have inserted in your website is published, you should update it to the latest version as soon as possible. Outdated scripts are very often the root cause of websites getting hacked. In these cases, the hacker normally gains access to all of the files in your account, so it is very important to keep scripts updated.
REMEMBER: This also applies to components/modules for scripts. A typical script that has these is Joomla. If a component/module is outdated, the consequences can (and often will) be just as serious as if the script is outdated.
TIPS: If the script provider has a mailing list for notifying about new versions, you should subscribe to it.
- Uninstall unused scripts/components/modules
The things you do not use should not be installed. They only pose a security risk, especially if you don't keep them updated.
- Be critical about what you install
Scripts/components/modules that:
- are not used by many
- appear not to have been updated for a long time
- are recently published
- do not appear to be reputable
should not be installed. They often include insecure (and poorly written) code.
- Install security components/modules
Some of the most well-known scripts have components/modules that can help strengthen or check your website security. Installing these can improve your overall website security.
- Do not use default values when installing/using a script
When you install a script, often default values for administrator user names and prefixes for database table names are used. Instead of using admin as a user name, you should set it to something different, such as your first name/nickname.
If you set a prefix other than the default one for your database tables, this will prevent a lot of attacks. The prefix is a text that is included as the first part of all table names in the database. If you specified prefix_ as the prefix, a table named table will then be called prefix_table.
- Activate CloudFlare if you do not use https on your website
CloudFlare automatically blocks a lot of attacks, in addition to offering a series of other improvements to your website. The guide Using CloudFlare on your domain via cPanel explains how to activate CloudFlare. The Pro version of CloudFlare gives added protection and will reduce the probability of you getting hacked, but this version costs money, and you will have to upgrade to this version through the CloudFlare web pages.
Note that you will need the Pro version of CloudFlare if you are using your own SSL certificate and https (but you will be able to use CloudFlare's free SSL without upgrading).
- Use passwords of at least 8 characters that contain both lowercase and uppercase letters, numbers and special characters
If you abide by the above point, it will be highly unlikely that anyone can guess the password or find it during an attack.
This point and the below points are applicable to all of the passwords you might have that are related to services provided by us (e.g. for email accounts and cPanel).
- Do not store passwords in clear text on your PC, in your email or on physical storage media such as paper.
If your local machine is hacked and you keep clear-text passwords on it, you will be hacked repeatedly once the hacker has discovered them. The same is true if you have the password on paper where others can read it. It would be best to learn the password by heart.
- Change passwords regularly
This makes things more difficult for hackers, and if a hacker has already got hold of a password, they will lose access to the website once it is changed.
- Do not grant too extensive permissions for files/folders
If you grant overly extensive permissions for files/folders, you may also suffer a hacking attack. In around 99% of cases, files should have 644 rights and folders 755 rights on our servers.
Installation guides for scripts often say that files/folders must have 777 rights set. This is not the case for our servers. You must set the rights as described above.
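The following script is an added example (not part of the original guide) that audits a web root for files that are not 644 and folders that are not 755 and repairs them, so you can check an installation instead of blindly following a guide that asks for 777. The path you pass to it is an assumption; use your own public_html folder.

```shell
#!/bin/sh
# Added example: audit and repair file/folder permissions under a web root.
# Target modes follow the guide: files 644, directories 755. Never 777.

# Print every path whose mode deviates from the recommended one.
list_bad_perms() {
    webroot="$1"
    find "$webroot" -type f ! -perm 644
    find "$webroot" -type d ! -perm 755
}

# Print the number of deviating paths; "0" means the tree is already correct.
count_bad_perms() {
    list_bad_perms "$1" | wc -l | tr -d ' '
}

# Repair: files to 644, directories to 755 (only touches paths that deviate).
fix_perms() {
    webroot="$1"
    find "$webroot" -type f ! -perm 644 -exec chmod 644 {} +
    find "$webroot" -type d ! -perm 755 -exec chmod 755 {} +
}

# Usage: sh fix-perms.sh /home/ACCOUNT/public_html   (path is an assumption)
if [ $# -gt 0 ]; then
    echo "Paths with wrong permissions before repair:"
    list_bad_perms "$1"
    fix_perms "$1"
    echo "Remaining problems: $(count_bad_perms "$1")"
fi
```

Run it on a copy first if you have scripts that genuinely need writable upload folders, and give only those folders a less strict mode afterwards.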
- Ensure you have sufficient protection on your local machine
If your PC is hacked or infected by a virus, this may lead to:
- passwords for our services being captured
- files uploaded via ftp being infected by a virus or by code that attacks the browsers of visitors to your website
You should have the necessary protection in the form of an antivirus program and a firewall on your PC or on the network you are on.
- Protect areas of your website that visitors do not need access to with a password
The parts of your website that visitors do not need to access can be password protected for increased security as shown in the guide Password protecting a folder in cPanel.
- Block access to important files
Files like php.ini that can contain information which makes it easier to hack your website should not be accessible via the internet. You should block access to such files through the use of an .htaccess file. To block access to the php.ini file in a folder, you can place the following code in the .htaccess file (the Files block limits the rule to that one file; a bare "deny from all" would block the whole folder):
<Files php.ini>
deny from all
</Files>