Web security is an important aspect of website maintenance that a lot of webmasters don’t give enough attention to. Even though the web hosting provider does try to provide the best quality of security for its clients, there is a lot that you can do as a webmaster to improve your website’s security. A chain is only as strong as its weakest link, and if your website’s internal security is not up to date then it won’t matter how strong your hosting provider’s security is. Here are the top 10 security measures for webmasters.
Never use simple passwords for your FTP login. Never use personal information such as nicknames, dates of birth, social security numbers and so on to form a password for your FTP login. If a hacker gets your FTP password then your complete website is compromised, and no amount of security from the server host can stop the hacker from misusing your site. Use random, strong passwords and remember to change them at least once a month.
The applications and plugins that you use on your website need to be updated regularly. A lot of webmasters install an app and then forget about it. An out-of-date plugin or app can be the weak link that hackers use to get into your website. Make sure to update all your applications and plugins whenever new updates come along, and stay subscribed to their newsletters so you know whenever a new update is available.
Hacking a website is not just about spreading malicious code; it can also be about spreading spam. Spam comments are not just a nuisance: they link to malicious sites and can give your website a bad reputation. Anti-spam plugins will help you stay sane, as you won’t have to moderate thousands of spam comments daily.
SSL (Secure Sockets Layer) certificates are necessary if you are operating an eCommerce website. SSL certificates ensure that your clients’ data is encrypted in transit. Without an SSL certificate, not only will you risk exposing your clients’ sensitive data and earn a bad reputation, but even more likely you will lose many potential clients who wouldn’t want to make a transaction that is not secure.
The .htaccess file is the most important and most powerful file on your site: it controls the complete behavior of your website, and if it is tampered with it can be used to redirect your entire website to a different one. Once hackers get access to the .htaccess file they will inject a simple redirection rule that sends all of your visitors to a malicious website. To protect this file, don’t allow anyone except yourself to modify it.
Email accounts are much easier to hack, as a lot of people don’t use strong enough passwords for them. This can be a weak point that leads to a hacker getting access to other passwords that are stored in emails, or they can even request a password reset that is verified through email. So protect your email accounts just as strongly as you protect your FTP passwords.
If you have a static IP address at home or work from which you access your website files, you can restrict certain private parts of your website to that IP address by adding a few directives to the .htaccess file. This makes sure that only you can access those files, and only from that particular IP address. It is a simple way to deny access to any hacking attempts coming from elsewhere.
Making backups of your website is important, and almost all webmasters know this, but they don’t do it often enough. The rule of thumb is to do it as often as you can: every time you add new content to your website you should make a backup. You can get plugins that do this automatically at set intervals. Although the hosting provider will also back up your website as part of their service, it is better to make your own backups as well.
A lot of the time, CMS-type applications require 777 permissions to carry out a few tasks. 777 permissions mean that the owner, the group and the public can all read, write and execute the files of a particular directory. You might need to grant such permissions temporarily from time to time, but if you forget to change them back afterwards, your directory or file can be accessed by anyone in the world and they can write malicious code into it easily. It’s like having a locker for your money but leaving it unlocked. This is a very common mistake made by webmasters. The recommended permission settings are 755 for directories (the owner can read, write and execute, while the group and public can only read and execute) and 644 for files (the owner can read and write, while the group and public can only read).
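A script to find and correct the forgotten 777 permissions described above, added here as an example rather than code from the original article. It builds a constructed sample tree under a temporary directory (the web root path is an assumption), lists every world-writable path, and resets only those paths to 755 for directories and 644 for files, leaving deliberately tighter modes untouched:

```shell
#!/bin/sh
# Audit a web root for world-writable (o+w, e.g. 777) paths and reset them to 755 (dirs) / 644 (files).

# Print the octal permission bits of a path (GNU stat first, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# List every file or directory under $1 with the "other write" bit set.
# -perm -002 matches any mode that includes o+w, so it catches 777, 666, 757 and so on.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print | sort
}

# Number of world-writable paths under $1 (0 when the tree is clean).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset only the offending paths: directories to 755, regular files to 644.
# Paths that are already tighter than that are left alone.
fix_permissions() {
    find "$1" -type d -perm -002 -exec chmod 755 {} +
    find "$1" -type f -perm -002 -exec chmod 644 {} +
}

# Build a constructed sample tree: a CMS upload directory left at 777 after an
# install, next to a config directory that was deliberately locked down.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads" "$root/config"
    printf '<?php\n' > "$root/uploads/index.php"
    printf 'db_password=constructed\n' > "$root/config/settings.php"
    chmod 777 "$root/uploads" "$root/uploads/index.php"   # the forgotten "temporary" 777
    chmod 750 "$root/config"                               # tighter than 755; must stay
    chmod 640 "$root/config/settings.php"                  # tighter than 644; must stay
    printf '%s\n' "$root"
}

# Stand-alone run: report, fix, report again, clean up.
main() {
    root=$(make_sample_webroot)
    echo "before: $(count_world_writable "$root") world-writable path(s)"
    list_world_writable "$root"
    fix_permissions "$root"
    echo "after:  $(count_world_writable "$root") world-writable path(s)"
    rm -rf "$root"
}

main
```

To audit a real site, call list_world_writable on your web root first and only run fix_permissions once you have reviewed the list, since an application that genuinely needs a writable directory will break if it is locked down.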