With the recent Sony hacking, cyber security has been on everyone’s mind. However, hackers don’t just target big-name websites; one out of every two businesses, regardless of size, will be attacked through DDoS (distributed denial of service) tactics, according to survey results published by Incapsula.
So whether you run a large ecommerce site or “just a blog,” take the measures below to protect yourself against attacks that could make your website inaccessible or unusable for shoppers. Even if you sell nothing, a compromised site can expose your own data (admin credentials, hosting account details, stored payment information) and can be turned into a platform for serving malware to your visitors. In short, no website is too small to be attacked.
To improve your website’s cyber security, here are some simple steps you can take now:
1. Create a login sequence with lockout.
Most WordPress sites log you in with just a username and password. The WP Stealth Login Page plugin adds a further step: an authorization code field below the password. Note that this code is a second static secret, not a true second factor such as a one-time code, so it mainly defeats automated attacks that only know how to fill in the standard login form.
Combine it with Login Lockdown, which records the IP address and time of every failed login attempt and, after a set number of failures from the same address within a short period, refuses further login attempts from that address for an hour (or longer, if you configure it so). Together these plugins make password guessing and brute-force attacks against your login page far less practical.
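As an added example that is not part of the original article or of either plugin, here is the same lockout logic applied to a web server access log. WordPress answers a failed login POST to wp-login.php with a 200 (it re-renders the form with an error) and a successful one with a 302 redirect, so counting 200-status POSTs per client IP finds the sources of password guessing. The log lines are constructed, the threshold of five attempts is an assumption, and the emitted Apache rules are one possible way to act on the result.

```shell
#!/bin/sh
# Added example (not from the article or the plugins it names): spot
# brute-force login sources in a combined-format access log.
# A failed WordPress login is a POST to wp-login.php answered with 200
# (the form is shown again); a successful login is answered with a 302.

# Constructed sample log: one real user (203.0.113.5), one password-guessing
# client (198.51.100.7) and unrelated XML-RPC traffic (192.0.2.10).
SAMPLE_LOG='203.0.113.5 - - [10/Dec/2014:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2014:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2014:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "python-requests/2.4"
198.51.100.7 - - [10/Dec/2014:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "python-requests/2.4"
198.51.100.7 - - [10/Dec/2014:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "python-requests/2.4"
198.51.100.7 - - [10/Dec/2014:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "python-requests/2.4"
198.51.100.7 - - [10/Dec/2014:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "python-requests/2.4"
198.51.100.7 - - [10/Dec/2014:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "python-requests/2.4"
192.0.2.10 - - [10/Dec/2014:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "WordPress/4.0"
192.0.2.10 - - [10/Dec/2014:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "WordPress/4.0"'

# Count failed login POSTs per client IP. Whitespace-split field layout of
# the combined format: $1 client IP, $6 "METHOD, $7 path, $9 HTTP status.
count_failed_logins() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
         END { for (ip in n) print ip, n[ip] }' | sort
}

# Print only the IPs that reached the lockout threshold (assumed default: 5).
lockout_candidates() {
    count_failed_logins | awk -v t="${1:-5}" '$2 + 0 >= t + 0 { print $1 }'
}

# Turn flagged IPs into Apache 2.4 rules. They belong inside a <RequireAll>
# block next to "Require all granted"; feeding a firewall works just as well.
deny_rules() {
    while IFS= read -r ip; do
        [ -n "$ip" ] && printf 'Require not ip %s\n' "$ip"
    done
}

printf '%s\n' "$SAMPLE_LOG" | count_failed_logins
printf '%s\n' "$SAMPLE_LOG" | lockout_candidates 5 | deny_rules
```

Run it against a real log with `lockout_candidates 5 < /var/log/apache2/access.log`. Only the 200-status POSTs count, so a legitimate user who logs in successfully on the first try never appears in the output, while a client that keeps getting the form back does.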
2. Get SSL’ed.
SSL (Secure Sockets Layer, long since superseded by TLS, although the old name has stuck) creates an encrypted link between the browser and the server; you can recognize it by the https:// prefix on a page's address. Everything passed between the two, including your WordPress login credentials and any customer data, is encrypted in transit, so nobody sitting on the network between them can read or alter it.
If you or your Web host have a certificate for your domain, you can force SSL for the WordPress admin area and login page so that your credentials never cross the network in clear text. Add this line to wp-config.php, above the line that reads /* That's all, stop editing! Happy blogging. */:
define('FORCE_SSL_ADMIN', true);
To serve every page over HTTPS, not only the admin area, you can install the WordPress HTTPS (SSL) plugin, or, on a current WordPress, simply set both the WordPress Address and the Site Address under Settings > General to https:// and redirect http:// requests at the web server.
3. Configure your PHP handler.
WordPress and many other websites are built with PHP. The risk is not that the code can be viewed online (PHP runs on the server and visitors never see it) but that every script is executed with the privileges of whatever user the PHP handler runs as. A vulnerable plugin, or a malicious file uploaded into a writable directory, therefore runs with those same privileges. The PHP handler (the component that runs PHP scripts on behalf of the web server) decides which user that is, so configuring it correctly limits how much damage one compromised script can do.
One such handler is suPHP, which runs each script as the owner of the file rather than as the shared web server user, and refuses to execute scripts that sit in world-writable directories. The other common choices are CGI, FastCGI and DSO (mod_php). DSO is fast but runs all PHP as the web server user, so on a shared server a compromise of one site can read or write another site's files unless the host has added isolation of its own. suPHP, and FastCGI when paired with per-user processes (suEXEC or PHP-FPM pools), keep sites separated and are the better choice from a security standpoint. Please read this useful tutorial if you're not sure what all these letters mean.
On cPanel servers the handler is selected in WHM's Apache/PHP configuration (EasyApache), not in php.ini; php.ini controls runtime directives such as disable_functions and open_basedir once the handler is in place. Most managers offer a choice of handlers. If you are on shared hosting and cannot see WHM, ask your host which handler your account uses.
4. Set your file permissions.
Another big risk factor is how file and directory permissions are set, or rather not set. Your wp-content directory, for example, holds uploaded documents and images as well as subdirectories of plugin and theme files. Each item carries a permission code stating who may read (4), write (2) and execute (1) it, for three classes of identity: the owning user, the owning group and everyone else (world).
The digits are added up per class to give a code such as 744: the user has 4+2+1 (read, write and execute) while group and world each have only 4 (read). In that case only the user (you) can write to or execute the file; everyone else can merely read it. For WordPress the usual baseline is 755 for directories, 644 for files, and 600 (or 440, depending on the handler) for wp-config.php, because that file contains your database credentials.
Many installation guides tell you to set a directory to 777 (read, write and execute for everyone) when an upload or an install fails, and many webmasters never set it back. A world-writable directory under the web root lets any process on the server, including one driven by a vulnerability in an unrelated site or plugin, drop a PHP file there and have the web server execute it. If the web server genuinely needs to write somewhere (wp-content/uploads, for example), grant write access to the right user or group rather than to the world.
To see what your permissions are, open the file manager in cPanel or your Web host's control panel; the permissions column shows the letters and numbers for each file and lets you change them. If you have shell access, ls -l shows the same information and chmod changes it.
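To make the baseline concrete, here is an added shell example (not from the original article) that resets a WordPress tree to 755 for directories and 644 for files, with wp-config.php at 600, and then audits the tree for anything still world-writable. It builds a throwaway directory to work on so it runs offline; the layout is constructed, and the assumption is that the web server runs as a different user from the file owner, which is the case that makes world and group bits matter.

```shell
#!/bin/sh
# Added example (not from the original article): reset a WordPress tree to
# the conventional permissions and audit it for world-writable leftovers.
# Assumes the web server runs as a different user than the file owner.

# Directories 755 (owner rwx, others rx), files 644 (owner rw, others r),
# wp-config.php 600 (owner only) because it holds the database credentials.
harden_wp_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # If the web server must write to wp-content/uploads and runs as a
    # different user, give that user or its group write access there
    # (e.g. chgrp + chmod 775), never 777.
    [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
    return 0
}

# List anything still writable by "world" (the o+w bit) under the tree.
audit_world_writable() {
    find "$1" -perm -o+w
}

# Mode string for one path, e.g. "-rw-r--r--" (ls -ld is portable enough).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Constructed demo tree in the "forgot to reset after install" state.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf '<?php define("DB_PASSWORD", "s3cret");\n' > "$d/wp-config.php"
    # A PHP file dropped into uploads is exactly what 777 makes possible.
    # Resetting permissions does not remove it; you still have to find and
    # delete such files.
    printf '<?php\n' > "$d/wp-content/uploads/shell.php"
    chmod -R 777 "$d"
    echo "$d"
}

site=$(demo_tree)
echo "before: $(audit_world_writable "$site" | wc -l) world-writable entries"
harden_wp_permissions "$site"
echo "after:  $(audit_world_writable "$site" | wc -l) world-writable entries"
echo "wp-config.php is now $(mode_of "$site/wp-config.php")"
rm -rf "$site"
```

Run `audit_world_writable /path/to/wordpress` on its own from time to time; an empty result is what you want. If you use suPHP, which runs scripts as the file owner, wp-config.php can be 600 as shown; under DSO the web server user must be able to read it, so use 640 with the web server's group or 440 as your host advises.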
5. Create and maintain website backups.
If a breach does occur, you don't want to lose all your files and folders, or your database, which holds your posts, pages and user accounts. Creating and maintaining regular backups is a must, and so is keeping at least one copy somewhere the web server cannot overwrite it, because an attacker who controls the site can also delete backups stored alongside it. Most Web hosts provide an easy way to create site backups in the manager area, or offer backups as a low-cost monthly service.
There are also plugins that back up WordPress on a schedule; one free option is BackWPup.
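As an added example, not from the article, your host or the BackWPup plugin, here is a small backup routine in shell: it reads the database credentials out of wp-config.php, archives the site tree with a SHA-256 checksum so a restore can detect a corrupted or tampered archive, dumps the database with mysqldump when one is reachable, and prunes archives older than a retention window. The demo site, the paths and the 14-day retention are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): file-level WordPress backup
# with an integrity checksum, a database dump driven by the credentials in
# wp-config.php, and simple retention. Paths and retention are assumptions.

# Pull a define('NAME', 'value') setting out of wp-config.php.
wp_db_setting() {
    cfg="$1"; name="$2"
    sed -n "s/.*define( *['\"]$name['\"] *, *['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1
}

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Archive the site tree to OUTDIR/site-<stamp>.tar.gz and record its sha256.
backup_site() {
    root="$1"; outdir="$2"; stamp="${3:-$(date +%Y%m%d-%H%M%S)}"
    mkdir -p "$outdir"
    archive="$outdir/site-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$root")" "$(basename "$root")"
    sha256_of "$archive" > "$archive.sha256"
    echo "$archive"
}

# Dump the database named in wp-config.php. Fails (returns 1) rather than
# writing an empty file when mysqldump is missing or the server is unreachable.
backup_db() {
    cfg="$1"; outdir="$2"; stamp="${3:-$(date +%Y%m%d-%H%M%S)}"
    command -v mysqldump >/dev/null 2>&1 || return 1
    dump="$outdir/db-$stamp.sql"
    MYSQL_PWD="$(wp_db_setting "$cfg" DB_PASSWORD)" mysqldump --single-transaction \
        -h "$(wp_db_setting "$cfg" DB_HOST)" -u "$(wp_db_setting "$cfg" DB_USER)" \
        "$(wp_db_setting "$cfg" DB_NAME)" > "$dump" || { rm -f "$dump"; return 1; }
    gzip -f "$dump"
}

# Recompute the checksum and make sure tar can still read the archive.
verify_backup() {
    archive="$1"
    [ "$(sha256_of "$archive")" = "$(cat "$archive.sha256")" ] || return 1
    tar -tzf "$archive" >/dev/null
}

# Drop backups older than KEEP_DAYS (default 14) so the backup disk does not fill.
prune_backups() {
    find "$1" -name 'site-*.tar.gz*' -mtime "+${2:-14}" -exec rm -f {} +
    find "$1" -name 'db-*.sql.gz' -mtime "+${2:-14}" -exec rm -f {} +
}

# Constructed demo site so the script runs offline.
demo_site() {
    d=$(mktemp -d)/wordpress
    mkdir -p "$d/wp-content/uploads"
    cat > "$d/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wp_demo');
define('DB_USER', 'wp_user');
define('DB_PASSWORD', 'correct horse battery staple');
define('DB_HOST', 'localhost');
EOF
    echo hello > "$d/wp-content/uploads/post.txt"
    echo "$d"
}

site=$(demo_site)
out="$(dirname "$site")/backups"
archive=$(backup_site "$site" "$out")
verify_backup "$archive" && echo "ok: $archive ($(cat "$archive.sha256"))"
backup_db "$site/wp-config.php" "$out" 2>/dev/null || echo "database dump skipped (no mysqldump or database here)"
prune_backups "$out" 14
rm -rf "$(dirname "$site")"
```

Point `backup_site` and `backup_db` at the real site from cron, and copy the resulting archive and its .sha256 sidecar off the server (rsync to another machine or object storage) so the copy survives a compromise of the web host. Run `verify_backup` on the copy before you ever need it.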
6. Use scanning tools to check and improve your website security.
There are many useful and free online scanners that will alert you to security weaknesses on your website, or even to an existing compromise. One such tool is Qualys FreeScan; a handy scanner plugin for WP sites is Acunetix WP Security. Scan only sites you own or have permission to test.
If you want to try all kinds of free website scanners to learn just where your website could become compromised, this site offers 75+ scan tools that you can use and test to your heart’s content.