After suffering a disaster, people will often ask me how to secure their website. Securing your website is not difficult with a few steps, and anyone is capable of mastering these with a little effort.
This post is a follow-on to a previous article about automated website backups with CodeGuard; you can read that article here.
This article will assume you're using a content management system (CMS) like WordPress, Joomla or Drupal. We'll further assume that CMS is WordPress, arguably the easiest to use and definitely the most popular CMS in the world today.
How To Secure Your Website
1) Do NOT use "admin" or "Admin" etc. as the username to login to your CMS.
Yes, there are people who still do this even today, even on websites developed by some major companies. I've worked on some of these websites and, lo and behold, the username is "admin".
It's simply good practice to use a non-generic username when selecting a username for any account. Use just about anything non-generic when setting up your WordPress admin username.
2) Do NOT use "admin123" or "password" or "p@ssword" etc. as your password to login to your CMS.
Yes, there are lots and lots of people still using passwords of that ilk. This practice is extremely risky and you're asking for trouble. Your site WILL get hacked; it's just a matter of time. No matter how many passwords you need to remember, there are good practices. An article I wrote will help you to set up strong, secure passwords and never forget them; read that article here.
3) Keep Your CMS Updated (Regularly)
Anyone who's used Windows will know exactly what I'm referring to. There have been some notably serious security breaches and they always seem to be on the rise. The way to keep ahead with Windows and any software is to keep it updated regularly. CMSs, and WordPress in particular, are no exception. Make sure your WordPress core is updated. This can be done easily by logging into your WordPress Admin and clicking a button to check for updates.
As soon as security breaches are discovered, fixes are created and included in the latest updates. This is a point I can't overstate: make sure your WordPress is always up to date.
4) Keep Plugins Updated (Regularly)
This point goes hand-in-hand with the previous one. A prime example would be the recent Yoast WordPress SEO plugin security flaw. This is potentially extremely serious and affects millions of users across the internet.
5) Install an SSL Certificate
An SSL certificate encrypts communication between your website visitor and your website. In essence, even if the data is somehow intercepted, it cannot be read because it's encrypted. The benefits of this are huge: think visitor passwords, credit card numbers, personal information etc.
An SSL certificate is always a good idea on any website, but on Ecommerce sites or any sites with user or other sensitive data I believe it's mandatory.
6) Adopt CMS Specific Security Best Practices
Each CMS has specific things you can do to harden it and make sure it's as secure as possible. For WordPress websites a good practice is to password protect your WordPress Admin directory. Find out how to password protect your WordPress Admin and harden your WordPress website in this article in the WordPress Codex.
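One way to apply the wp-admin password protection mentioned above on an Apache 2.4 server, as an added example that is not from the original article or the WordPress Codex. The function name, paths and realm name are assumptions; it also assumes the host honours `.htaccess` auth directives and that the site is already on HTTPS, since Basic auth credentials are not encrypted on their own.

```shell
#!/bin/sh
# Added example. Writes wp-admin/.htaccess for Apache 2.4 so the admin area
# asks for HTTP Basic credentials before WordPress's own login is reached.
# Assumes the vhost allows "AllowOverride AuthConfig" and the site is served
# over HTTPS (Basic auth credentials are only base64-encoded on the wire).

# protect_wp_admin WP_ROOT HTPASSWD_FILE   (hypothetical helper name)
#   WP_ROOT        directory that contains wp-admin/
#   HTPASSWD_FILE  existing password file, e.g. made with: htpasswd -c -B FILE USER
protect_wp_admin() {
    wp_root=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such directory: $1" >&2; return 1; }
    htpasswd_file=$2

    if [ ! -d "$wp_root/wp-admin" ]; then
        echo "no wp-admin/ under $wp_root" >&2; return 1
    fi
    # Apache needs an absolute path, and a missing file makes wp-admin return 500.
    case $htpasswd_file in
        /*) ;;
        *) echo "password file path must be absolute" >&2; return 1 ;;
    esac
    if [ ! -f "$htpasswd_file" ]; then
        echo "password file not found: $htpasswd_file" >&2; return 1
    fi
    # A password file inside the web root could be fetched by a browser.
    case $htpasswd_file in
        "$wp_root"/*) echo "keep the password file outside $wp_root" >&2; return 1 ;;
    esac

    target=$wp_root/wp-admin/.htaccess
    # Keep any existing rules so the change can be rolled back.
    if [ -e "$target" ]; then cp -p "$target" "$target.bak"; fi

    cat > "$target" <<EOF
# Second login in front of the WordPress admin area.
AuthType Basic
AuthName "Restricted"
AuthUserFile "$htpasswd_file"
Require valid-user

# Themes and plugins call admin-ajax.php for logged-out visitors; leave it open.
<Files "admin-ajax.php">
    Require all granted
</Files>
EOF
}
```

After running it, load a front-end page that relies on AJAX as well as `/wp-admin/` itself, to confirm the first still works without a prompt and the second asks for credentials.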
To sum it all up, no single item listed above is good enough on its own. A total and effective solution is a combination of each of the points above. Protect your valuable website, your visitors and your valuable data by practicing these simple steps. You and your visitors won't regret your diligence.