Zombie-Proof Your Website
With big-name website hacks in the news and Halloween just around the corner, we thought it time we talk a little bit about website security. Here are 8 basic tricks to zombie-proof your website or blog.
1. Buy Sucuri
We’ve said it before and we’ll say it again. The best defense is a good offense and Sucuri offers both.
They will monitor your website at regular intervals looking for anything that's out of place or has been hacked. They also offer a firewall proxy that sits in front of your site, so content that's been hacked elsewhere doesn't end up loaded by your website. Finally, IF anything does happen, they'll log in and fix it.
Whether you’re using WordPress or your website is static HTML, you want the people at Sucuri on your side when the zombie hordes approach.
2. Use Crazy-strong Passwords
Of all the security tips we can give you, strong passwords are by far the easiest to execute, but the most common mistake. Organizations like SplashData annually publish their list of the worst passwords being used. Year over year, the same passwords top the list. Last year, for the first time, "Password" unseated "123456" as the worst password for 2013.
Take a quick look at the most recent worst passwords list from SplashData and if your password is on the list, you should seriously consider changing it (and maybe re-examining your life choices).
There are TONS of free, strong password generators. One of our favorites is StrongPasswordGenerator because of its extensive options and phonetic words (i.e. “It’s easier to remember as:”).
When the zombies attack your website, it’s best not to leave the combination 1-2-3-4… Even the walking dead could figure that out.
3. Fire Your First Admin User
Many installers will have you create your first admin user during setup. That user almost always has the user ID of 1. So zombies can safely assume that whoever has user ID 1 is an admin, and they'll try to brute-force that user account.
The fix is easy.
Simply create another admin user (this time it'll have a user ID of 3 or 9 or 431 or whatever). Then, you can either delete the original admin user (user ID 1) or just demote that user to the absolute lowest access role (in WordPress that's "Subscriber").
In either case, you’ve made the zombie’s job considerably harder by removing or demoting the user you created during setup.
4. Harden Your Usernames
Most admins don’t think much about usernames so they tend to be dead-easy to guess. That’s a mistake. Remember, it’s a username/password combination. If your username is “admin” or the name of your website, you’ve cut the difficulty in hacking it in half.
Consider a username that's totally different from your own name, your website, and anything else that's obvious. Instead, try something like "tacobriefcase" as your cPanel username and "appleaday" for your FTP username. Get creative.
Hardening not just your password but your username makes it harder for zombies to hack your website. Security experts call this "security through obscurity", but I like to think of it as just being as confusing as possible. What's funnier than a confused zombie? Nothing.
5. Stay Up-to-Date
If you're using WordPress, updating is as easy as clicking the "Update" link. For static websites, it's a good idea to remember that all those jQuery plugins and PHP scripts you downloaded from GitHub need to be updated periodically. Sometimes these patches just add new functionality or improve existing features. But sometimes a huge security vulnerability has been identified and the author has fixed it, but it's still up to you to manually upgrade to the latest version.
6. Set Proper Permissions
I can't tell you how many websites we've worked on that had permissions wide open (777). That's never a good idea, but it's not your fault. There is tons of documentation that recommends this during install, but it neglects to mention that you should reset these permissions once the install is complete.
For example, the WordPress Codex recommends setting all file permissions to 644 and all folders to 755.
That's fine, but that's a pretty broad-stroked permissions scheme. A better one might look like:
- All folders in /wp-admin/ and /wp-includes/ set to 775
- All files set to 664
- All folders in /wp-content/ set to 755
- All files in /wp-content/themes/ set to 644
- wp-config.php set to 660
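As an added example (not from the original post), here is a small POSIX shell script that audits a WordPress tree for the "wide open" world-writable paths described above and then applies the scheme from the list. The site root path, the helper names and the sample tree built by make_sample_site are all assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit for world-writable paths and apply the WordPress
# permission scheme from the post. Assumes a standard WordPress layout
# rooted at the directory passed as $1 (hypothetical helper names).

# Count paths that are world-writable (the 777-style "wide open" case).
# Uses octal -perm -002 so it works with both GNU and BSD find.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Apply the scheme from the list above to the tree rooted at $1.
apply_wp_permissions() {
    site="$1"
    for d in wp-admin wp-includes; do
        find "$site/$d" -type d -exec chmod 775 {} +   # folders 775
        find "$site/$d" -type f -exec chmod 664 {} +   # files 664
    done
    find "$site/wp-content" -type d -exec chmod 755 {} +          # folders 755
    find "$site/wp-content/themes" -type f -exec chmod 644 {} +   # theme files 644
    chmod 660 "$site/wp-config.php"                               # config 660
}

# Return the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build a constructed sample tree with everything below the root left at 777,
# mimicking what a careless install guide leaves behind.
make_sample_site() {
    site="$1"
    mkdir -p "$site/wp-admin/css" "$site/wp-includes" "$site/wp-content/themes/demo"
    touch "$site/wp-admin/css/a.css" "$site/wp-includes/b.php" \
          "$site/wp-content/themes/demo/style.css" "$site/wp-config.php"
    chmod -R 777 "$site"/*
}
```

Run it against a copy of your site first; on a real install, world-writable paths that remain after the fix are the ones the script's rules didn't cover and deserve a manual look.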
7. Have an Escape Plan
If the zombies DO overtake your website defenses, it’s a good idea to have an escape plan in the form of maintaining regular on-site (for recovery speed) and off-site (for added security) backups of everything (database AND files).
Many website hosting providers already offer automated off-site backups. To manage your own backups for a WordPress site, we highly recommend BackupBuddy from iThemes. For static websites, you could maintain copies of all your files on your local machine and then replicate those copies to an external hard drive you keep in a secure location.
In this way, you could nuke the zombie infestation and rebuild everything quickly from your most recent, pristine backup.
8. Finally, Know Thy Enemy
Sun Tzu said, “Know thy enemy as you know yourself.” Hackers, like zombies, don’t rest. They will keep coming up with more and more elaborate ways of achieving their goals. They don’t care if you don’t have anything worth stealing (or eating). They are mindless, relentless creatures hell-bent on destruction.
Know your enemy. Read website security blogs. Subscribe to security notification emails. Stay in the know and never be caught off guard.
and… have a happy Halloween!