5 Security Fixes You Need Today

Hacking attacks are in the headlines every day, from Target to Sony Pictures to the U.S. Government. While those have cost billions of dollars in damages, they are not typical. The vast majority of attacks are small scale and target websites indiscriminately. It does not matter how small your website is or how little traffic you have: YOU ARE A TARGET.

The reason is robots. The image of a lone hacker in a dark room trying to crack the security of a particular site is out of date. Today's hacking is done by automated scanners (bots) that probe thousands or even millions of sites at the same time for known weaknesses. Why? Money.

They are seeking out systems that can be broken into in order to set up phishing sites for identity theft and credit card fraud, or to create spambots that send millions of emails from your account until your host shuts down your site or your domain gets blacklisted. They even replace your content with ads for erectile dysfunction pills and fake designer merchandise.

Now are you afraid? Good, you should be. But here are 5 steps you can take today that will substantially reduce your exposure (there are no perfectly secure systems, just ones that are not worth the bother).

Step #1 Survey the Situation

The first thing to do is find out whether your site has already been compromised. There are a number of services that will scan your site for free; we recommend Sucuri and its SiteCheck scanner. Go ahead, click on the link and test your site right now. We'll wait for you. Keep in mind that a remote scanner only sees what your public pages show, so a clean result means nothing obvious is visible, not that the server is certainly clean.

How did it go? If the scan comes back clean except for a "No firewall detected" notice, you're good for now and can go through the rest of the steps (we'll explain the firewall comment later).

Did it say it detected malware or that your site is blacklisted? If it did, stop what you are doing, sign up for their service ($199.99 a year) and have them clean it up. Once they have, come back and follow steps 2 through 5: a cleanup removes the malware, but not the outdated software or weak passwords that let it in, so the bots will simply come back.

Step #2 Update Everything

When all websites were just static HTML there was not a lot of concern over security. There was also not a lot that websites could do. But then we started adding Java applets and JavaScript, widgets and all sorts of interactivity. Each addition made the web more useful but also less secure. Content Management Systems (CMS) like WordPress, Joomla and Drupal really raised the bar on usability, and on vulnerability: they run server-side code (PHP) that anyone on the internet can send input to.

To close security holes as they are found, these systems and widgets are constantly updated. Once a fix is released the vulnerability is announced, which tells attackers exactly what to search for, and their bots start scanning for sites still running the old version soon after. If you haven't updated, they are searching for you.

HTML Websites

If your site is written in traditional HTML or HTML5 you probably still have widgets and add-ons that need updating (like those groovy fly-out menus, which are usually JavaScript libraries). Unless you are an expert in HTML coding, have your web developer do the updating.

CMS Sites

If your site is created using WordPress, Joomla or Drupal there are things you can do as long as you have Administrator privileges. We will be talking mainly about WordPress since that is the most common.

The first thing to do is find out what version of your CMS you are using and what the most current version is. This is usually shown right on your Dashboard or Control Panel. If you are not on the most current version you will need to update, but before you do, take a backup (see Step #5) and check that your themes and plugins are compatible. Go to the website or information page for each one and see if it is listed as compatible with the new version.

If you have been using free plugins or themes there's a good chance they have not been updated; look at the "last updated" date on each one's page. An abandoned plugin is a security risk as well as a compatibility risk. You should bite the bullet and replace them with actively maintained versions (often paid) that have a large installed base and are consistently updated. If you don't, there is a good chance they will break your site when you update the CMS. Also delete, not just deactivate, any plugins that are not needed or not used: a deactivated plugin's files are still on the server and can still be reached directly by an attacker. Then update each theme and plugin; in WordPress you can do this from Updates under the Dashboard menu tab.

You can now update the CMS the same way. Then test to make sure everything is working; pay particular attention to things like contact forms and galleries. If you can, turn on automatic updates so you stay up to date.
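Here is the whole Step #2 procedure as a WP-CLI script. This is an added example written for this article, not something from the original post or from WordPress itself. It assumes WP-CLI (https://wp-cli.org) is installed on the server and that you run it from the WordPress root; the backup file name and the "run" argument are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original article: Step #2 (backup, inventory,
# update extensions, then core) with WP-CLI. Run from the WordPress root:
#   sh update-site.sh run
set -e

# outdated_from_csv: reads the CSV that `wp plugin list --update=available --format=csv`
# (or the theme equivalent) prints and returns "name current -> available" lines.
# Kept as a separate function so the parsing can be checked on sample data offline.
outdated_from_csv() {
    awk -F, 'NR > 1 && $3 != "" { printf "%s %s -> %s\n", $1, $2, $3 }'
}

update_site() {
    # 1. Snapshot first: a database dump plus the core version, so a broken update
    #    can be rolled back (this is the Step #5 backup, taken at the moment it matters).
    stamp=$(date +%Y%m%d-%H%M%S)
    wp db export "backup-$stamp.sql"
    printf 'Core version before: %s\n' "$(wp core version)"

    # 2. Report what is outdated before touching anything.
    wp plugin list --update=available --fields=name,version,update_version --format=csv | outdated_from_csv
    wp theme  list --update=available --fields=name,version,update_version --format=csv | outdated_from_csv

    # 3. Inactive plugins are dead weight with an attack surface: list them so they can be deleted.
    printf 'Inactive plugins (delete these if unused): %s\n' \
        "$(wp plugin list --status=inactive --field=name | tr '\n' ' ')"

    # 4. Extensions first, then core, then the database schema, then verify the core
    #    files against the checksums published by WordPress.org (catches tampered files).
    wp plugin update --all
    wp theme update --all
    wp core update
    wp core update-db
    wp core verify-checksums
    printf 'Core version after: %s\n' "$(wp core version)"
}

if [ "${1:-}" = "run" ]; then
    update_site
fi
```

Run it once with no argument to make sure it parses, then with "run". If verify-checksums reports files that should not exist, stop: that is the signature of a site that was already compromised, and you are back at Step #1.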

Step #3 Limit Access

The fewer users who have access to your administration functions, the better. Go to the page that lists your users. You may be surprised to find dozens or hundreds of users you didn't know about (spam registrations, or accounts an attacker created for themselves). Delete any fake users and downgrade every remaining account to the lowest role that works. If you have people adding content to the site, make them editors. That way they can add content without having access to administrative functions such as installing plugins.

Next get rid of "admin" as a username. Set up a new administrative account with a different name, log in as that account, then delete "admin" and assign its content to the new user. Bots try the username "admin" first, so this takes away half of a blind guess at your credentials. Note that WordPress still shows the author name on posts, so pick a login name that differs from the display name shown to visitors.

Change all passwords for all users to strong ones, 15 to 20 random characters. Use a password manager to generate and store them. Do not write them down on a sticky note on your monitor.
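The same clean-up as a WP-CLI script, as an added example that is not part of the original article. It assumes WP-CLI on the server, a replacement administrator name supplied in NEW_ADMIN, the content-only accounts listed in CONTENT_USERS, and the placeholder e-mail domain yoursitename.com; every name below is invented for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: the Step #3 account clean-up
# with WP-CLI (must be installed on the server). Run from the WordPress root:
#   NEW_ADMIN=sitemanager CONTENT_USERS="bob carol" sh audit-users.sh run
# All user names and the e-mail domain are placeholders for this example.
set -e

# gen_password LENGTH: LENGTH random characters from a 62-symbol alphabet, drawn
# from the kernel CSPRNG. 20 characters gives about 119 bits of entropy.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-20}"
}

# is_strong PASSWORD: the article's policy, 15 to 20 random characters.
is_strong() {
    n=$(printf '%s' "$1" | wc -c)
    [ "$n" -ge 15 ] && [ "$n" -le 20 ]
}

audit_users() {
    new_admin=${NEW_ADMIN:?set NEW_ADMIN to the login name of the replacement administrator}

    # 1. Who has which role? Anything you do not recognise here is suspect.
    wp user list --fields=ID,user_login,user_email,roles,user_registered

    # 2. Create the replacement administrator under a non-obvious name.
    pw=$(gen_password 20)
    wp user create "$new_admin" "$new_admin@yoursitename.com" --role=administrator --user_pass="$pw"
    printf 'administrator %s: %s\n' "$new_admin" "$pw"

    # 3. Retire the well-known "admin" login, handing its posts to the new account,
    #    so the bots' favourite user name no longer exists.
    new_id=$(wp user get "$new_admin" --field=ID)
    if wp user get admin --field=ID >/dev/null 2>&1; then
        wp user delete admin --reassign="$new_id" --yes
    fi

    # 4. Content-only people become editors: they can publish but cannot install plugins.
    for u in ${CONTENT_USERS:-}; do
        wp user set-role "$u" editor
    done

    # 5. Fresh strong passwords for everyone else; hand them out through the password manager.
    for u in $(wp user list --field=user_login); do
        [ "$u" = "$new_admin" ] && continue
        pw=$(gen_password 20)
        wp user update "$u" --user_pass="$pw" --skip-email
        printf 'user %s: %s\n' "$u" "$pw"
    done
}

if [ "${1:-}" = "run" ]; then
    audit_users
fi
```

The generated passwords are printed to the terminal exactly once; paste them into the password manager and then clear your terminal history. Do step 1 by hand first and delete the accounts you do not recognise before running the rest.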

You will also need to harden your .htaccess file (the Apache configuration file in your site's root folder). If you don't know what that means, have your web developer take care of it.

For WordPress the default code is something like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Keep that block exactly as it is and add the rules below above it, outside the markers. WordPress rewrites everything between "# BEGIN WordPress" and "# END WordPress" whenever you save your permalink settings, so custom rules placed inside the markers silently disappear:

# BEGIN Hardening
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Refuse login POSTs that do not arrive with a Referer from this site (http and https are both accepted).
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?yoursitename\.com(/|$) [NC]
RewriteCond %{REQUEST_URI} ^/wp-login\.php [NC]
RewriteRule .* - [F,L]

# Refuse XML-RPC entirely; it is a favourite brute-force and amplification target.
RewriteCond %{REQUEST_URI} ^/xmlrpc\.php [NC]
RewriteRule .* - [F,L]

# Refuse query strings that probe for environment variables or your configuration file.
RewriteCond %{QUERY_STRING} environ [NC,OR]
RewriteCond %{QUERY_STRING} wp-config\.php [NC]
RewriteRule .* - [F,L]

# Never serve PHP out of the uploads folder; that is where attackers drop their web shells.
RewriteCond %{REQUEST_URI} ^/wp-content/uploads/.*\.php [NC]
RewriteRule .* - [F,L]
</IfModule>
# END Hardening

In the code change

yoursitename.com

to match your website, keeping the backslash before the dot. If your site is only served over https, change https? to https. Three things to know before you rely on this:

The version of this recipe that circulates online matched only http:// in the Referer, which locks you out of your own login page the moment your site moves to https, and it also listed wp-admin. Blocking POSTs to wp-admin breaks any plugin that receives callbacks from a third party at wp-admin/admin-ajax.php, so it is left out here.

The Referer header is supplied by the client. A scanner that bothers to set it walks straight past the login rule, and a browser or extension that suppresses Referer cannot log in at all. Treat this as a filter for the crudest bots, not as a control; real login protection comes from the brute-force blocking in the security software in Step #4.

Blocking xmlrpc.php also blocks Jetpack and the WordPress mobile apps. If you use either, drop that rule. (A separate .htaccess inside the uploads folder that denies all .php files is the more robust form of the last rule.)

Don't do this if you are uncomfortable; a mistake in this file takes the whole site down with a 500 error. Keep a copy of the original, make the change, and load the site and the login page immediately afterwards.
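Once the rules are in place, check them from your own computer. The script below is an added example, not part of the original article; it assumes only that curl is installed and that SITE is set to your domain (the default https://yoursitename.com is a placeholder that does not resolve). It also demonstrates the Referer caveat: the last check sends a forged Referer and is expected to get through.

```shell
#!/bin/sh
# Added example, not part of the original article: probe a site to confirm the
# hardening rules are active and that a normal login is still possible.
#   SITE=https://yoursitename.com sh check-htaccess.sh run
SITE="${SITE:-https://yoursitename.com}"

# http_code METHOD PATH [REFERER]
# Prints the HTTP status code curl got back; the body is discarded.
http_code() {
    method=$1; path=$2; referer=${3:-}
    if [ -n "$referer" ]; then
        curl -s -o /dev/null -w '%{http_code}' -X "$method" -H "Referer: $referer" "$SITE$path"
    else
        curl -s -o /dev/null -w '%{http_code}' -X "$method" "$SITE$path"
    fi
}

# expect EXPECTED METHOD PATH [REFERER]
# Prints PASS or FAIL and returns 0 only on a match, so callers can count failures.
expect() {
    want=$1; shift
    got=$(http_code "$@")
    if [ "$got" = "$want" ]; then
        printf 'PASS %s %s -> %s\n' "$1" "$2" "$got"
    else
        printf 'FAIL %s %s -> %s (wanted %s)\n' "$1" "$2" "$got" "$want"
        return 1
    fi
}

run_checks() {
    fails=0
    # Rules that should fire (Apache answers 403 for [F]):
    expect 403 POST /wp-login.php                         || fails=$((fails+1))  # no Referer at all
    expect 403 POST /wp-login.php https://evil.example/   || fails=$((fails+1))  # foreign Referer
    expect 403 GET  /xmlrpc.php                           || fails=$((fails+1))
    expect 403 GET  /wp-content/uploads/2015/01/shell.php || fails=$((fails+1))  # path is made up
    expect 403 GET  '/index.php?file=../wp-config.php'    || fails=$((fails+1))
    # Things that must keep working:
    expect 200 GET  /wp-login.php                         || fails=$((fails+1))  # login form still loads
    expect 200 GET  /                                     || fails=$((fails+1))
    # The Referer is client-controlled. A bot that forges it is NOT stopped by the rule,
    # so WordPress itself answers this one (200 with an error message for empty credentials).
    expect 200 POST /wp-login.php "$SITE/wp-login.php"    || fails=$((fails+1))
    return $fails
}

if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

A FAIL on one of the 403 lines means the rule is not active (check that the rules sit outside the WordPress markers and that mod_rewrite is enabled); a FAIL on the GET /wp-login.php line means you have locked yourself out. If the site sits behind a CDN or the Sucuri firewall, the codes you see come from that layer and may differ.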

Step #4 Install Security Software

Now that you have your site secured, the best way to keep it that way is to install security monitoring software. For WordPress sites the two main choices are Sucuri and Wordfence. Each offers both free and paid services.

Both free versions will scan your site for changed files and malware and watch login attempts. For a free solution we tend to use Wordfence; it is simple and works well. If you use the paid version of Sucuri and something goes wrong, they fix it as part of your subscription.

Step #5 Backup

Backups might not seem like a security issue, but they are very important. If there is a successful breach, a good backup from before the breach can get you back up and running. There are a number of plugins for WordPress that can automate your backups; we use WP Backitup. Two rules: keep the copies somewhere other than the web server itself (an attacker who controls the server can delete or infect backups stored there), and restore one to a test site at least once so you know the backup actually works.

There are also online services that will handle backups, including Sucuri. And don't forget to check with your hosting provider. Most back up sites on a regular basis, but ask how long they keep copies: if a breach went unnoticed for a month, a seven-day retention window leaves you with only infected backups.

BONUS Step #6 Cure Your Headache

Web technology changes every day. You probably don't have the time, or the interest, to keep up with technical details that can cause you all sorts of grief.

Call Slant Communications at 616.886.189 or contact here.

We will evaluate your site and help you decide what you do and don’t need. When things change it will be our headache, not yours.