The mantra of any good security engineer is: ‘Security is not a product, but a process.’ It’s more than designing strong cryptography into a system; it’s designing the entire system such that all security measures, including cryptography, work together.
Keep your Content Management System (CMS) up to date
Content management systems do not stand still. They evolve as bugs and loopholes are discovered and fixed. This is why it is important to update to the latest version of your CMS, whether that is WordPress, Joomla or one of the many others out there. The same applies to any plugins or theme files you are using in the CMS. For sites that Graphitedge look after this happens once a month – usually the 15th of the month. This ensures that the CMS, plugins and theme are all updated around the same time.
The best process to use:
- Back up your site and database, in case you have to roll back if anything breaks.
- Apply your core CMS update.
- Apply your plugin updates.
- Apply your theme updates.
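As an added example (not from the original post), here is a small Python wrapper that carries out the four steps above with WP-CLI in the stated order and, if an update step fails, restores the site and database from the backup it just made. The site path, backup directory and the injectable `runner` are assumptions of this example; `wp db export`, `wp core update`, `wp plugin update --all`, `wp theme update --all` and `wp db import` are real WP-CLI subcommands.

```python
import subprocess
import time

# Assumed setup (not from the post): a WordPress site managed with WP-CLI at
# site_path, with backups written to backup_dir. The wrapper and its ordering
# are this example's own; the wp subcommands are real WP-CLI commands.

def update_plan(site_path, backup_dir, stamp):
    """Return (backup, updates, rollback) command lists for one run."""
    path = f"--path={site_path}"
    db_dump = f"{backup_dir}/db-{stamp}.sql"
    files_tar = f"{backup_dir}/files-{stamp}.tar.gz"
    backup = [
        ["wp", "db", "export", db_dump, path],
        ["tar", "-czf", files_tar, "-C", site_path, "."],
    ]
    updates = [  # the order the post recommends: core, then plugins, then themes
        ["wp", "core", "update", path],
        ["wp", "plugin", "update", "--all", path],
        ["wp", "theme", "update", "--all", path],
    ]
    rollback = [
        ["tar", "-xzf", files_tar, "-C", site_path],
        ["wp", "db", "import", db_dump, path],
    ]
    return backup, updates, rollback

def run_maintenance(site_path, backup_dir, runner=subprocess.run, stamp=None):
    """Back up, then update; on any failed update step restore files and DB.
    Returns (ok, executed), where executed lists every command that ran.
    runner is injectable so the flow can be exercised without a real site."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    backup, updates, rollback = update_plan(site_path, backup_dir, stamp)
    executed = []
    for cmd in backup:
        executed.append(cmd)
        if runner(cmd).returncode != 0:
            return False, executed  # no usable backup: leave the site untouched
    for cmd in updates:
        executed.append(cmd)
        if runner(cmd).returncode != 0:
            for rb in rollback:     # something broke: restore the previous version
                executed.append(rb)
                runner(rb)
            return False, executed
    return True, executed
```

Run it with the default `runner` on a real site to perform the maintenance, or pass a fake runner to check the sequence first.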
Once this is all done you should see your website working as normal. If at any point something breaks, it is just a matter of restoring your site to the previous version, with no data loss. The culprit when this process breaks is usually a plugin, so check which CMS version your plugin has been tested with.
Uninstalling unused features
Whilst we are on the subject of plugins and themes, it is always a good idea to uninstall any plugins and themes you are not using, as they can become a security hole if they are not kept updated.
Using a Trusted Provider of Third Party Assets
It is always a good idea to use only trusted third party assets. These are assets like plugins and themes that are vetted by the community, usually within the CMS home site in a downloads, plugins or themes section. WordPress.org has Plugins and Themes sections where you can search for the assets you need. Joomla.org has an Extensions section which holds both plugins (or extensions) and page builders; themes for Joomla tend to come from other providers.
When getting plugins and themes I always look at when they were last updated, how many live installs there are of the item and how they are rated. I also read any comments about the item as well to help make up my mind about which one to use.
Do you use Admin as a username?
It is never a good idea to use the default Admin as a username. I use the randomly generated username that was created when I installed my CMS. I also use a very strong password on this and on all accounts that have access to the database. Speaking of which, do you have a separate database user for your CMS to access your database? That username should also be something that is not easy to guess, and its password should be very strong.
Another way you can protect your login and password is through two-factor authentication. Two-factor authentication protects users from password reuse, phishing and keylogger attacks. It uses your phone number or some other second factor to confirm that it is actually you logging in.
WordPress has several two-factor plugins that you can install. The most popular ones (in alphabetical order) are:
Joomla has had two-factor authentication built in as of version 3.2.0.
For other CMS platforms, please check out their documentation and plugin libraries for recommended two-factor authentication.
Limit Login Attempts
If you have recently installed WordPress, it will ask you if you would like to “limit login attempts”. This is always a good idea. This plugin has been part of the automatic install for a while, so if you do not have it, it is a good idea to install it. Another good plugin for WordPress is WPMU DEV’s Defender plugin. This does a good job of stopping and blocking IP addresses behind unwanted login attempts. It also emails you a report of how many attempts have been made over a period of time and how many IP addresses it has blocked.
As stated above, check your own CMS documentation to see what may be available for your website.
HTTPS and other Server related items
Google’s ranking algorithm now rewards sites that use HTTPS, and using it also means that traffic between your website and its visitors is encrypted as it crosses the internet. HTTPS is not about securing the website itself; it is about securing the information that is transmitted by the website, especially:
- Personally Identifiable Information
- e-commerce transaction data
- any other sensitive data
So even though HTTPS does not secure your website it does secure the transmissions from your website, and that is a good thing.
An endpoint firewall is a plugin or piece of software that protects your server against attacks. This is slightly different from a cloud based solution, as it is loaded directly onto your server. Cloud firewall providers do not necessarily protect your server per se, and in some instances are not as effective.
Conducting a search on the plugins or extension directory provides you with a wide choice.
Whilst we are talking about servers, it is always a good idea to find out how your hosting company deals with attacks, how they notify you, and what processes they have in place to protect the websites hosted on their servers.
So there you have it. This is not an exhaustive list of what you should do, but just as you would put a security system in place for your brick ‘n’ mortar business or your home, you need to do similar things for your website.