Website Security Basics
#1
Website security depends a great deal on your actions. Yes, your server security is also important, but most modern servers have good security measures. However, your actions can make your website vulnerable. This article is a guide to basic security steps you should take to help keep your website as safe as you can. Nothing online is 100% secure though. But, you can help reduce security issues by following these measures.
  • Never give root access to your server. There’s really no reason anyone needs that sort of access unless you are changing hosts. Root access gives someone full control over your server. They can delete your entire server. Instead, see what they need the access for and provide FTP access. If necessary, you can give control panel access but even that usually isn’t needed if they have FTP and database access. If software has specifications that require your server to be updated, have your host do it. If you self host on unmanaged hosting, you should be able to install or update your server on your own. If you can’t, you should choose managed hosting.
  • Be careful what you install to your website. Plugins and themes can be great, but they can also open security holes. Make sure whatever you are installing is something you actually need. Make sure it’s got recent updates. Check ratings and reviews.
  • If you don’t know anything about development/coding, don’t make coding changes to your site based on various tutorials you may find. Those tutorials could be old code and could open up security holes.
  • The above issue also brings up this one. Be aware that any custom changes you make to whatever script you use (WordPress, VB, Ghost, etc.) are modifying the original code unless you are using hooks or an API. Modifying core files is NOT recommended. It can make the core script unstable and open to security issues. This is why it tends to void support by the script developer. It can also make upgrading much more difficult and costly.
  • Keep your software up to date. Most script developers release updates which can include security fixes. Updates also bring newer code to replace old code that might not be as secure or optimized. If using plugins, keep those updated as well. If your software does not have recent updates, you might want to look for other software to use. Same for plugins and themes.
  • Limit the number of people that you allow to work on your site. Try to stay to those you trust. Every person that accesses your server, or adds things to your website, can be a security risk as you don’t know the precautions they may be taking to ensure their access isn’t compromised.
  • It’s best to keep your super admin user just for making changes, updates, and administration. We use a second user for posting, interacting with members, and other daily activities.
  • When logging in to your admin area, it’s best to do that in a secure browser that you don’t use for general surfing. This helps to keep your admin user from being compromised by nefarious ads, session hijacking, etc. I always set my “safe” browser to also delete all history upon closing and I close it after I’m done in admin.
  • NEVER use “remember me” on any site. We remove it from all of our sites as well. It can allow a user’s account to be hacked. Big sites with huge budgets can have security measures to stop that. For those without those budgets, it’s just safer to disable that feature.
The above covers some of the security measures that we hope help keep you safe. It’s up to you whether you want to employ those. Feel free to ask questions if you have any concerns.
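The first post's advice to hand out file-transfer access rather than root access can be enforced at the server rather than by policy alone. The fragment below is an added example, not part of the original post; it assumes an OpenSSH server and uses SFTP (file transfer over SSH) as the modern stand-in for the FTP the post mentions. The account name `site-contractor` and the path `/srv/www/example-site` are placeholders.

```conf
# Added example (not from the original post): an sshd_config fragment that gives a
# contractor SFTP-only access to one site directory instead of root or shell access.
# Assumptions: OpenSSH server, a Unix account named "site-contractor" (placeholder),
# and the site files living under /srv/www/example-site (placeholder path).

# Nobody logs in as root over SSH; administrators use their own accounts and sudo.
PermitRootLogin no

# Use the built-in SFTP server so the chroot below needs no binaries inside it.
Subsystem sftp internal-sftp

# Match blocks apply to everything that follows them, so keep them at the end of the file.
Match User site-contractor
    # Confine the session to this directory. OpenSSH requires the chroot
    # directory itself (and every parent) to be owned by root and not
    # group- or world-writable; put the writable site files in a subdirectory.
    ChrootDirectory /srv/www/example-site
    # Only SFTP: no shell, no scp, no arbitrary commands.
    ForceCommand internal-sftp
    # No tunnels into the server or out of it through this account.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    AllowAgentForwarding no
```

Before reloading the daemon, run `sshd -t` to check the file for syntax errors; a broken sshd_config can lock you out of your own server. Because the chroot directory must be root-owned and not writable by the contractor, the usual layout is a root-owned `/srv/www/example-site` with a subdirectory (for example `htdocs`) owned by `site-contractor`, which is the only place the account can write. If the contractor needs to run updates that require more than file access, that is the point at which the post's advice applies: have the host or your own administrator account do it rather than widening this account.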
#2
Excellent tips on website security. I actually read this twice, so I could soak it all in. Your tips are beyond the common sense webmasters use and bring security to an optimum level if these tips are followed. For me, the gravest issue I brought on to myself when I was using vBulletin was adding a lot of plugins. At the time, I was excited about the features of these plugins and what they would add to the member experience on my website. I really had no idea that the flip side of plugins/addons was that they actually damaged my core. I also loved the specialty skins, but the problem with those skins came when vBulletin would do updates and a lot of times the updates would fail because of the custom skins. You get into a really challenged loop of issues when you have to update your website, but the skin breaks it. So, on custom work, as you mentioned, one either has to be skilled enough to manage it as you update or have someone you really trust to work on your server.

I do agree, the less access to your server the better, and use of FTP is preferable.

Nice suggestion to use different browsers too. I'll start implementing that security protocol.