This is undoubtedly a great thing; however, an unfortunate side effect is that now there are many webmasters who do not understand how to make sure their website is secure, or even understand the importance of securing their website. In this post, I want to share with you the top 10 steps all webmasters and website owners can (and should) take to keep their website secure.
1 – Update, Update, Update!
This is something we cannot stress enough here at Sucuri. Countless websites are compromised every day due to the outdated and insecure software used to run them. It is incredibly important to update your site as soon as a new plugin or CMS version is available. Most hacking these days is entirely automated. Bots are constantly scanning every site they can for exploitation opportunities. It is not good enough to update once a month or even once a week because bots are very likely to find a vulnerability before you patch it. Unless you are running a website firewall, you need to update as soon as updates are released. If running WordPress, I personally recommend the plugin ‘WP Updates Notifier’. It emails you to let you know when a plugin or WordPress core update is available. You should also follow @sucuri_security on Twitter to get notified about important updates and security warnings.
2 – Passwords
Working on client sites, I often need to log into their site/server using their admin user details and am frequently disturbed by how insecure their root passwords are. It’s scary that I have to say this, but admin/admin is not a secure username and password combination. If your password appears in this list of most common passwords, it is guaranteed that your site will be hacked at some point.
Even if your password is not on that list, there are a lot of misconceptions about “strong” passwords. The lax requirements on most password strength meters are part of the problem. Our friends at WP Engine have put together some interesting research that debunks many of the myths surrounding passwords.
When it comes to choosing a password there are 3 key requirements that should always be followed (CLU – Complex, Long, Unique):
COMPLEX: Passwords should be random. Do not let someone hack your account just because they could find out your birth date or favorite sports team. Password-cracking programs can guess millions of passwords in minutes. If you have real words in your password, it isn’t random. You might think you are clever for using leetspeak (letters replaced with characters L1K3 TH15) but even these are not as secure as a completely random string of characters. Hackers have compiled some seriously impressive word lists for cracking passwords.
LONG: Passwords should be 12+ characters long. I know some in the security community would scoff at a 12 character password and insist that passwords should be longer. However, when it comes to online login systems, any system that is following simple security guidelines should limit the number of failed login attempts. If there is a limit on the number of failed login attempts, a 12 character password will easily stop anyone from guessing it in just a few attempts. Having said that, the longer the password, the better.
UNIQUE: Do not reuse passwords! Every single password you have should be unique. This simple rule dramatically limits the impact of any password being compromised. Having someone find out your FTP password should not enable them to log in to your email or internet banking account. Contrary to popular belief, we are not as unique as we believe ourselves to be; if you can randomly generate the password, even better.
Now I can already hear you ask, “how am I supposed to remember 10 random passwords which are all 12 characters long?” The good news is you don’t need to remember them all, and in fact, you should not even try. The answer is to use a password manager such as “LastPass” (online) and “KeePass 2” (offline). These brilliant tools store all your passwords in an encrypted format and can easily generate random passwords at the click of a button. Password managers make it much easier to use strong passwords than it is to memorize a couple of decent passwords.
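As an added example (not code from the original post or from Sucuri), here is the CLU rule set above turned into a check, with a CSPRNG generator standing in for a password manager's "generate" button. The common-password list, the dictionary and the leetspeak map are small constructed stand-ins for the real word lists the post refers to:

```python
import secrets
import string

# Constructed stand-ins for the "most common passwords" list and the cracking
# word lists mentioned in the post (real lists run to millions of entries).
COMMON_PASSWORDS = {"123456", "password", "admin", "qwerty", "letmein", "welcome1"}
DICTIONARY_WORDS = {"like", "this", "summer", "dragon", "football", "monkey", "secret"}

# Reverse the usual leetspeak substitutions so "L1K3 TH15" normalises to "like this";
# crackers apply exactly these rules, so leetspeak buys no real randomness.
LEET_MAP = str.maketrans({"1": "i", "3": "e", "4": "a", "5": "s", "0": "o",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # the LONG rule: 12+ characters


def normalise_leet(password: str) -> str:
    """Lowercase and undo leetspeak, e.g. 'L1K3 TH15' -> 'like this'."""
    return password.lower().translate(LEET_MAP)


def contains_dictionary_word(password: str, words=DICTIONARY_WORDS, min_len: int = 4) -> bool:
    """True if a real word of at least min_len letters appears in the de-leeted password."""
    text = normalise_leet(password)
    return any(w in text for w in words if len(w) >= min_len)


def check_clu(password: str, existing_passwords=()) -> list:
    """Return the CLU rules the password fails; an empty list means it passes.

    existing_passwords: the other passwords this person already uses (UNIQUE rule).
    """
    failures = []
    if password.lower() in COMMON_PASSWORDS or contains_dictionary_word(password):
        failures.append("COMPLEX")  # a real word (even in leetspeak) is not random
    if len(password) < MIN_LENGTH:
        failures.append("LONG")
    if password in existing_passwords:
        failures.append("UNIQUE")  # reuse lets one breach unlock every other account
    return failures


def generate_password(length: int = 16) -> str:
    """Build a random password from a CSPRNG, as a password manager would."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["admin", "L1K3TH15DR4G0N!", generate_password()]:
        print(pw, "->", check_clu(pw, existing_passwords=["admin"]) or "passes CLU")
```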
Yes, these password managers can present challenges and a possible weak point. Just this week LastPass announced a compromise. Not all compromises are the same though (more on this another time).
3 – One Site = One Container
I understand the temptation. You have an ‘unlimited’ web hosting plan and figure why not host your numerous sites on a single server. Unfortunately, this is one of the worst security practices I commonly see. Hosting many sites in the same location creates a very large attack surface.
For example, a server containing one site might have a single WordPress install with a theme and 10 plugins that can potentially be targeted by an attacker. If you host 5 sites on a single server, an attacker might now have three WordPress installs, two Joomla installs, five themes and 50 plugins as potential targets. To make matters worse, once an attacker has found an exploit on one site, the infection can spread very easily to the others.