Many Web admins fail to make websites secure because they simply don’t think about Internet security. A few simple measures can protect your website from brute force attacks and email account hacks that turn all the links on your website into spam ads, triggering Google’s dreaded “This site may be compromised” warning.
Hackers gain access to websites through a number of different pathways. They often employ sophisticated bot-nets and smart algorithms to try the most likely passwords first before moving on to an easier target. Strengthening your log-in password is a good start, but further measures are needed to protect any SSL payments or remote SSH access your site provides.
First Steps to Make Your Website Secure
A strong log-in password isn’t always enough. Many sites use two-step verification to remove any possibility that a user is actually a malicious third party. This method can be somewhat cumbersome to implement and use in practice, but many Web hosting services offer two-step verification plugins as a free feature of their service.
Two-step verification works by prompting users for log-in credentials and then verifying their account by sending an email or text message before allowing them to log in. If you need to tighten security beyond the standard server security updates or you don’t trust your Domain Name System, two-step verification can provide peace of mind.
Admins who log in to a server remotely use the Secure Shell (SSH) protocol, which the operating system configures on a standard port by default, according to RackAid. SSH protocols one and two are generally enabled by default, but protocol one opens up security vulnerabilities. You can avoid SSH attacks by changing the port number, disabling protocol one and disabling automatic root login. The process for editing these settings varies between operating systems, but on Linux the SSH configuration file is /etc/ssh/sshd_config.
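The three sshd_config changes described above (non-default port, protocol one disabled, root login disabled) can be checked mechanically. The following is an added example, not code from the original article or from RackAid; it reads only the global section of the file, and the function names and both sample configs are constructed for illustration.

```python
# Added example: audits sshd_config text for the three settings named above.
# Both configs are constructed samples; port 2222 is an arbitrary choice.
WEAK = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
"""

HARDENED = """\
Port 2222
Protocol 2
PermitRootLogin no
"""

def global_settings(text):
    """Map each lowercased keyword to its values in the global section."""
    # Keywords are case-insensitive; global settings end at the first Match block.
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        if keyword == "match":
            break
        settings.setdefault(keyword, []).append(parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return one finding for each setting that is still in its risky state."""
    s = global_settings(text)
    findings = []
    # Port may repeat (sshd then listens on every listed port); absent means 22.
    if "22" in s.get("port", ["22"]):
        findings.append("Port: sshd still listens on the default port 22")
    # For other keywords sshd uses the first value it reads. A missing Protocol
    # line is not flagged: current OpenSSH releases no longer support protocol 1.
    if "1" in s.get("protocol", [""])[0].replace(" ", "").split(","):
        findings.append("Protocol: protocol 1 is enabled")
    if s.get("permitrootlogin", [""])[0].lower() != "no":
        findings.append("PermitRootLogin: root login is not explicitly disabled")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

To check a real host, pass the contents of /etc/ssh/sshd_config to audit(); settings inside Match blocks are not examined.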
Further Steps to Make Your Website Secure
Linux, Mac and Windows servers all receive automatic updates on a regular basis. These patches fix security vulnerabilities as they’re discovered, but sometimes the weakness isn’t located on your server. Many hackers troll DNS services looking for a way to steal account information from hundreds of accounts all at once, according to Information Week. Before subscribing to a DNS, do your due diligence to ensure that it takes security seriously, and maintain a close relationship to stay updated on security measures.
Third-party Web hosting services, such as WordPress, Blogger, Joomla, Drupal and Tumblr, take care of security, updates and configuration as part of their service. Installing additional security plugins from the administrative dashboard is relatively simple, and most fully developed cloud services include a long list of such plugins.
Signing up for Google’s Webmaster Tools gives you insight into attempted malicious activity and warns you when an attack has been made on your site. If your site is attacked, you can request a review by Google after fixing the vulnerabilities that led to the attack, getting your site back up as quickly as possible.
Getting blacklisted by search engines can bring an online business to a standstill. Many Web admins don’t even know they’ve been blacklisted until they see their site from a visitor’s perspective in the search results. Taking the necessary steps to make your website secure prevents most attacks and makes resolving a security breach much simpler.