Contact

[email protected]
1 855 796 6269

Support

If you are an existing customer and in need of support, please reach us through our Ticket System available from your Client Area.

Our Blogs.
Wasim Ahmed

Wasim Ahmed

If your career has included developing or maintaining websites, you have most likely fallen victim to a security hack at least once. Like all network-connected devices, a website is equally prone to become a victim of malicious intentions. There are a lot of websites maintained by people who know very little about the inner workings of the site. They may possibly be bloggers or have simply created the site to share family photos. These ordinary sites are hacked on a regular basis. 

There isn't a single way to protect a site from all harm. This is a multi-step process using various tools and a strong knowledge of web security. Large companies with a big web presence have the budget to maintain their site 24/7 in order to protect the website. Most companies have not budgeted the time or money required to keep up with all possible intrusion attempts. This article is for the small company or day to day people who maintains their own site, specifically those sites based on Joomla and Wordpress. If you are reading this article, there is a good bet you are familiar with these two platforms. Both offer an excellent blogging platform and are capable of extending features using extensions and plug-ins. 

In this 'Part 1' article, we will delve into securing a site built in Wordpress and in the next article, 'Part 2', we will look at how to protect Joomla. Hopefully, through the steps, you will be able to better protect your site and maintain peace!

  1. Wordpress Security
  2. Choosing secure Web Hosting 
  3. Users and Passwords
  4. Login Security Questions
  5. Wordpress Updates
  6. Login Limitation
  7. Plugin for Security
  8. Configuring PHP
  9. Configuring Wordpress XML-RPC 
  10. Configuring Auto Logout

1. Wordpress Security

Wordpress has come a long way with regards to security in last few years. Over 60% of blogging sites globally are built on the Wordpress platform due to it's user friendliness and usability. As a result, it gets extra attention by hackers. Due to it's open source nature, there are hundreds of developers around the world scrutinizing Wordpress code to ensure it is secure. Extra plugins added to the site must really be watched. Most are made by 3rd party providers whose code may be closed source and may contain unsecured code. We will look at the best procedures you can employ to best protect your sites. As a general rule of thumb, try to use plugins from reputable providers.

2. Choosing Right Web Hosting

It is important to choose the right home for your website. A good web hosting provider will not only go out of their way to protect your site, but will share 'best security' practices so you can proactively take action. Don't just go with the cheapest web hosting platform you can find. Shop around and perform due-diligence. Ask them question about their service before you become their customer. Keep notes of their response level. If a hosting provider is not protecting their platform, your site in turn can be easily hacked by a neighboring site hosted on the same platform.

3. Users and Passwords

Follow strong user and password security procedures on your site. Add complexity restrictions for passwords on the site. Monitor the number of people with administrative privileges and maintain complexity rules for their passwords. Weak passwords are one of the most common reasons for site hacks. Add password expiry policies to the site as well. Changing passwords every 6 months is a good policy. Add extra layers of protection by having multiple passwords for multiple areas of the site. For example, Wordpress Admin Area, FTP, Hosting cPanel, Email accounts, Guest authors etc. Fine tune permission roles and assign only what is needed. Remember it is easier to grant rights than to take them away!

4. Login Security Questions

Security Questions are an additional layer of protection for logins. The user is required to know a unique answer to a question to pass the security layer. The answer should be something they alone will know. So if their password is compromised, no one will be able to login into Wordpress without answering the question correctly. 

5. Wordpress Updates

Wordpress is continuously patching security vulnerabilities. Through the release of updates those security holes are fixed. It is important to keep your Wordpress software up to date. One way to ensure this, is to add yourself in the Wordpress email notification lists. That way, when a new update is released you will be notified and you can schedule an update.

6. Login Limitation

By default, the settings on a new Wordpress site do not limit the number of times a user can attempt to login using a wrong password. A potential harmful user can try numerous passwords without interruption, attempting to guess the correct one. By enabling the limit we can reduce and restrict a hacker from continually trying to gain access, hopefully discouraging them continuing. 

7. Plugin For Security

If you are not very tech savvy, the simplest way to protect your site is to install security plugins. There are a  number of plugins available which will perform the security hardening work for you with just few clicks. One of the best recommended plugin to use is Sucuri

8. Configuring PHP

PHP file execution is a feature that is enabled by default and not needed by some Wordpress directories. By disabling this feature we can harden the Wordpress security. Simply copy/paste the following code into the .htaccess file and upload it to /wp-content/uploads folder.

<Files *.php>
deny from all
</Files>

9. Configuring Wordpress XML-RPC

XML-RPC enables your Wordpress site to connect with web and/or mobile apps. It is enabled by default after WordPress 3.5. XML-RPC can actually amplify the brute-force attacks. For example, by using XML-RPC, a hacker can use the system.multicall function to try many hundreds of password with a mere 15 or 30 requests. If this service is not needed for your site, it is wise to disable it completely.

10. Configuring Auto Logout

This is also known as idle time log out. When configured, Wordpress will automatically log out the user after the set time. This is very useful when the user must frequently leave their desk or they forget to sign out in a multi-user environment. 

In this article, Part 2 on website security, we are going to see how to protect a Joomla based site. Joomla shares a lot of common security practices with Wordpress, with few exceptions. Again, nothing will give you a 100% guarantee that your site will not get hacked, but these security practices should offer a good level of protection, making an intruder's attempts more difficult.

1. Masked Admin username

By default Joomla creates a username for administration purpose called "admin". Always change it to a "hard to guess" username. If the administrator name is not standard, it is much harder for an intruder as they must guess both the username and password, therefore dramatically reducing or preventing login attempts.

2. Use of Secret Key to Login

This concept allows administrator login through a very specific URL instead of the default. In this way, the login is protected from intruders. An extension program, like KSecure, adds a secret key which the administrator will have to enter after the regular URL in order to log in. The following is an example:

https://domain.com/administrator?ThisIsSecretKey

3. Joomla Backup

There is no substitute for making a regular backup when it comes to protecting digital data. If you have an up to date backup, you can always wipe and restore your hacked site. Use a reputable hosting provider who backs up your site regularly, such as Symmcom. Remember, your restored backup still contains the security vulnerabilities.

4. Update Joomla Regularly

Security vulnerabilities are continually being discovered in code and Joomla is no exception. However, they are extremely proactive to any security holes that could ruin your day, and do publish new releases on a regular basis. It is very important to be alerted when new releases are coming and actively update your Joomla site. Some hosting providers do offer free auto update as soon as new releases comes out. 

5. Use Search Engine Friendly (SEF)

Besides making your site more Search Engine Friendly, SEF also offers a level of protection. SEF masks some information which would have given an intruder clues about different components or extensions used in your site. You can enable SEF using the following steps:

  • Login into Joomla Control Panel.
  • Goto Site > Global Configuration.
  • Under tab Site, click Yes for SEF URLs.

6. Use Security Extensions / Firewall

Like Wordpress, there are many 3rd party extensions for security of Firewall options available for Joomla. This breed of firewall is also known as Web Application Firewall (WAF). The WAFs provides multi layer protection with just a few clicks of your mouse. The following are few protections these WAFs offers out of the box:

  • Protection against  SQL Injection
  • Login Protection
  • Joomla Specific Vulnerabilities
  • Backdoor Protection
  • Bot Protection

7. File / Folder Permissions

Always check files and folders to ensure they do not have incorrect permissions that would allow a hacker to upload malicious code files. All folders within your site must have proper CHMOD configured properly. Here are some good rule of thumb settings for checking permissions:

  • Configuration files = 644
  • PHP files = 644
  • All other folders = 755

8. Use Reputable Joomla Extensions

Always pay extra attention which extensions you are using in your site. Guard against always going for the free ones. Although some free Joomla extensions are really good, most are not coded properly and contain a lot of security vulnerabilities. You may have protected your Joomla core quite well, but one insecure extension can ruin it all and cause havoc. If your site is mission critical, try to find extensions from well known developers that have support available.  

Following these practices, your Joomla site will be better protected and you will be able to sleep well.