How To Keep Your Website Secure
This is a belated follow-on to my last blog post, How To Keep Your Computer Secure.
It was supposed to be posted a couple of weeks ago, but it’s the start of lambing time so I’m fairly tied up with that at present. I have, however, found a spare hour this morning to write it.
As a web host (amongst other things), we deal with hacked accounts on a daily basis, and anyone who’s ever fallen victim to this knows how much of a pain it can be to get a website back to normal after it’s been infected. So here are a few steps you can take to help stop the hackers getting access in the first place!
1. Keep Your Scripts Up To Date
This is the most common way for a hacker to gain access to your account: all it takes is one line of poorly written code and kablamo, the hacker can inject malicious code into your files.
That’s why it’s vital to keep everything up to date. Script updates don’t just contain new features; they also contain important security fixes.
Open source scripts such as Joomla, WordPress and OSCommerce are particularly vulnerable because, as the name suggests, the code is open source, so the hackers have access to all of it, making it very easy for them to go through and find anything that’s been badly written. Once a weakness is found, it spreads like wildfire across the message boards and leads to more infected websites.
So please, as soon as you see a new update available for any script you are using, download and install it. It’ll save you a lot of problems in the long run.
2. Remove Unused Scripts!
It seems obvious, but I know a lot of you don’t do it. (tut tut)
As I said before, all it takes is one line of badly written code for hackers to gain access to your account, so the more code you have uploaded, the more chance you have of being hacked.
It doesn’t matter if the code is uploaded to some obscure place, or belongs to a site that is no longer online: if the code exists on your account, the hackers will find it. So if you have any old scripts on your account that you are no longer using, delete them; leaving them there is asking for trouble.
3. Do You Really Need That Plugin?
As well as removing unused scripts, it would be a good idea to go through the scripts that you do use and get rid of anything that isn’t a fundamental part of your site.
Take WordPress plugins, for example. If you have a WordPress blog, go into the admin area and click on “Plugins”, and I’d bet there are a lot of inactive plugins on there. Why?
If you aren’t using a plugin, delete it from your webspace; all it’s doing is sitting there waiting for someone to find it. So make sure you get rid of any unused plugins and themes, and don’t make it easy for them 🙂
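As an added example (my own, not code from the post): a small Python audit that lists a WordPress install’s plugins from wp-content/plugins together with their Version headers, and flags the ones not present in the active_plugins option as deletion candidates. It assumes the standard plugin layout and a copy of the active_plugins value from wp_options; the directory tree and option value it uses are constructed for the demo.

```python
import os
import re
import tempfile

# Header fields WordPress reads from a plugin's main file; active_plugins entries look like s:19:"akismet/akismet.php"
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)
SERIAL_STR_RE = re.compile(r's:\d+:"([^"]*)"')

def parse_active_plugins(serialized: str) -> set:
    """Plugin paths (slug/file.php) listed in the PHP-serialised wp_options active_plugins value."""
    return set(SERIAL_STR_RE.findall(serialized))

def plugin_headers(plugins_dir: str) -> dict:
    """Map 'slug/file.php' -> {'name', 'version'} for every plugin main file found on disk."""
    found = {}
    for slug in sorted(os.listdir(plugins_dir)):
        slug_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(slug_dir):
            continue
        for fname in sorted(f for f in os.listdir(slug_dir) if f.endswith(".php")):
            with open(os.path.join(slug_dir, fname), encoding="utf-8", errors="replace") as fh:
                fields = dict(HEADER_RE.findall(fh.read(8192)))  # header block sits at the top
            if "Plugin Name" in fields:  # only files with a header are plugin entry points
                found[f"{slug}/{fname}"] = {"name": fields["Plugin Name"],
                                           "version": fields.get("Version", "unknown")}
    return found

def audit_plugins(plugins_dir: str, serialized_active: str) -> dict:
    """Split installed plugins into active, inactive (delete candidates) and missing."""
    active = parse_active_plugins(serialized_active)
    installed = plugin_headers(plugins_dir)
    return {"active": sorted(p for p in installed if p in active),
            "inactive": sorted(p for p in installed if p not in active),
            # named in the database but absent on disk: stale option or a tampered install
            "missing": sorted(active - installed.keys())}

def build_sample() -> str:
    """Constructed wp-content/plugins tree for the demo; not a real site."""
    root = tempfile.mkdtemp()
    for path, (name, ver) in {"akismet/akismet.php": ("Akismet", "4.0"),
                              "old-gallery/gallery.php": ("Old Gallery", "1.2")}.items():
        os.makedirs(os.path.join(root, os.path.dirname(path)))
        with open(os.path.join(root, path), "w") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
    return root

SAMPLE_ACTIVE = 'a:1:{i:0;s:19:"akismet/akismet.php";}'  # constructed wp_options value
print(audit_plugins(build_sample(), SAMPLE_ACTIVE))
```

On a live site, point `audit_plugins` at the real wp-content/plugins directory and paste in the active_plugins value from wp_options; anything under "inactive" is what section 3 tells you to delete, and the versions let you compare against the current releases for section 1.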
4. Use SFTP
SFTP stands for Secure File Transfer Protocol (it runs over SSH) and works in the same way as standard FTP, but with SFTP all commands and data are encrypted.
Here’s a graphical example of Pete the packet sniffer stealing your FTP password “sexybeast4321”:
As you can see, the password is sent in plain text, meaning Pete now has your password.
Now compare that to if you were using SFTP:
You can see that the password is now encrypted, meaning Pete can’t get access to your details.
So, How Do You Use SFTP?
Most FTP clients now support SFTP, and it’s just a case of selecting SFTP as the protocol instead of standard FTP. Here’s what it looks like in CuteFTP Pro:
There are bazillions of FTP clients out there, so it’s impossible for me to show you how to set it up in every one of them. If you look in the help files for your FTP client and search for “SFTP” you should be able to find what you need, and as always, Google is your friend for things like this.
One final thing you’ll need to know is the SSH/SFTP port of your web server. To find this you can either contact your host, or, if you are using a cPanel based account, log into your cPanel, click on “FTP Accounts” > “Configure FTP Client” and you’ll see the port listed on that page.
If you follow those 4 steps you should minimize the risk of your account being hacked. It won’t turn your account into Alcatraz, but it will go a long way to securing it. Most of it is down to regular maintenance of your scripts; SFTP adds an extra level of security, but if you have insecure scripts on there, it’ll do no good.
There’s also the obvious things like changing your cPanel/FTP password at regular intervals, but I’m sure you all do that anyway 😉
Even after this, there’s still a chance of getting hacked, so what do you do if you get hacked?
Contact Your Host
It may be possible to restore your account from a backup, so contacting your host right away is a good course of action. If they can restore to a point before the hack, it gives you time to go in and clean up the old scripts that allowed the hackers to gain access.
If there are no clean backups available, then unfortunately there’s nothing for it but to clean out the infected files manually. If you have a copy of your sites on your computer (which you really should have), you may find it quicker to delete the site on your web space and re-upload it from the copy on your computer.
You should also take into account that when hackers do get access to your site, they won’t just infect the website they gained access through; they’ll infect everything on your account. So even if you have 1 bad WordPress installation and 10 good ones, the 10 good ones will be infected as well.
So to minimize this you can get yourself a reseller account and run each domain in its own cPanel, meaning if a site does get hacked, you only have 1 site to clean up, not every site you’ll ever run. In general you’ll find reseller accounts are only a few dollars more than what you are currently paying, so it’s well worth the upgrade, if only for the peace of mind it’ll bring you.
I think that covers everything, I hope I haven’t scared you too much 🙂
If you have any questions, or any other security measures that you use, please feel free to bombard the comments section.
Regards,
Dan
Hi guys,
Dan you have scared me just a little bit. But it’s very important that we try to keep our passwords safe.
Kind regards,
Sam
Hi Dan,
Thank you for the post I have been waiting!!! 😛 Only kidding! 😆
So I guess the sheep are going well??
Re the reseller account. I have been thinking about that one for a while and now that you mention the benefits with the security factor I am seriously thinking about it even more.
Do you know if you are able to do a secure transfer with FileZilla?
Hope all is going well.
Cheers
Jacinta 😀
Hi Jacinta,
The latest version of FileZilla does support SFTP; if you go to the site manager, you can select SFTP from the server type drop-down.
Hi Dan,
This is excellent information…thank you so much! Like Jacinta, I am considering a reseller account with you guys…now I am really considering it 😉
I will also look into that SFTP with FileZilla.
Thanks for the heads up Dan…
Kathy
Hi Kathy,
Just give us a shout if you need more info on a reseller acct.
/waves back
Hey Dan
I would like to thank you for this post, but I can’t!
That image of packet sniffer Pete really gave me the creeps lol.
Great post, you really are an expert with all things hosting related.
Hope you have lots of little healthy lambs bouncing about the fields.
Sally 🙂
Hi Sally,
I actually know a few people that look like Packet Sniffer Pete, they give me the creeps as well, lol.
I’ll have to go all girly and take some lamb pictures for the next blog post!
Thanks for the eye-opener Dan on what we should be doing to keep our websites safe.
I always knew you had to make sure your WordPress blog was the latest release, but never even thought of plug-ins that are not in use.
Also it’s probably best not to leave any old WordPress themes on your blog that are not in use either, and always make sure they’re from a reputable source.
Thanks Dan
Dawn Kay
Hi Dawn,
Plug-ins can actually be a lot worse than the core WordPress code. You can be fairly sure that most of the core WP code has been written to a high standard, but with the plug-ins you have no real knowledge of where they came from or who wrote them, so it’s always a risk, especially if you are using an obscure, untested plug-in.
Dan
Does direct uploading within cPanel use SFTP?
Zoe
Hi Zoe,
That’s a very good question. It won’t use the SFTP protocol, but I’d imagine if your hosting provider is using a secured (via SSL) version of the cPanel then you’ll be encrypted.
You’ll be able to see if you’re on an insecure or secure version of the cPanel by looking for the padlock icon in your browser.
But that’s just educated guess work, I can honestly say I’ve never given it any thought, nor done any research into it.
Thanks Dan
Thanks for your quick reply
Will check for that scroll lock
Zoe
Ooops
Just now seen my typo
You and your readers know I meant to say padlock icon!! 😉
Sorreee
Zoe
Hi Dan,
Good post, although on my FileZilla I had no public_html or www folder, which caused a problem I had with uploading. You know me, still a learner. I deleted it but am going to reinstall.
I will look into the reseller account.
Make sure you look after these sheep and good luck with the lambing.
Donald
Hi Donald,
If you’ve deleted your public_html and www directory then your site won’t load, so if you contact your host (us) you’ll need to see if we have a backup available that we can restore for you.
Donald
Hey, you’re not alone!
I too deleted my public_html AND www and got it restored just as Dan advises
Well you got to start somewhere eh?
Zoe
Hi Dan,
Thanks for sharing this. While we’re busy making money online, we sometime forget the most important portion of our internet business – security!
Thanks for reminding us. 🙂
Hi Dan.
Some very useful information. Thanks for this post.
Hi Dan,
How did you get that pic of me before the weight and hair fell off, lol?
Seriously, I didn’t fully understand the issue in a tech sense, but it’s something I need to look into. First off I’ll update my FileZilla edition. Anyway, cheers for that….Ed.
Do you always work out as a teacher?
It’s quite common, I’m either wearing no top and the fancy cap, or my YMCA builders outfit.
Hi Dan
I love reading blogs and comments and about moi. You have certainly come a long way. You have some very good information here. Well done!
As you can see my name is Sue McDonald and I live in Australia. I started in IM only last August and hence I am trying to learn as much as I can because I want to succeed.
I have signed up with a new coach/mentor in Internet Marketing and I would like you to follow me on my journey. Just go to http://sue-mcdonald.com and read some of my blogs. Feel free to leave a comment if you like.
I had to do the newbies course before I can do the advanced, but I have signed up for both. I have so much knowledge already and didn’t want to waste what I had learnt.
Thanks in advance
Sue
Hello Dan,
I didn’t know elpasso was you!! I have seen your name (elpasso) on a few super affiliates emails and sure didn’t realize you were Dan from JT Masterclass Support!! =)
Now I do!
I just wanted to say you have an awesome blog here. I have been surfing around in it for about an hour now! Getting lost in all the info! Your information on this blog is amazing!
Thank you and I am seriously thinking about D9 hosting because of you and Paula!
Y’all ROCK!
Lisa~
Hi Lisa,
Welcome to the blog, it’s a small world 😉
Lisa,
Trust me, I have been online for nearly 3 years and I have used D9 Hosting from the start, and due to the number of sites I have and the fact that I need to protect my eBay Affiliate account I also have 3 other hosting accounts, and not one of those even comes close to the quality service I receive from D9.
Dan and Paula are TERRIFIC and I should know as I have my share of support tickets, but never once have they made me feel as though I was being a pain in the neck with my myriad of problems.
I just want to take this opportunity to give a big SHOUT OUT for D9 Hosting and Dan and Paula. They are terrific people and I would never give up my D9 Account.
Thanks Dan and as a retired professional boxer turned personal trainer, as we always say in my gym “Keep Lifting.”
Sincerely,
Howard
PS. Every one of my sites is now upgraded completely and I feel so much better.
Hi Howard,
Thanks for the kind words, I’ll send you the £20 😉
Just kidding, the above wasn’t solicited in any way but it’s certainly appreciated.
@Lisa – Just re-read your original post and I’m not actually Dan from the Masterclass helpdesk, that’s Dan Sumner…..too many Dans!
I’m having to kind of agree about the description and keywords having little if any weight. I have two sports related “fishing” sites. They are almost identical, products are different, both geo-specific targeted. One has keywords and a description, the other none. Both fluctuate between 1 and 7 in position on page 1 of Google. I think I’m going to switch the sites, as far as listing keywords and descriptions goes: just reverse them and track the changes, if any.