Upload
aleksander-kuczek
View
144
Download
0
Embed Size (px)
Citation preview
5 things you can do in less than 30 minutes to increase website security
30,000websites are hacked every day
80%websites are susceptible to hacking because
they run outdated version of WordPress or Joomla
1.Change Password & Improve Authentication
List of the most popular passwords in the Internet according to splashdata.com
Secure Password
Example password Easy to remember? Hard to guess?
123456 YES NO
VVW^kv7xEUk5fd&GV1uA#R NO YES
Better to be safe than sorry!!! YES YES
Two Factor Authentication
Two Factor Authentication is an extra layer of security that requires not only a password and username but also something that only user has on them - such as a physical token.
WordPress: plugins available such as Rublon or Two-Factor Authentication Plugin
Joomla: build-in support for Google Authenticator and YubiKey
Other precautions
Introduce basic authentication on HTTP
Limit backend access to certain IP
Require HTTPS/HSTS connection
Manage multiple passwords using a password manager (LastPass, OnePassword)
2.Install Firewall & Malware Scanner
Web Application Firewall
Web Application Firewall protects website against the vast majority of common attacks.
WordPress: Sucuri, CloudFlare
Joomla: Admin Tools, Sucuri, RS Firewall
Malware Scanner
Malware scanner is a tool that check website files against a known list of malwares and alerts you on any modifications.
WordPress: Sucuri, iThemes Security
Joomla: Admin Tools, Sucuri
Once website security is compromised every installed security software can be compromised as well.
3.Schedule Backups
Backup frequency
Backup is a complete copy of a website including code, images (and other media files) and database that can be used for restoration at any time.
Every website should be backed up regularly. Recommended backup frequency depends on frequency of changes on a website. In most cases it’s something between 1 and 30 days.
Backup storage
Backup stored on the same server is not a backup.
If a website is hacked, backups can be hacked/deleted/encrypted as well.
If a website is lost due to server malfunction, backups are lost as well.
In Perfect Dashboard we recommend to store backups either in our cloud, on AWS or on any other external disk space.
Backup integrity
You don’t have a backup unless it can be used for restoration.
According to Perfect Dashboard statistics 1 out of 10 backups fails integrity testing. The most popular reasons are:
error while creating backup archives
error while copying backup archives over the Internet
Here’s how we do integrity testing in Perfect Dashboard.
4.Get Rid Of Dangerous Extensions & Themes
Every extension or theme is a potential backdoor
Thousands of security bugs are discovered in extensions & themes every year. This covers both free & commercial versions (sometimes very popular ones). That’s why you need to be always ready for updates.
Check if developer use default updater to inform about security releases.
Check if developer require additional payment for accessing updates.
Source matters
Even a trusted extension from untrusted source is a potential security threat.
4 years ago we have discovered that our Perfect Contact Form distributed on torrents had a malware injected into the code. So even the extension itself never had any security issues, those users got hacked. Full story: https://www.perfect-web.co/blog/67-perfect-ajax-popup-contact-form-free-download-torrent-virus
Replace extensions / themes from untrusted source with secure ones.
Get rid of unused extensions & themes
No matter you use them or not they are still a potential security threat.
That’s why removing such extensions & themes is beneficial. Not to mention it also may increase performance of a website and decrease a backup size.
WordPress: Remove all unused Themes, Plugins & Widgets
Joomla: Remove all unused Components, Modules (not the instances), Plugins & Templates
5.Keep software up-to-date
What needs to be updated
Server software (often even on shared hosting)Apache / NGINX
PHP (5.5 or higher)
MySQL (5.5 or higher)
CMS
Extensions / Themes
Course of conduct
1. Find out that there is an update required
2. Back up
3. Verify backup integrity
4. Download update files (optionally)
5. Update
6. Test website after the update
7. Fix errors after the update (optionally)
1. Use Perfect Dashboard
2. Fix errors after the update (optionally)
Q&A