5 things you can do in less than 30 minutes to increase website security

30,000 websites are hacked every day

80% of websites are susceptible to hacking because they run an outdated version of WordPress or Joomla

1. Change Password & Improve Authentication

List of the most popular passwords on the Internet according to splashdata.com

Secure Password

Example password | Easy to remember? | Hard to guess?
123456 | YES | NO
VVW^kv7xEUk5fd&GV1uA#R | NO | YES
Better to be safe than sorry!!! | YES | YES

Two Factor Authentication

Two Factor Authentication is an extra layer of security that requires not only a username and password but also something that only the user has on them, such as a physical token.

WordPress: plugins available such as Rublon or Two-Factor Authentication Plugin

Joomla: built-in support for Google Authenticator and YubiKey

Other precautions

Introduce HTTP basic authentication

Limit backend access to certain IP addresses

Require HTTPS/HSTS connection

Manage multiple passwords using a password manager (LastPass, 1Password)

2. Install Firewall & Malware Scanner

Web Application Firewall

A Web Application Firewall protects a website against the vast majority of common attacks.

WordPress: Sucuri, CloudFlare

Joomla: Admin Tools, Sucuri, RS Firewall

Malware Scanner

A malware scanner is a tool that checks website files against a known list of malware and alerts you to any modifications.

WordPress: Sucuri, iThemes Security

Joomla: Admin Tools, Sucuri

Once a website's security is compromised, any installed security software can be compromised as well.
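
The two checks a malware scanner performs, comparing files with a list of known-bad hashes and reporting modifications against a trusted baseline, are shown below. This is an added example, not code from any of the products named above; the function names and the `cache/` ignore prefix are assumptions.

```python
import hashlib
from pathlib import Path

IGNORE_PREFIXES = ("cache/",)  # assumption: directories expected to change

def snapshot(root, ignore=IGNORE_PREFIXES):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and not rel.startswith(ignore):
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result

def scan(root, baseline, known_bad=frozenset()):
    """Compare the site with a trusted baseline and a set of known-bad hashes.

    Keep `baseline` off the web server: a compromised site can rewrite
    anything stored next to it, including the scanner's own data.
    """
    current = snapshot(root)
    findings = []
    for rel, digest in current.items():
        if digest in known_bad:
            findings.append(("known-malware", rel))
        elif rel not in baseline:
            findings.append(("added", rel))
        elif baseline[rel] != digest:
            findings.append(("modified", rel))
    # Files that were in the baseline but no longer exist on disk.
    findings += [("removed", rel) for rel in baseline if rel not in current]
    return sorted(findings)
```

Take the baseline with `snapshot()` right after a clean install or a verified update, and run `scan()` from a scheduled job that reports any non-empty result.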

3. Schedule Backups

Backup frequency

A backup is a complete copy of a website, including code, images (and other media files) and the database, that can be used for restoration at any time.

Every website should be backed up regularly. The recommended backup frequency depends on how often the website changes. In most cases it’s something between 1 and 30 days.

Backup storage

A backup stored on the same server is not a backup.

If a website is hacked, backups can be hacked/deleted/encrypted as well.

If a website is lost due to server malfunction, backups are lost as well.

At Perfect Dashboard we recommend storing backups either in our cloud, on AWS or on any other external disk space.

Backup integrity

You don’t have a backup unless it can be used for restoration.

According to Perfect Dashboard statistics, 1 out of 10 backups fails integrity testing. The most common reasons are:

error while creating backup archives

error while copying backup archives over the Internet

Here’s how we do integrity testing in Perfect Dashboard.
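
One way to test a backup for the two failure causes listed above, as an added example (this is not Perfect Dashboard's integrity test): compare the archive's SHA-256 with the value recorded when it was created, read every member in full, and confirm the expected content is present. The archive layout in `REQUIRED` and all function names are assumptions, and `make_sample_backup` builds constructed sample data.

```python
import hashlib
import io
import tarfile
import zlib

# Assumed archive layout for this example: site code plus a database dump.
REQUIRED = ("site/index.php", "db/dump.sql")

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large archives do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_backup(archive, expected_sha256, required=REQUIRED):
    """Return a list of problems; an empty list means the archive passed."""
    problems = []
    # Catches damage in transit: compare with the hash recorded at creation.
    if sha256_file(archive) != expected_sha256:
        problems.append("checksum mismatch")
    names = set()
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar:
                names.add(member.name)
                if member.isfile():
                    # Read every byte so a truncated member fails here,
                    # not during an emergency restore.
                    stream = tar.extractfile(member)
                    while stream.read(1 << 20):
                        pass
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc}")
    # Catches a backup job that finished but skipped content.
    problems += [f"missing from archive: {n}" for n in required if n not in names]
    return problems

def make_sample_backup(path, files):
    """Build a small constructed .tar.gz (sample data, not a real site)."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return sha256_file(path)
```

Record the digest on the machine that creates the archive and run `verify_backup` on the copy in external storage; a readable archive is still only a partial check, so restoring to a scratch environment remains the final test.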

4. Get Rid Of Dangerous Extensions & Themes

Every extension or theme is a potential backdoor

Thousands of security bugs are discovered in extensions & themes every year. This covers both free & commercial versions (sometimes very popular ones). That’s why you always need to be ready for updates.

Check whether the developer uses the default updater to announce security releases.

Check whether the developer requires additional payment for access to updates.

Source matters

Even a trusted extension from an untrusted source is a potential security threat.

4 years ago we discovered that our Perfect Contact Form distributed on torrents had malware injected into the code. So even though the extension itself never had any security issues, those users got hacked. Full story: https://www.perfect-web.co/blog/67-perfect-ajax-popup-contact-form-free-download-torrent-virus

Replace extensions / themes from untrusted sources with secure ones.

Get rid of unused extensions & themes

Whether you use them or not, they are still a potential security threat.

That’s why removing such extensions & themes is beneficial. Not to mention that it may also increase the performance of a website and decrease the backup size.

WordPress: Remove all unused Themes, Plugins & Widgets

Joomla: Remove all unused Components, Modules (not the instances), Plugins & Templates

5. Keep software up-to-date

What needs to be updated

Server software (often even on shared hosting)

Apache / NGINX

PHP (5.5 or higher)

MySQL (5.5 or higher)

CMS

Extensions / Themes

Course of conduct

1. Find out that there is an update required

2. Back up

3. Verify backup integrity

4. Download update files (optionally)

5. Update

6. Test website after the update

7. Fix errors after the update (optionally)

1. Use Perfect Dashboard

2. Fix errors after the update (optionally)

Q&A