This article was originally published exclusively for subscribers to our free weekly newsletter.
Issues surrounding the security of websites are not always well understood by their owners. What is a “secure” site and what are the dangers if yours does not come up to scratch?
Here are the two most important precautions you must take:
- Take regular backups. Whatever bad might happen to your site, whether it’s a server hardware failure, an attack by hackers or a software bug, your chances of a swift recovery will be greatly increased if you take sensible precautions against data loss. That means taking backups. Exactly what needs to be backed up, and how often, will vary depending on the nature of the site but one rule always holds: keep your data safe and separate.One of the things that distinguishes one hosting service from another is the quality of the backup services available. A question you should ask of any hosting provider is whether it is possible to backup your website automatically to a remote location. They may not offer such a service themselves but they should not make it impossible.
- Use strong passwords. Typically there will be a number of passwords associated with your website. You might have one for your hosting account, another for FTP access, a third for administration of your content management system and so on. All these passwords should be strong – meaning they should be hard to guess. Check password strength with this handy online tool from Microsoft.Keep your passwords safe. Don’t write them on post-it notes which you stick to your monitor! Consider using a program like KeePass to manage your passwords more safely.
If your website includes software components such as a blog, guest book, contact form or shopping cart, consider taking professional advice as to the security of your site. Poorly written software may expose your site to attack by hackers. Whether your site is large or small, prominent or obscure, it does not matter: many such attacks are carried out by automatic programs called “bots” which are simply looking for an opportunity to deface web pages or add malicious code to them.
One of the advantages of popular open source programs like Drupal and WordPress is that any weaknesses are generally quickly addressed once found. The downside is that their very popularity makes them a prominent target, which is why the precautions I cover in the following sections are so important.
A default WordPress installation will leave several security holes open. One area of particular concern is that it exposes information about the software you have installed. This being open makes you more vulnerable because many automated attacks work by first probing to see if some particular code is installed and then – if it is – trying an exploit which takes advantage of a known weakness in it.
Here’s some advice about how to strengthen your WordPress site:
- Keep your installation up-to-date. WordPress will tell you when new releases become available for the core software and plugins you have installed. To get new security fixes you should always update WordPress to the latest release, and in order to ensure compatibility you’ll often need to upgrade plugins at the same time. Before making an upgrade take a full backup of all files and the database.The bad news is that sometime a plugin will fail to upgrade successfully, so there’s always the chance you may need to roll back the update by restoring from your backup, before consulting an experienced WordPress technician to find a solution to your upgrade problems.
- Install the WP Security Scan plugin. This excellent plugin will identify where the most prominent holes are in your installation’s security and suggest remedies. To take the appropriate corrective actions may require some technical know-how, but can be carried out very quickly by anyone with the right skills.
- Install the AskApache Password Protect plugin. This plugin provides a number of measures to protect your installation, although it won’t always work fully in every environment so take a backup before trying each of its many options: handle with care.
Drupal security is taken very seriously and there’s a team of people dedicated to its continuous improvement. Here’s my top tips for making sure your Drupal installation stays safe:
- Use the Update Status module. From Drupal 6 onwards this is a core module, but it still needs to be activated. Update Status will tell you when new releases of Drupal and the modules you have installed become available. Since the fixes in new releases may be security-related, this is a very useful tool indeed.
- Subscribe to the Drupal security announcements mailing list. Whenever a new security fix is released for the Drupal core or contributed modules, it is announced here.
- Check user settings. Go to Administer -> User Management -> User Settings and make sure the settings for user self-registration are appropriate for your needs. Also, go to Admin -> User Management -> Roles and check the permissions for each role very carefully, paying particular attention to the anonymous and authenticated users roles.
- Check input settings. Go to Administer -> Site Configuration -> Input Formats and make sure the settings for input filtering are appropriate for your needs. Never allow anyone who is not a trusted administrator to input PHP or Full HTML, and limit the tags that can be entered by users as much as possible.
- Check error reporting. Go to Administer -> Site Configuration -> Error Reporting and ensure that the error reporting setting is “write errors to the log”, NOT “write errors to the log and to the screen”. (The latter setting should only be used during site development).
- Check your logs. Go to Administer -> Logs -> Recent Log Entries every day and look for suspicious entries. Bring any that you find to the attention of your developer or friendly technical expert.