1. Keep your CMS and plug-ins Updated.
Whether your website was built from scratch by your development team or you chose to create a personal site on a third-party turnkey platform, as a site owner it’s your job to ensure that every piece of software you run is up to date.
CMS providers like WordPress, Joomla trying to plug any holes in their systems and release regular patches and updates that make their software less vulnerable to attacks. Ensure that you run these updates and have the latest version supporting your site at any given point in time.
If your site uses third-party plugins, keep track of their updates and ensure that these are updated on time as well. Often, many sites include plugins that fall into disuse over time. Clean out your website of any unused, old and non-updated plugins — they are sitting ducks for hackers to be used as a gateway to enter your site and wreak havoc on it.
2. Use Strong Passwords, Change Regularly.
Make sure your password is a combination of alphanumeric characters, symbols, upper and lower-case characters and is at least 12 characters long to prevent brute force attacks.
Do not use the same password for all your different website logins. Change your passwords regularly to keep them doubly secure. Store users’ passwords in encrypted form. This ensures that even if there is a security breach, attackers do not get their hands on actual user passwords.
And make sure everyone who has access to your website has similarly secure passwords. Institute requirements concerning length and the type of characters that people are required to use, so they have to get more creative than going with the standard, easy passwords they turn to for less secure accounts.
One weak password within your team can make your whole website more vulnerable, so set expectations for everyone who has access and hold yourself to the same high standard.
3. Make Admin Directories Tough to Spot.
An ingenious way a hacker can gain access to your site’s data is by going straight to the source and hacking into your admin directories.
Hackers can use scripts that scan all the directories on your web server for giveaway names like ‘admin’ or ‘login’ etc. and focus their energies on entering these folders to compromise your website’s security. Most popular CMS’s allow you to rename your admin folders to any name of your choice. Pick innocuous sounding names for your admin folders that are known only to your webmasters to reduce the possibility of a potential breach.
4. Build Layers of Security Around Your Site.
A Web Application Firewall is your first line of defence. These solutions are designed to inspect incoming traffic, provide and weed out malicious requests, offering protection from SPAM, brute force attacks, SQL Injections, Cross Site Scripting and other threats.
5. Switch to HTTPS.
HTTPS (Hyper Text Transfer Protocol Secure) is a secure communications protocol that is used to transfer sensitive information between a website and a web server. Moving your website to the HTTPS protocol essentially means adding an encryption layer of TLS (Transport Layer Security) or SSL (Secure Sockets Layer) to your HTTP making your users’ and your data extra secure from hacking attempts.
6. Error messages.
Be careful with how much information you give away in your error messages. Provide only minimal errors to your users, to ensure they don’t leak secrets present on your server (e.g. API keys or database passwords). Don’t provide full exception details either, as these can make complex attacks like SQL injection far easier. Keep detailed errors in your server logs and show users only the information they need.
7. Change your database table prefix.
If your website uses a blog or forum script, you can change the default database table prefix. For example, a WordPress blog carries the table prefix “wp.” If you change your table prefix, hackers will have a harder time getting data from your website.