Best practices for securing a Content Management System
Making your website secure and keeping it that way is highly important; it helps prevent your website being hacked and your data being leaked. Most users run a common content management system (CMS) such as Joomla or WordPress, and because these platforms are so widely deployed they are constantly targeted by attackers. Here are some tips for keeping things secure.
This is a basic rundown of what you can do to keep yourself secure. It’s not foolproof, but it goes a long way to help.
It’s essential that you update, update and update!
Keep on top of your updates! This is the single most important part of remaining secure. The WordPress and Joomla teams are constantly patching security flaws in their software, and once a patch is released the flaw it fixes becomes public knowledge and attackers start scanning for sites that have not applied it, so update immediately when a patch is released.
Plugins and Themes
A plugin or theme is so frequently the cause of a website hack that you need to use them with care:
- Choose the plugins and themes you use carefully: look them up before you install them to make sure a) they are still maintained and receiving updates and b) there are no unpatched known vulnerabilities. An abandoned plugin will never receive a fix.
- Only keep the plugins and themes you actually use installed. If you have any unused plugins or themes lying around, remove them: a deactivated plugin's files are still on the server and may still be reachable by an attacker.
- Keep everything that is installed up to date, always.
Choose your passwords carefully: use a mix of upper and lowercase characters, numbers and, where possible, symbols, and favour length over cleverness. Treat 8 characters as the bare minimum and prefer a long passphrase. Use a different password for every site and account, store them in a password manager rather than in plain text anywhere, and change a password straight away if you have any reason to think it has been exposed. Never share passwords with untrusted people, particularly via email or IM.
Run a virus/malware scanner on your computer. A strong password is no use if your computer is infected with a keylogger: every keystroke, including that password, ends up with the attacker. Scan your computer regularly and keep the scanner's definitions current.
Your WordPress, Joomla, Drupal or other CMS comes with an administrator account; we recommend changing its username if the CMS allows it. Avoid admin or administrator and pick something less obvious, so that brute-force login attempts have to guess the username as well as the password. Treat this as a speed bump rather than a fix: WordPress, for example, can reveal usernames through author archive links and its REST API, so a renamed account still needs a strong password and, ideally, an IP restriction on the login area.
If possible, consider using a .htaccess "deny all" rule to block access to the admin areas of your website, allowing only your own IP address through. This is not feasible for everyone (for example if you administer the site from a changing IP address), but it is a good option if it is available to you.
Do not leave any files or directories chmodded to 777 (world-writable); if you are unsure what this means you can simply run the Permissions Fixer within your VIPControl. Furthermore, set your WordPress config file (wp-config.php) or your Joomla config file (configuration.php) to a chmod of 600 so that other accounts on the server cannot read the database credentials it contains, and apply the same rule to the configuration files of other CMSs.
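The following POSIX shell script is an added example covering the two steps above (restricting the admin area by IP and fixing permissions); it is not code from the original article or from VIPControl. It assumes Apache 2.4 with .htaccess overrides enabled, an admin directory called wp-admin (WordPress) or administrator (Joomla), a config file called wp-config.php or configuration.php, and a single trusted IP address; the sample paths and the address 203.0.113.5 are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: hardening helpers for a CMS
# document root. Assumptions (not stated on the page): Apache 2.4 with
# .htaccess overrides enabled; the admin directory is wp-admin or
# administrator; the config file is wp-config.php or configuration.php.

# Write a .htaccess into the admin directory that allows only ALLOWED_IP.
# Every other client gets 403 Forbidden from Apache before any PHP runs.
write_admin_htaccess() {
  admin_dir="$1"
  allowed_ip="$2"
  cat > "$admin_dir/.htaccess" <<EOF
# Only the listed address may reach this directory (Apache 2.4 syntax)
Require ip $allowed_ip

# WordPress only: front-end plugins call wp-admin/admin-ajax.php, so that
# one file stays reachable for everyone. Harmless if the file does not exist.
<Files "admin-ajax.php">
    Require all granted
</Files>
EOF
}

# Count world-writable entries under a directory (every 777 entry is one).
count_world_writable() {
  find "$1" -perm -0002 | wc -l | tr -d ' '
}

# Reset world-writable directories to 755 and files to 644, the normal
# permissions for a PHP site. Nothing on a site needs to be writable by
# every account on the server.
fix_world_writable() {
  find "$1" -type d -perm -0002 -exec chmod 755 {} +
  find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Make the config file readable and writable by its owner only (600), so the
# database password inside it is hidden from other accounts on the host.
lock_config() {
  chmod 600 "$1"
}

# Print a file's mode in octal; GNU stat first, BSD/macOS stat as fallback.
mode_of() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Usage: ./harden.sh /var/www/html wp-admin 203.0.113.5 wp-config.php
if [ "$#" -eq 4 ]; then
  docroot="$1"; admin="$2"; ip="$3"; cfg="$4"
  echo "World-writable entries before: $(count_world_writable "$docroot")"
  fix_world_writable "$docroot"
  lock_config "$docroot/$cfg"
  write_admin_htaccess "$docroot/$admin" "$ip"
  echo "World-writable entries after: $(count_world_writable "$docroot")"
  echo "$cfg mode: $(mode_of "$docroot/$cfg")"
fi
```

Two caveats before running this on a live site. The 600 mode on the config file only works when PHP executes as the file's owner (the usual setup on shared hosting with per-account PHP handlers); if PHP runs as a separate web-server user, 600 will lock the site out of its own configuration. And for WordPress the login form is wp-login.php in the site root, not inside wp-admin, so brute-force attempts against it need a matching `<Files "wp-login.php">` block with the same `Require ip` rule in the root .htaccess.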
Taking backups doesn't stop you being hacked, but it gives you a fallback if you are. If you are hacked, for whatever reason, a backup lets you restore your website to a functional state from before the hack. It is then absolutely critical that you identify how you were hacked in the first place and fix that weakness, otherwise restoring the backup simply restores the hole and the hack will be repeated. Keep several dated backups and store them somewhere other than the web server itself, so that a compromise of the server does not also destroy your only copy.