Keeping a website secure can be difficult. There are many factors that can lead to a website compromise, not all of which are related to the server itself or the hosting company the website is with. Here we will cover some of the things that you can do to mitigate the risk as much as possible.
Use secure passwords
There are a few basic guidelines for making a secure password: use a minimum length of 15 characters, use a mix of character types, and choose the characters at random. We recommend using a generator such as strongpasswordgenerator.com to ensure your password meets these minimum best practices.
Use unique passwords
Once you have a secure password, you should never reuse it for another account. This will protect you if the password itself is compromised, either through the contents of a database becoming public knowledge or through guessing of the password itself.
If you even suspect that one or more of your passwords have been compromised, it is highly recommended to change them. This goes hand in hand with not reusing your password, as you will only need to change it in one location.
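The two password guidelines above can also be checked locally rather than through a web page. The following is an added example, not code from Crucial: it generates a password from the operating system's secure random source, checks a password against the 15 character minimum and character mix, and lists accounts that share a password. The function names and the sample accounts are assumptions made for illustration.

```python
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 15  # minimum length given in the guidelines above
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def meets_guidelines(password):
    """True if the password is long enough and mixes all character classes."""
    if len(password) < MIN_LENGTH:
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length=20):
    """Draw characters from the OS CSPRNG until every class is present."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES)
    while True:
        # Rejection sampling keeps the result uniform over compliant passwords.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_guidelines(candidate):
            return candidate


def find_reuse(accounts):
    """Return groups of account names that share one password."""
    by_password = defaultdict(list)
    for name, password in accounts.items():
        by_password[password].append(name)
    return sorted(sorted(names) for names in by_password.values()
                  if len(names) > 1)


if __name__ == "__main__":
    # Constructed sample data: account names and passwords are made up.
    sample = {
        "cpanel": "Tr0ub4dor&3",
        "wordpress-admin": "Tr0ub4dor&3",
        "ftp": generate_password(),
    }
    for name, password in sample.items():
        print(name, "ok" if meets_guidelines(password) else "too weak")
    print("reused across:", find_reuse(sample))
```

Run the reuse check only on a machine you trust, and feed it from a password manager export rather than a file of passwords kept on disk.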
Use SSL for pages accessed by password
If you are not using SSL on pages that contain sensitive data or are accessed using a password, then this data is at risk of being compromised. SSL ensures that the data is transmitted from the client computer to the server using encryption. This prevents anyone from being able to see the data in clear text before it arrives at the server.
Keep software up to date
New security issues in software are discovered on a daily basis, and the software your website is using is no exception. If you are using any form of website software that required you to install or configure it, then you will need to keep it updated. This also applies to any plugins or themes your website is using. Refer to the documentation for the software being used for instructions on how to update it.
Using outdated, vulnerable versions of website software is the single biggest reason for a website becoming compromised.
In addition to keeping software updated, it is also important to try to avoid software that has gained a reputation for security issues.
Use well reviewed security plugins
If you are using website software that can be extended with plugins, one thing you can do is install a security plugin. Recommended ones might be referenced in official documentation and include the following.
Make use of official security guides
The software your website is using might come with a security guide or checklist (also known as a hardening guide). If it does, you should follow it, as it contains best practices on how to secure that particular application. Here are links to some of the guides for a handful of popular software packages.
You can generally find the official security documentation by searching the internet for the name of the application with 'security' after it.
If you have a VPS, then the security of the server is reliant on you. We are able to perform basic security optimisations on request as part of Server management, although this may not be enough to prevent a persistent attacker from compromising the server (depending on what is installed and running on the server).
If you are on website or reseller hosting, then the security of the server is managed by Crucial. We take steps to ensure that the server is as secure as possible. We keep the server software up to date, use CloudLinux to completely separate customers' websites, and each server has a firewall that will actively block brute force attacks. We also make it easy to set up the website with Cloudflare, which can assist with mitigating some attack vectors.