Have you just created a website? Have you been the victim of an attack recently? Or do you simply prefer to anticipate such an event? Whatever the reason that brought you to this article, we will help you. Below, we offer a complete guide that will allow you to better understand how to secure and protect your website and, above all, what threats it is subject to.
You will see that there are many things to do. No need to do everything at once (even if it would clearly be better). If you have very little time, try to do a little every day, or every week. After all, securing your website is a long-term job. It's almost a weekly task.
How can a website be attacked/hacked?
To begin this guide explaining how to secure and protect your website (whether you are on WordPress, Joomla, Drupal, or another CMS), we will highlight the many threats that you will potentially have to face.
- Denial of service (DoS) attack: a denial of service attack is carried out by hackers in order to “drown” your site with requests from robots/ghost servers. By sending a significant number of requests to your site, they will be able to slow it down, or even crash your web hosting. This will result in your website going offline.
- Phishing: phishing consists of sending a fraudulent email to a person in an attempt to extract personal information from them. Very often, hackers will pretend to be a reputable company, or even your web host.
- Ransomware: a practice which consists of taking your data or access to your site “hostage” in exchange for payment (generally large sums of money).
- Malicious code: using various methods, hackers may be able to inject malicious code into your website. This can prevent you from accessing it, or even completely deactivate it.
These are just some of the main types of attacks you can experience. There are many others. If you have never thought about securing your website until now, you now know why you will have to do it.
Install an SSL certificate to use the HTTPS protocol
The easiest thing to do to secure your site and protect your visitors is to install an SSL certificate.
As soon as you have installed an SSL certificate on your website, visitors to it will no longer use the unsecured HTTP protocol, but the HTTPS protocol.
Thanks to the latter, all exchanges between visitors and your site will be encrypted and therefore secure.
Beyond the security of your website, you have every interest in putting this in place, since search engines also take it into account in their organic rankings (SEO).
Without an SSL certificate, and therefore without HTTPS, your site will be considered dangerous and a warning message will be shown to your visitors.
Please note that you do not necessarily need to purchase an SSL certificate. In fact, more and more hosts are offering this service for free. This is for example the case of the two excellent hosts Hostinger and PlanetHoster.
Use a secure web host
This brings us to the topic of web hosting.
Unsurprisingly, the web hosting on which you will host your site will play a crucial role in securing it.
Make sure that a certain number of things are put in place: firewall with strict rules, anti-DDoS protection, anti-malware protection, provision of a backup solution, etc.
If not, simply run away!
You can also opt for managed web hosting. Thus, all these aspects will be covered by the technical teams of your web host.
If you don't know which secure web host to turn to, we can once again advise you to look at Hostinger.
Absolutely all the points that we have mentioned previously are taken into consideration by the host, which will guarantee you maximum protection.
Use security (and anti-malware) software
As we were able to point out just above, some hosts will provide you with anti-DDoS but also anti-malware protections.
However, we advise you to install an extension which will allow you to further improve the security of your website.
If you are on WordPress, we can recommend the plugin called “Wordfence”.
The latter will give you access to a number of tools to protect your site. This includes a firewall, a malware scanner, but also blocking possible malicious requests (bruteforce attacks, etc.).
The big advantage of this solution is that it will cost you nothing and will be functional without much configuration on your part. In addition, you will have access to a central panel which will inform you about recently blocked attacks, and the overall security of your WordPress site.
If you want to benefit from even more features, know that Wordfence also exists in a paid version. To give you an idea, a license will cost you $99. Do not hesitate to consult the official Wordfence website for more information on the provision of its paid solution.
Keep your website and its plugins up to date
It's a simple thing but one that many tend to forget: update your site regularly. This applies both to the CMS you use and to the plugins and themes.
Why? Quite simply because any one of these elements could expose you to a security vulnerability that malicious hackers could exploit.
To avoid this, you must therefore ensure that all elements of your website are regularly updated.
Don't be too quick though. It is better to wait a few days after the release of a new version of a plugin or CMS in order to have a little more perspective. Sometimes, following the release of a new version, problems may arise.
So when should you update all the elements of your site? Every 2 to 3 weeks, leaving a margin of several days after the release of a new update.
Improve the complexity of your passwords
Each person who connects to your website's administration panel surely has an account... and therefore an associated password.
This may seem trivial, but try to reinforce the complexity of the passwords used by your teams. Add special characters, capital letters, numbers…
What will the benefits be? It will be much harder for hackers to succeed in finding your password, and therefore taking control of your website.
If possible, also try to implement a strategy for regularly changing passwords. No need to change them every month, try for example starting with a change every 6 months.
If you have trouble imagining what an extremely secure password might look like, know that websites allow you to generate one randomly and based on certain criteria.
Many password managers offer this (Dashlane, LastPass), as does a site like motdepasse.xyz.
With such a generator, you can choose whether or not to add numbers, lowercase letters, uppercase letters, or even special characters. You will also have control over the number of characters that must be contained in your password.
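The same kind of criteria-based generation can be done locally. The sketch below is an added example, not code from any of the tools named above; the function name, the default length and the `SPECIALS` set are assumptions. It draws characters from the operating system's cryptographic random source and guarantees at least one character from each selected class.

```python
import secrets
import string

# Assumed set of special characters; adjust to what your CMS accepts.
SPECIALS = "!@#$%^&*()-_=+[]{}"

def generate_password(length=16, lower=True, upper=True, digits=True, special=True):
    """Build a random password from the selected character classes."""
    pools = []
    if lower:
        pools.append(string.ascii_lowercase)
    if upper:
        pools.append(string.ascii_uppercase)
    if digits:
        pools.append(string.digits)
    if special:
        pools.append(SPECIALS)
    if not pools:
        raise ValueError("select at least one character class")
    if length < len(pools):
        raise ValueError("length is too short to include every selected class")

    # One guaranteed character per selected class, so no class is missing.
    chars = [secrets.choice(pool) for pool in pools]
    # Fill the rest from the combined alphabet.
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the same secure source so the guaranteed characters
    # do not always sit at the start.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

if __name__ == "__main__":
    print(generate_password(20))
    print(generate_password(12, special=False))
```
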
Make regular backups
Backups are definitely the most effective way to ensure the security and above all the integrity of your website. Whether you are the victim of an attack, or you simply made a mistake following a modification, having a backup will save you.
It is therefore important to put the right things in place.
To do this, you will have two options: use the backup tool made available by your host (Hostinger and PlanetHoster offer such a thing), or rely on a backup plugin.
Which option to favor? In our opinion, you should not choose between them but rely on both. This way, you will be sure to be able to rely on a healthy backup of your system and hosting.
It’s better to do a little too much than not enough in this specific case.
If you are unsure which plugin to use and you are on WordPress, we can recommend UpdraftPlus. This free plugin will allow you to set up a backup cycle in an extremely simple way. In addition, you will have the choice of where to store them. This could be local, or in an online storage space. It's up to you to see what suits you best.
Restoration can also be done regularly.
On this note, once your backups are configured, remember to take a look at them from time to time to ensure that they run smoothly each time. This will save you from unpleasant surprises if one day you need to use them urgently.
Be careful when opening your emails
As we suggested in the first part of our guide explaining how to protect and secure a website, you, as an owner, risk being subject to “phishing” attacks.
Be careful when you receive emails. Avoid clicking without thinking on links or opening files that may be attached. First make sure the sender is an organization or someone you trust.
Phishing emails are indeed becoming more and more sophisticated. You must therefore constantly be on your guard.
Secure your folder permissions
The last piece of advice that we can give you in order to best secure your website is to change the permissions on its folders and files.
You may not know it, but behind every website there are files and folders that contain a lot of information vital to its proper functioning.
They are all available on your web hosting. If you don't pay attention to the permissions given for these files and folders, a hacker could access them and harm you.
To thwart all of this, you need to go to your file manager (via FTP or from your cPanel interface, for example).
Once in your site tree, set the permissions as follows:
- 644: for individual files
- 755: for files and folders
Wondering what these numbers mean? Here's a quick explanation:
- 4 = read right
- 2 = write permission
- 1 = execution right
- 0 = no permissions
A permission which is equal to 6 will therefore mean that the person has read and write rights (4+2).
Now you must be wondering why there are three numbers in a row? The first number concerns the rights of the file owner, the second concerns people linked to the group that owns the file, and the third concerns everyone else.
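To make the numbering concrete, here is an added example (not part of the original guide) that decodes a mode into rights per owner, group and others, then walks a site tree and lists every entry that the group or everyone else can write to, which neither 644 nor 755 allows. The function names and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

CLASSES = ("owner", "group", "others")
RIGHTS = ((4, "read"), (2, "write"), (1, "execute"))

def explain_mode(mode):
    """Decode a numeric mode such as 0o644 into the rights of each class."""
    result = {}
    for shift, who in zip((6, 3, 0), CLASSES):
        digit = (mode >> shift) & 0o7  # one octal digit per class
        result[who] = [name for bit, name in RIGHTS if digit & bit]
    return result

def audit_tree(root):
    """Return (relative path, octal mode) for entries writable by group or others."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not meaningful
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o022:  # write bit set for group (020) or others (002)
                findings.append((os.path.relpath(path, root), format(mode, "03o")))
    return sorted(findings)

def build_sample_site(root):
    """Create a small constructed tree; the names and modes are made up."""
    layout = {"index.php": 0o644, "config.php": 0o666,
              "uploads": 0o777, "themes": 0o755}
    for name, mode in layout.items():
        path = os.path.join(root, name)
        if name in ("uploads", "themes"):
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)  # set explicitly so the umask does not interfere

if __name__ == "__main__":
    print("644 ->", explain_mode(0o644))
    print("755 ->", explain_mode(0o755))
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel, mode in audit_tree(site):
            print("too permissive:", mode, rel)
```

Point `audit_tree` at a local copy of your site, or run it on the host if you have shell access, to find entries to correct from the file manager.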
Conclusion on securing a website
We hope that through this guide, you now know what dangers your site faces and, above all, how to deal with them.
As you can see, there are a lot of things to take into account and put in place. It is tedious work but worth doing in order to fully secure your website.
Here is a quick summary of all the steps that you will need to consider (if you have not yet had the opportunity to do so) in order to best protect your website:
- Installing an SSL Certificate
- Using secure web hosting: we recommend Hostinger hosting
- Implementation of security software/plugin
- Regular updating of your site and its plugins/addons
- Improving the complexity of your passwords
- Carrying out regular backups (hosts like Hostinger or PlanetHoster make a tool available free of charge)
- Maximum vigilance against possible phishing emails
- Securing your site folder permissions
Haven't been able to create your website yet? In this case, focus first on choosing the best solution to get there. You can go through a web host and then install a CMS, or opt for website creation software.
That being said, please note that if you still have questions about the procedure to follow in order to secure and protect your website from possible attacks, you can let us know by leaving us a comment.