What would you do if your site just disappeared tomorrow? You go to log into your WordPress installation or shared hosting instance and find it’s all gone. Could you recover? Could you have stopped it happening in the first place? Is it going to ruin your life?
Running an affiliate website means putting your livelihood into the public domain where anyone can find it and attack it. It also means you need to know how to protect it from both malicious attacks and your own errors.
Here are five website security tips to help you prevent this scenario and to recover from your site being hacked or lost.
1: Version Control – Get a Safety Net in Place
Are you still using FTP to transfer files to your server? If so, you’re just as much at risk of damaging your site yourself as you are from someone else doing it. What if you upload a new file and don’t discover for weeks that it’s broken some key functionality elsewhere? What if you’ve since built lots of functionality that interacts with the buggy file? What you have now is a mess and a choice between continuing, knowing the system is fundamentally broken (don’t do this), and losing a lot of time by backtracking and trying to fix the issue.
Using Git is an extremely effective way of managing this problem. Git allows you to have different versions of your site, identified as branches. As a very basic explanation, this allows you to essentially roll your site back to a previous version if things go wrong. Releases can be handled as tags and reverting (checking out) the previous tag is as simple as running one command.
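The roll-back described above, as an added example that is not part of the original post: a throwaway Git repository tags a known-good release, commits a change that later turns out to be broken, and restores the release with a single checkout. It assumes git is installed; the file name, commit messages and demo identity are made up.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway Git repository that
# tags a known-good release, commits a change that turns out to be broken, and
# restores the release with a single checkout. Assumes git is installed; the
# file names and commit messages are made up for the demo.
set -eu

demo_rollback() {
  repo=$(mktemp -d)
  cd "$repo"
  git init -q .
  git config user.email "demo@example.invalid"   # demo identity, not a real address
  git config user.name "Demo"

  # 1. Known-good state: commit it and mark it as a release with a tag.
  printf '%s\n' "<?php echo 'site ok';" > index.php
  git add index.php
  git commit -q -m "Initial working site"
  git tag -a v1.0 -m "Release 1.0"

  # 2. A later change that, weeks on, turns out to have broken the page.
  printf '%s\n' "<?php echo 'site broken';" > index.php
  git commit -q -am "Tweak homepage (actually broken)"

  # 3. Roll the files back to the tagged release and record that as a commit,
  #    so the history shows both the bad change and the recovery.
  git checkout -q v1.0 -- .
  git commit -q -m "Roll back to v1.0"

  content=$(cat index.php)
  cd / && rm -rf "$repo"
  printf '%s\n' "$content"
}

demo_rollback   # prints the recovered index.php
```

Checking the tag out into the working tree (`git checkout v1.0 -- .`) and committing keeps the broken change in history, so you can still inspect what went wrong later instead of losing it.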
If the command line isn’t your thing (or you’re on Windows, in which case I’d go with this option personally), they offer a point-and-click application too. That can be found here.
Github.com offers a fantastic service and is widely used in the development industry. You can get free public-facing repositories for your site, but these are visible to everyone, so grab yourself a private package for a couple of dollars a month.
A fantastic tutorial for using Git can be found here.
2: Using WordPress? Keep Those Plugins up to Date!
Seriously – I know this is mundane but given it takes a couple of clicks, it’s well worth the effort.
So many sites are hacked now via outdated plugins that it’s not even funny. Cast your mind back just a few months to the Panama Papers scandal. More information on the scandal is available via the link; I’m not going to get into the ethics of this company (Mossack Fonseca) or their practices, but I will certainly talk about their recent hack.
Basically, Mossack Fonseca’s system was compromised and a lot of sensitive data was stolen. Data which eventually made its way onto the web and into the public domain.
Obviously, Mossack Fonseca are keeping quiet regarding exactly what happened, but it’s looking increasingly likely that the whole exploit was the result of an outdated WordPress plugin.
So what was this plugin? It must have been a very important plugin, surely? It must have been responsible for some kind of administrative function that was exploited? Some database query?
Nope. The plugin in question was a simple slider. Namely, an outdated version of revSlider. If you are using this slider, or more specifically, if you are using any version from 2.1.7 through 3.0.95, you are currently open to the same vulnerability – update it now.
In fact, if you have any outdated plugins – update them now!
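An added example (not from the original post or from the plugin’s authors) of the check behind “update it now”: a POSIX sh/awk function that reports whether an installed plugin version falls inside a published affected range. It generalises beyond the post by taking any low/high bounds; the 2.1.7 to 3.0.95 range is the one quoted above for revSlider, and the plugin inventory is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from the plugin's authors:
# a POSIX sh/awk version check that reports whether an installed plugin version
# falls inside a published affected range. The range 2.1.7 .. 3.0.95 is the one
# the post quotes for revSlider; the plugin list below is constructed for the demo.

# version_in_range VERSION LOW HIGH -> exit 0 if LOW <= VERSION <= HIGH.
# Components are compared as numbers, so 3.0.9 < 3.0.95 (a plain string
# comparison would get that wrong). Missing components count as 0.
version_in_range() {
  awk -v v="$1" -v lo="$2" -v hi="$3" '
    function cmp(a, b,   x, y, i) {
      split(a, x, "."); split(b, y, ".")
      for (i = 1; i <= 3; i++) {
        if (x[i] + 0 < y[i] + 0) return -1
        if (x[i] + 0 > y[i] + 0) return 1
      }
      return 0
    }
    BEGIN { exit !(cmp(v, lo) >= 0 && cmp(v, hi) <= 0) }'
}

# revslider_affected VERSION -> exit 0 if the version is in the range from the post.
revslider_affected() { version_in_range "$1" 2.1.7 3.0.95; }

# Constructed "name version" inventory (made up for the demo).
PLUGINS='revslider 2.2.0
revslider 3.0.9
revslider 3.0.96
contact-form 4.5.1'

# list_affected: print the inventory lines whose version is inside the range.
list_affected() {
  printf '%s\n' "$PLUGINS" | while read -r name version; do
    [ "$name" = "revslider" ] && revslider_affected "$version" && echo "$name $version"
  done
  return 0
}

list_affected
```

Version strings are where these checks usually go wrong: 3.0.9 sorts after 3.0.95 as text but is older as a release, which is why each dotted component is compared as a number.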
3: Be DDOS Proof (Kinda)
DDoS is a popular problem nowadays. Even kids are smart enough to load up a botnet, aim it at a site and press fire. The results can be devastating to the owner of the site and the users trying to access the service.
A DDoS attack works by flooding your host server with more requests than it can actually handle. The result is that your server is unable to serve legitimate users’ requests and your users cannot connect to your website.
Although DDoS attacks are difficult to mitigate, a couple of services stand out way above the rest when it comes to protecting your assets – and both are extremely quick and effective at what they do.
Both have a great level of support and make a great ally in the battle against DDoS attacks.
Another good solution is Fail2Ban – but this takes a little more technical knowledge to implement. That said, the protection it offers against brute-force attacks is fantastic and well worth the effort it takes to install.
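To show what Fail2Ban is actually doing for a WordPress login page, here is an added example (my own awk imitation, not Fail2Ban’s code and not part of the original post). It reads Apache-style access log lines, counts POSTs to wp-login.php per client IP inside a sliding window, and lists the IPs a jail with the same `maxretry` and `findtime` settings would ban. The log lines are constructed and all fall on one day, so only the time of day is parsed. One caveat worth knowing: the access log cannot tell a failed login from a successful one, so a filter like this counts every login POST.

```shell
#!/bin/sh
# Added example, not part of the original post or of Fail2Ban itself: a small
# awk imitation of a Fail2Ban "jail" for WordPress login brute force. It reads
# Apache-style access log lines, counts POSTs to wp-login.php per client IP
# inside a sliding window, and lists the IPs a jail with these settings would ban.
# The log lines below are constructed for the demo and all fall on one day.
MAXRETRY=5      # Fail2Ban: attempts allowed inside the window before a ban
FINDTIME=600    # Fail2Ban: window length in seconds

# Constructed sample: 192.0.2.9 posts 5 times but 6 minutes apart (never 5 in
# 600 s); 203.0.113.7 posts 6 times in a few seconds; 198.51.100.23 is a
# normal user who mistypes once and then logs in (302 redirect).
SAMPLE_LOG='192.0.2.9 - - [10/Oct/2016:13:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2016:13:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2016:13:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2016:13:18:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2016:13:24:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:43 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2016:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:46 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:48 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2016:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# brute_force_ips: read log lines on stdin, print each IP once when it reaches
# MAXRETRY login POSTs within FINDTIME seconds.
brute_force_ips() {
  awk -v maxretry="$MAXRETRY" -v findtime="$FINDTIME" '
    # Only POST requests to the login page count as attempts (field 6 is the
    # method with its leading quote, field 7 the request path).
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
      ip = $1
      # Field 4 looks like [10/Oct/2016:13:55:36 ; take HH:MM:SS as seconds of day
      split($4, t, ":"); now = t[2] * 3600 + t[3] * 60 + t[4]
      n[ip]++; ts[ip, n[ip]] = now
      # Attempts from this IP that fall inside the window ending now
      hits = 0
      for (i = 1; i <= n[ip]; i++) if (now - ts[ip, i] <= findtime) hits++
      if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

printf '%s\n' "$SAMPLE_LOG" | brute_force_ips   # prints 203.0.113.7
```

The sliding window is the part that matters: without `findtime`, the slow 192.0.2.9 pattern would be banned too, and without `maxretry` a single mistyped password would lock out a real user. Fail2Ban adds the third setting, `bantime`, which this imitation leaves out.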
4: Remember Third Party Bugs Are Also Your Bugs!
This is fantastic but you must accept that any bugs in these libraries instantly become bugs in your own system! We all like to think that the authors will solve the issue but you shouldn’t rely on this.
Where possible, you should avoid introducing buggy libraries full stop. Research a plugin before you use it. If it’s a WordPress plugin, check for any compatibility issues before you install it. Does it have any support tickets open and ignored? Does it have any feedback?
Spending a bit of time researching what you are thinking of using can save you a lot of headaches in the future. You wouldn’t let a builder build your house with broken bricks, so don’t build your site with broken code.
5: Pick A Reputable Host
This is important – your hosting provider owns the server where your website lives. This essentially means you are having to put an element of your livelihood in someone else’s hands. I approach a hosting provider in the same way I approach an online transaction. I’m looking for positive user feedback, I’m looking for server packages that my website will need and I’m looking at how good the support from the provider is.
In this area, spending a bit more can definitely make the difference. The last thing you want is a website that pings up and down all day. Surfers will very quickly lose patience with a site that keeps losing connection.
Some hosts can make life difficult for people if they want to leave too, so be sure to research your hosting company well and don’t be tempted in by the first deal you see.
Be aware when signing up to free-period packages, as sometimes these can work out more expensive once the free period has expired. Some hosts will also try to add optional extras to your package, so be sure to check which boxes are ticked whilst going through the signup process.
This list is far from exhaustive – it is simply five very basic website security tips to get you started. Website security is a massive thing and you can never take it too far. I’d like to leave you with a favourite quote of mine, from the FBI regarding IT security:
“The only secure computer is one that’s unplugged, locked in a safe, and buried 20 feet under the ground in a secret location… and I’m not even too sure about that one”
— Dennis Hughes, FBI.
Ensure you keep yourself up to date on the latest cyber threats and definitely take action when threats that can affect your site turn up. Nobody is going to do it for you. You wouldn’t leave a broken window on your car or leave the house without locking the door would you? Why do the computing equivalent?
As the world moves on and new generations become more and more tech savvy, new and interesting hacking techniques will reveal themselves. Keeping your website safe is always going to be more difficult tomorrow than it will be today – what better excuse do you need to spend some time reviewing your website security and protection?
Don’t put it off till tomorrow – tomorrow never comes!