How do I protect my website from getting hacked?

Being in the digital marketing industry, I help many clients set up their blogs and websites, and they often ask me: how can I protect my website from getting hacked? I always say it is your karma that pays you back. How? Let’s understand it.

Initially, everything goes perfectly: they get a new server, install all the necessary and latest web hosting software, and install a CMS. Since site owners try to keep things as cheap as possible, up to this point they have invested only the hosting fees.

I am considering WordPress as the CMS, since it is widely popular and used by many people worldwide. So most of the examples will be based on it, but they apply to other CMSs as well.

Since no one likes the default theme setup, it is obvious that one will check out other themes. The bad stuff starts from here…


So many cracked, nulled themes exist because there is a demand for them; otherwise, why would they be available? If you always use free or properly bought themes, then you are good to go. But trust me, not everyone follows the same.

Assume you liked a theme and found out that it isn’t free.

Now you search for a free download of the same theme, and later you come to know that a cracked or nulled copy of the theme is available on the XYZ site, and you take no time to download and install it on your site.

Congratulations, a virus has been injected into the server free of cost.

In the initial stage, nothing looks suspicious, so you take the chance and become worry-free. Similarly, you like a social sharing plugin that looks tremendously nice, but again it’s paid. Since things went well for you last time, you repeat everything: download the cracked or nulled script and install it on the site.

Congratulations, another virus has been injected into the server free of cost.

Again, nothing looks suspicious. So you think, “I have a copy of an original copy of that theme or script,” and you focus on other things.


A few days pass; you have written and uploaded a lot of content. You become a little famous too, getting decent traffic.

It seems that you have started a career out of your website. But suddenly you notice that all your traffic is being redirected to another website.

Now I can picture the site owner’s PANIC and how he asks for help in various communities. In my career I have had clients in exactly this situation ask me for a favor to recover everything ASAP.

But the sad side is that any recovery takes some time, so the fresh success the site owner achieved vanishes instantly. See how a site owner sabotages himself.

According to my last year’s calendar, I helped 23 clients, and for 16 of them the case was similar. The rest were seriously attacked by external factors, so I am not writing about them here but later.

How do I protect my website from getting hacked?

Now here are some industry-level tips you should follow…

1. Use the latest and genuine software.

While running a successful website, ensure that all the software is up to date.

Updates fix the known security issues and flaws in the software, so I highly recommend applying them. If you are worried that an update might break the site or stop it from working, take a full site backup first.

Also, manually clear the cache after a software update. If you’re using a CDN service that caches your static files, purge the cache there too.

About using genuine themes and scripts, I don’t think I have to explain any more; the case above is more than enough to understand.

2. Protect the admin section.

This is the second most common case we face: sometimes hackers successfully guess our password or otherwise bypass the security hurdle of the admin login. The usual cause is an easy-to-guess password or weak administration settings.

Do not leave admin sections like the login page, dashboards, or similar screens, which are not meant for normal users, unprotected. Take some security measures here: limit login attempts, or block the section completely except from your home network.

I also recommend using long, hard-to-guess passwords, or better, a secure password manager to generate and store them.

You can also take advantage of multiple accounts, for example logging in with an editor-privileged account for day-to-day work, since most of the time you log in only to upload new content. Managing themes and admin settings is not a daily job.
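Here is how the two options above (throttling login attempts, and allowing the dashboard only from your home network) look in an Nginx server block. This is an added example, not configuration from the article; example.com, the document root, the PHP-FPM socket path and the 203.0.113.0/24 home range are placeholders to replace with your own.

```nginx
# Rate-limit zone keyed by client address: 5 login requests per minute per IP (constructed values).
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=5r/m;

server {
    server_name example.com;             # placeholder host name
    root /var/www/example.com;           # placeholder document root
    index index.php;

    # Generic PHP hand-off to PHP-FPM; the socket path is an assumption.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Login page: throttle password guessing. Beyond 5/min plus a burst of 3,
    # Nginx answers 429 without the request ever reaching WordPress.
    location = /wp-login.php {
        limit_req zone=wplogin burst=3 nodelay;
        limit_req_status 429;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # admin-ajax.php is also used by public front-end features, so keep it open.
    location = /wp-admin/admin-ajax.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Dashboard: only the home network (placeholder range) may enter; all others get 403.
    location ^~ /wp-admin/ {
        allow 203.0.113.0/24;
        deny all;
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

If your home connection has a dynamic address, keep the rate limit and drop the allow/deny lines rather than locking yourself out; run `nginx -t` before reloading.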

3. Use a trusted firewall service.

Using a firewall can block the majority of the attacks made on your website. There are many free and paid options, and even the free ones block the common attacks. I personally recommend Cloudflare; if you have never heard of it, try it once.

You can achieve the same thing with a plugin too, but that is a buggy approach I will never recommend. Instead, if you are using Nginx as your web server and have access to its configuration file, block things from there; it is the safest option.

If you are not familiar with server-side stuff, take the help of experts; it won’t cost you much.

4. Use HTTPS or SSL certificate.

Using an SSL certificate, which makes your website HTTPS-enabled, also protects your users’ data from being stolen by man-in-the-middle attacks. Often site owners think that using an SSL certificate is the ultimate security feature, but it is not.

An SSL certificate just encrypts the connection between the browser and your server, which is hard or impossible to tamper with because it is encrypted end to end. Even if a man in the middle intercepts the connection, the data won’t be accessible or readable.

You should use HTTPS on your whole website.

These days obtaining an SSL certificate is free (thanks to Let’s Encrypt). You can read our guide on it; just search for Let’s Encrypt in the site search.

5. Try to fix errors ASAP!

Technical things tend to show errors when something is misconfigured or not done correctly. Always aim for all green indications and fix the red messages. These errors may appear in the admin dashboard, the database, or any similar screen managed by an admin. All you have to do is fix them as soon as possible.

Attackers mostly target sites with weaker security, and they easily hack those sites using SQL injection or XSS (cross-site scripting) attacks. You can use common security measures that close off all direct remote access to the database.

For XSS attacks you can utilize security headers. If you have an upload section, similar to WordPress’s media upload option, then block the uploading of unnecessary file types other than common ones like jpg, png, gif, or similar.
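Here is an added example of the two points above in Nginx (not configuration from the article): a set of security headers, and an uploads directory that serves only common media types and never executes scripts. The host name and document root are placeholders; merge the directives into your existing server block.

```nginx
server {
    server_name example.com;            # placeholder host name
    root /var/www/example.com;          # placeholder document root

    # Headers sent on every response; "always" keeps them on 4xx/5xx pages too.
    add_header X-Frame-Options "SAMEORIGIN" always;          # stops clickjacking via frames
    add_header X-Content-Type-Options "nosniff" always;      # no MIME sniffing of uploaded files
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # A conservative CSP that does not break theme/plugin inline scripts. A script-src
    # policy is the real XSS mitigation but must be tested against every plugin you run.
    add_header Content-Security-Policy "frame-ancestors 'self'; base-uri 'self'; object-src 'none'" always;
    # Enable HSTS only once the whole site is served over HTTPS (section 4):
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Media uploads: serve only known static types, never run anything from here.
    location ^~ /wp-content/uploads/ {
        # Allowed types (extend to match what your site really hosts).
        location ~* \.(jpe?g|png|gif|webp|pdf)$ {
            try_files $uri =404;
            expires 30d;
        }
        # Anything else under uploads (php, phtml, shtml, .htaccess, ...) is refused,
        # so a script smuggled in through the media uploader cannot be executed.
        return 403;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    # PHP-FPM hand-off for the rest of the site is omitted; keep your existing one.
}
```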

Conclusion.

That is all; there is hardly anything more you can do at the initial level. There are bigger problems like DoS or DDoS attacks, but they are common with bigger sites like eCommerce sites or any successful, money-making website. So be careful, and share this article with your friends who are in the same industry and unaware of these things.


Responses

  1. Vinay

    Excellent article Atul. You just touched my heart. You have clearly mentioned what people do in their lives. Even I did the same thing a few years back (I was a noob then) and paid a huge price for that. Many nulled themes and plugins affect the sites even after removing them. Once again thanks for the awesome article.

    1. AtulHost

      Thanks, liked the feedback. Stay tuned.

  2. Puneet

    I would rather add the following points too…

    1) Filter the following items for any tag or script inclusion: comments, search, login, file upload.
    2) Use ReCaptcha
    3) Use a CDN
    4) Change the website login page
    5) Restrict file permissions to read-only
    6) Upgrade platform/CMS/language to the latest version
    7) Encrypt my code/password

  3. Marcus

    You just nailed the topic with real-life facts. I too made the same mistakes when I was new in this field, but I stay away from such things now because my business is more important. The important thing to remember about hackers is that they tend to target the low-hanging fruit, so if you make it difficult for them it is likely they will move on. Security should be your first priority.