June 24, 2015
CMS Security Best Practices
We Fix Over One Hacked Website Per Day.
Research estimates that 30,000 websites are hacked each day with most of the sites belonging to small businesses.
Visit our blog post: "Top 21 Best Practices for WordPress Security"
To help minimize this ongoing problem, we have developed a new list of security best practices which you can implement on your website, no matter which CMS you are using. We recommend implementing these measures to reduce the chances of your website being compromised.
Top 14 CMS Security Best Practices
- Use a strong password. As an illustration of how fast the search space grows: cracking a six-character all-lowercase password takes on the order of 10 minutes. Make it eight characters with a few uppercase letters and the estimate jumps to about three years; add one more character plus numbers and symbols and it becomes roughly 44,530 years. Treat these as relative figures: the absolute time depends entirely on how fast the attacker can guess, and an offline attack on a leaked database of weakly hashed passwords runs many orders of magnitude faster than a throttled login form. Length helps more than any single "special" character, so prefer a long passphrase, stored in a password manager, over a short but "complex" password.
- Use current software. When a new version of your CMS is released, install it promptly. Updates close the vulnerabilities they fix, and attackers routinely scan for sites still running versions with publicly known flaws.
- Use current plugins. We have seen a huge increase in attacks that come in through out-of-date plugins. A plugin runs with the same access to your site as the CMS itself, so a vulnerable plugin is as dangerous as a vulnerable core.
- Keep themes up to date. Check often for updates to the theme you are using. Theme files are executable code, and a hacker can sometimes access your website through outdated theme files.
- Remove disabled plugins and themes. It is best practice to remove any disabled plugins or themes. If they aren't being used, there is no good reason to keep the code on the website: a disabled plugin's files are still on disk and can often still be requested directly, so any vulnerability in them remains exploitable.
- Do not use "admin" as your username. Many CMSs use "admin" as the default username. This is a common target for hackers because they already know the username; they only need to figure out the password. A unique username and a strong password are the best combination to resist brute-force attacks, because the attacker now has to guess both.
- Remember to LOG OUT. It is important to log out when you are finished editing your site, especially on a shared or public computer; an open session can be reused by whoever sits down at the keyboard next.
- Use security plugins or software. There are several good tools available which help protect your website; some also report what else you can do to harden it. Make sure any third-party plugin you add to your site comes from a trusted source, since it will run with full access to the site.
- Use two-step verification for admin user login. Some content management systems provide this natively; if yours does not, look for a well-maintained plugin. With a second factor, a stolen or guessed password alone is no longer enough to log in.
- Login error messages. Customize the error messages on your login screen so that they do not reveal whether the username or the password was wrong, or whether both were. A message such as "unknown username" confirms to a hacker which usernames exist, leaving only the password to guess.
- Limit login attempts. After a user fails to log in a set number of times, the account (or the source address) should be temporarily locked out. This turns an unlimited brute-force attack into a handful of guesses per lockout period.
- Insecure web hosting. Always ensure that the hosting company you are using is secure and reliable. Shared hosting plans host multiple websites on the same server. If the hosting company does not isolate and monitor its accounts and servers properly, another website on the same server can be the source of an infection on yours.
- Dedicated servers need to be kept up to date. Be sure your servers are running a supported, fully patched operating system. Also ensure your servers are protected by a firewall and by anti-virus or anti-malware software.
- Hacker code. Be wary of any code you place on your site. Hackers love providing code on online forums and instructional websites for the purpose of gaining access to your website, and pirated ("nulled") copies of paid themes and plugins frequently ship with backdoors for the same reason. Only install code you can trace to its original author.
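As an added illustration (this is not code from the original post) of why the figures in the password item grow the way they do, the following Python computes the search space for the three password shapes the post describes and the time needed to exhaust it at two assumed guess rates. A rate of about half a million guesses per second roughly reproduces the post's minutes/years/millennia figures; the second rate is the order of magnitude a GPU cracking rig reaches against a leaked database of fast, unsalted hashes, and it shows how quickly those figures collapse. Both rates are assumptions chosen for illustration, not measurements.

```python
# Added example, not code from the original post: the search-space arithmetic behind
# the "time to crack" figures above. The guess rates below are illustrative assumptions.
from dataclasses import dataclass
from typing import List

# Character-class sizes for printable ASCII (26 + 26 + 10 + 33 = 95).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass(frozen=True)
class Policy:
    name: str
    length: int
    alphabet: int  # distinct characters the attacker must try at each position


# The three password shapes described in the post. Mixing "a few" uppercase letters
# into a password forces a brute-force attacker to try all 52 letters at every
# position, which is why the estimate jumps from minutes to years.
POLICIES: List[Policy] = [
    Policy("6 lowercase letters", 6, LOWER),
    Policy("8 letters, mixed case", 8, LOWER + UPPER),
    Policy("9 chars, letters+digits+symbols", 9, LOWER + UPPER + DIGITS + SYMBOLS),
]

# Guesses per second. Assumptions, not measurements:
#  - 5e5 roughly reproduces the post's figures (a slow, throttled attacker);
#  - 1e10 is the order of magnitude a GPU cracking rig reaches against a fast,
#    unsalted hash such as MD5 once a password database has leaked.
RATES = {"slow attacker (~post's figures)": 5e5, "GPU vs. fast hash": 1e10}


def keyspace(alphabet: int, length: int) -> int:
    """Candidates an attacker must try to exhaust the whole space."""
    return alphabet ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    return space / guesses_per_second


def years_to_exhaust(policy: Policy, guesses_per_second: float) -> float:
    space = keyspace(policy.alphabet, policy.length)
    return seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_YEAR


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


def report() -> str:
    """One line per policy with the exhaustion time at each assumed rate."""
    lines = []
    for policy in POLICIES:
        space = keyspace(policy.alphabet, policy.length)
        lines.append(f"{policy.name}: {space:,} candidates")
        for label, rate in RATES.items():
            lines.append(f"    {label:32s} {human(seconds_to_exhaust(space, rate))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

At the slow rate the three policies come out at about 10 minutes, 3.4 years and 40,000 years, in line with the post; at the GPU rate the same three become a fraction of a second, about an hour and a half, and about two years. The lesson a practitioner should draw is that the exponent (length) is what buys time, and that the hash your CMS stores passwords with matters as much as the password itself.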
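The username, error-message and login-attempt items above fit together into one login routine. The following Python is an added example, not code from the original post or from any particular CMS: it hashes passwords with salted PBKDF2, returns the same generic message whether the username or the password was wrong (and hashes against a dummy record for unknown names so the response time does not give valid usernames away either), refuses to run with a default "admin" account, and locks an account after a set number of failures within a time window. The thresholds, the in-memory attempt store and the account names are assumptions for illustration.

```python
# Added example, not code from the original post: a login routine applying three of the
# practices above: one generic error message for every failure, a lockout after a set
# number of failed attempts, and no default "admin" account. Thresholds, the in-memory
# attempt store and the account names are illustrative assumptions.
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional, Tuple

MAX_FAILURES = 5             # failed attempts allowed before lockout (assumption)
WINDOW_SECONDS = 15 * 60     # failures older than this stop counting (assumption)
PBKDF2_ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256
GENERIC_ERROR = "Invalid username or password."  # never say which one was wrong

PasswordRecord = Tuple[bytes, bytes]  # (salt, derived key)


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


class Authenticator:
    def __init__(self, users: Dict[str, PasswordRecord],
                 clock: Callable[[], float] = time.monotonic) -> None:
        if "admin" in users:
            raise ValueError("refusing to run with the default 'admin' account")
        self._users = users
        self._clock = clock
        # Per-submitted-username failure timestamps. A real deployment would keep these
        # in a shared store with an expiry (and usually key on source address as well).
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        # Hashing against a dummy record when the username is unknown keeps the
        # response time the same for real and invented usernames (no timing oracle).
        self._dummy = hash_password(os.urandom(16).hex())

    def _recent_failures(self, username: str) -> Deque[float]:
        """Drop failures that have aged out of the window and return the rest."""
        now = self._clock()
        q = self._failures[username]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def is_locked(self, username: str) -> bool:
        return len(self._recent_failures(username)) >= MAX_FAILURES

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        q = self._recent_failures(username)
        # Lockout is keyed on the submitted name whether or not it exists, so locking
        # does not reveal which accounts are real; the message stays generic too.
        if len(q) >= MAX_FAILURES:
            return False, GENERIC_ERROR
        salt, expected = self._users.get(username, self._dummy)
        _, actual = hash_password(password, salt)
        match = hmac.compare_digest(actual, expected)  # constant-time comparison
        if match and username in self._users:
            q.clear()
            return True, "Logged in."
        q.append(self._clock())
        return False, GENERIC_ERROR


if __name__ == "__main__":
    auth = Authenticator({"site_owner": hash_password("correct horse battery staple")})
    print(auth.login("site_owner", "wrong"))    # (False, 'Invalid username or password.')
    print(auth.login("no_such_user", "wrong"))  # same message, same cost
```

The two failure paths are deliberately indistinguishable from the outside: same message, same hashing work, same lockout behaviour. In a real CMS the lockout would also be surfaced to administrators as a signal of an attack in progress rather than absorbed silently, but the shape of the logic is the same.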
Why Are So Many Sites Getting Hacked?
Next issue we will discuss why so many sites are getting hacked, what the hackers are trying to accomplish, the damage that might have been done and the best practices for recovering from an attack.