
How do I make my website more secure?

Spending time hardening the security of a website may sound boring compared to creating content and adding fancy new features, but it is still something you should do. On one hand, it spares your future self hours of cleaning up after an attack; on the other hand, it prevents far more serious consequences. If you run a webshop, for example, all your customers' data may leak in the event of a breach, and that data will later be sold on the black market.

If your website gets infected, it also endangers your visitors: their devices may be infected by malicious software that tries to steal their data, credentials or other information that can be used for extortion or plain theft. The latter is a real risk if the infected machine is used for online banking.

Your website may also go completely offline because of the attack, which means lost income and a lost position in Google's search results. All of this erodes your customers' trust, and Google may also flag your site as dangerous and block access to it.

However, securing the website itself can never be your only goal: security is always about the weakest link. If you have spent a lot of time hardening your site but manage it from a computer running Windows XP (which has not received updates for years), that computer may itself be compromised and used to infect your website, and through it your visitors.

Passwords

Password management may be the single most important point when it comes to security, but it is also the most tedious. Given that we nowadays have accounts on perhaps hundreds of services, it is impossible to memorise a unique password for each one, and you should never reuse a password across services. Therefore, you need a password manager of some kind.

A password manager is a piece of software that stores and manages your passwords for you. The software is in turn protected by a “master password”, which is required to access the passwords stored inside. This means that you only need to remember a single password yet remain safe, as long as your master password is a strong one.

A few popular password managers that all work well are listed below:

There is a plethora of password managers available, and quite a number of them are built very poorly, which makes it easy for an attacker to decrypt the stored passwords. The ones listed above are well known and have proven their worth over a long time. They work, and they keep your passwords safe.

A password manager is only as safe as its master password. We therefore encourage you to choose one that is at least 12 characters long and mixes letters, numbers and special characters. A long passphrase made of several unrelated words is easier to remember than 12 random characters and at least as strong. Never use your master password anywhere else.

The passwords you save in your password manager should be at least 20 characters long and completely random. All the managers mentioned above have built-in password generators you can use to create new, unique passwords; since you never have to type a generated password from memory, there is no reason to keep it short.

Install updates

Installing updates is never fun or interesting, but it has to be done. And when we say install updates, we do not only mean your website, but all the equipment you use, such as:

  • Your operating system (Windows, macOS, Linux).
  • Software installed on your computer. Programs used to connect to the Internet are especially important, e.g. your web browser (Chrome, Firefox, Opera, etc.).
  • Your mobile phone, both the operating system itself (Android, iOS) and the apps you have installed.

Then, of course, it is extremely important to keep your website itself updated. If you run a CMS such as WordPress, Joomla or Drupal, you have to keep it up to date. WordPress is an especially attractive target because it is so popular: newly published security issues are picked up by automated attacks very shortly after the details are released. The following needs to be updated on your website:

  • The installation itself. You can see the current version in the admin interface of most CMSs.
  • Plugins, modules, components etc.
  • Themes.

Since WordPress 5.5, the CMS can update plugins and themes for you automatically (all of them, or only the ones you select). This helps keep your website safe, but keep in mind that an update may occasionally cause a feature on your website to stop working, so make sure you have a recent backup and check the site after updates. For more information, please refer to this page (under Security).

End of life

For a software developer, keeping software updated costs time and money. Maintaining multiple versions of the same software and backporting security fixes to all of them costs even more. Therefore, developers stop updating older versions after a certain period of time.

It is important not to use any software that has passed its end-of-life date. If a security issue is found in software that is past its end of life, it will not be fixed, and attackers can exploit it freely.

An example is Windows XP, which is still in use in many parts of the world but has passed its end of life and therefore receives no updates. In that case you really should upgrade to a version of Windows that Microsoft still maintains. It does not have to be the very latest version, but it must be one that still receives security updates.

The same applies to a CMS. For example, Joomla 3.9 receives security fixes for two years after its release, even though Joomla 4.0, 4.1 and so on have been released in the meantime. You can therefore keep using Joomla 3.9 for a while, but it is important to upgrade before those two years are up.

A developer may also abandon a piece of software or a plugin entirely, which unfortunately happens to a few CMSs every now and then. If this happens to software or a plugin you use, switch to an alternative that is still maintained.

Do your cleaning

Attack surface is a term that often comes up in security. For example, a WordPress site with no plugins or themes added has a small attack surface: an attacker can only attack WordPress itself. Once you install a plugin, the attacker can attack the plugin as well, which increases the attack surface. A larger attack surface means more ways to carry out an attack.

Because of this, it is important to remove software you do not use; it shrinks the attack surface. If you once installed a plugin on your website but no longer use it, uninstall it so that nobody can use it for attacks.

The same applies to themes. WordPress ships with a couple of themes preinstalled; uninstall the ones you do not use. Preinstalled WordPress themes are a common target, since they are present on a huge number of installations.

Deactivating plugins and themes is not enough; you have to uninstall (delete) them. A deactivated plugin's files are still on the server, and a vulnerable PHP file can often be requested directly by its URL without the plugin ever being activated.
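To show what “clean out what you don't use” looks like in practice, here is an added example, written for this article and not part of WordPress or any plugin, that inventories a wp-content/plugins directory the way WordPress itself identifies plugins (by the “Plugin Name:” header in the main PHP file) and reports everything that is not in the active list. It builds a constructed sample tree in a temporary directory; the plugin names and versions in it are made up, and the active list is passed in by hand (on a real site it is the active_plugins option in the database).

```python
import os
import re
import tempfile


def _header_value(source, field):
    """Read one header field the way WordPress does: a line like
    ' * Version: 1.4.2' anywhere in the comment block at the top of the file."""
    m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", source, re.M | re.I)
    return m.group(1).strip() if m else None


def parse_plugin_header(source):
    """Return {'name', 'version'} if the text carries a WordPress plugin header, else None."""
    name = _header_value(source, "Plugin Name")
    if not name:
        return None
    return {"name": name, "version": _header_value(source, "Version") or "unknown"}


def _read_head(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.read(8192)  # WordPress only inspects the first 8 KB of a plugin file


def inventory_plugins(plugins_dir):
    """Map everything under wp-content/plugins to its header.
    Keys use WordPress's own 'slug/main-file.php' form (or 'slug/' when a
    directory carries no plugin header at all, i.e. it is a leftover that the
    admin interface will never show you)."""
    found = {}
    for entry in sorted(os.listdir(plugins_dir)):
        full = os.path.join(plugins_dir, entry)
        if os.path.isfile(full) and entry.endswith(".php"):
            header = parse_plugin_header(_read_head(full))
            if header:  # single-file plugin in the root, e.g. hello.php
                found[entry] = header
        elif os.path.isdir(full):
            for fname in sorted(os.listdir(full)):
                if fname.endswith(".php"):
                    header = parse_plugin_header(_read_head(os.path.join(full, fname)))
                    if header:
                        found[entry + "/" + fname] = header
                        break
            else:  # no .php file with a header: not a plugin, just files on disk
                found[entry + "/"] = {"name": "(no plugin header: leftover directory)",
                                      "version": "unknown"}
    return found


def plugins_to_remove(plugins_dir, active_plugins):
    """Everything on disk that is not in active_plugins should be deleted, not deactivated."""
    return {k: v for k, v in inventory_plugins(plugins_dir).items() if k not in active_plugins}


def build_sample_tree():
    """Constructed sample wp-content/plugins tree (made-up plugins, not a real site)."""
    root = tempfile.mkdtemp(prefix="plugins-")

    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(text)

    write("index.php", "<?php\n// Silence is golden.\n")
    write("example-gallery/example-gallery.php",
          "<?php\n/**\n * Plugin Name: Example Gallery\n * Version: 1.4.2\n */\n")
    write("old-contact-form/old-contact-form.php",
          "<?php\n/*\nPlugin Name: Old Contact Form\nVersion: 0.9\n*/\n")
    write("leftover-backup/readme.txt", "manual backup from 2019\n")
    write("hello.php", "<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.0\n */\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    active = {"example-gallery/example-gallery.php"}  # what the site actually uses
    for key, header in plugins_to_remove(root, active).items():
        print(f"DELETE {key:45s} {header['name']} ({header['version']})")
```

Anything the script reports should be deleted, not merely deactivated. Note that the leftover directory with no plugin header never appears in the admin interface at all; the only way to find such remnants is to look at the files on the server.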

The same reasoning applies to your computer, mobile phone and so on: uninstall software you do not use.

Antivirus software

The irony of telling you to install additional software right after we have said you should remove as much as possible is not lost on us. However, some software is necessary, and an antivirus program is one of those.

As a computer user, you are probably acquainted with antivirus suites such as Norton, F-Secure and Kaspersky. It is good to have antivirus protection on your computer, but we do not recommend the products just listed. Security researchers have repeatedly found serious vulnerabilities in third-party antivirus products: because they run with high privileges and parse every file and network stream they see, a flaw in the antivirus itself can make your computer less safe by increasing the attack surface (see the section on attack surface above).

If you run Windows, we recommend Windows Defender (included in Windows since Windows 8), and for macOS we recommend Sophos.

As a Windows user, you should not work as an administrator day to day. Instead, create a separate administrator account that you use only when needed, and make your “normal” account a standard (limited) user. Malware that runs under a limited account cannot silently install itself system-wide. The same applies on macOS and Linux.

There are also many security plugins (antivirus/firewall style) for the various CMSs. For WordPress we recommend iThemes Security, and for Joomla, Admin Tools. You can use the free version of Admin Tools, but to get the security features you have to pay for Admin Tools Pro. We have tried Admin Tools Pro and consider it money well spent.

Two-factor authentication

Two-factor authentication (2FA) comes into play when you log in somewhere; you can, for instance, enable it in our Client area. 2FA means that you must present two different factors to log in. There are three kinds of factors: something you know (a password), something you have (a physical item, such as a bank card, your phone or a hardware security key), and something you are (e.g. a fingerprint).

Usually you use only one factor when logging in: something you know (a password). It has become increasingly popular to use an app on your mobile phone that generates codes, so that the phone becomes a second factor (something you have). When you log in, you enter your password and also a six-digit code that your phone has generated. The code is derived from a secret key shared between the app and the site and from the current time, and it changes every 30 seconds, so a code an attacker manages to capture is useless shortly afterwards.

We recommend that you add 2FA to your website. If you run WordPress or Joomla, it is easy to get started: for WordPress you can install the Google Authenticator plugin, and Joomla has 2FA built in.

Then you need an app on your phone that generates the codes. Even though the WordPress plugin mentioned above is called Google Authenticator, you do not have to use the app of the same name. You can use e.g. Microsoft Authenticator or any other app you like, as long as it supports the same standard (time-based one-time passwords, TOTP, as defined in RFC 6238). A few well-known apps:
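The six-digit codes are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226), which is why any authenticator app works with any site that follows the standard. The following Python is an added example, not code from the Google Authenticator plugin, Joomla or any of the apps listed, that generates and verifies such codes. The secret it uses is the public test key from RFC 6238, and the size of the clock-skew window is this example's own choice.

```python
import base64
import hashlib
import hmac
import struct
import time

# Public test key from RFC 6238 (ASCII "12345678901234567890"), base32-encoded
# the way authenticator apps import secrets. Never reuse it for a real account.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_secret(secret_b32):
    """Base32 secret as shown under the QR code -> raw key bytes (re-pads if the app stripped '=')."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step). This is what the app shows."""
    if at is None:
        at = time.time()
    return hotp(decode_secret(secret_b32), int(at) // step, digits)


def verify_totp(secret_b32, code, at=None, step=30, digits=6, window=1):
    """Server-side check. Accepts the current step and +/- `window` neighbouring steps
    to tolerate clock skew (window=1 is this example's choice), compares in constant
    time, and checks every candidate so timing does not reveal which one matched."""
    if at is None:
        at = time.time()
    code = code.strip()
    ok = False
    for skew in range(-window, window + 1):
        expected = totp(secret_b32, at + skew * step, step, digits)
        ok |= hmac.compare_digest(expected, code)
    return ok


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC6238_TEST_SECRET, now),
          "(valid for another", 30 - now % 30, "s)")
```

Two things a real login form must add on top of this: remember the last time step for which a code was accepted and refuse the same step again (otherwise a captured code can be replayed within its 30 seconds), and rate-limit attempts, since six digits over a three-step window leave roughly one chance in 333,000 per guess.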

iOS apps
Authy
Google Authenticator
LastPass Authenticator

Android apps
Authy
Google Authenticator
LastPass Authenticator

Further reading

If you want to know more about hardening your website, the documentation for the most popular CMSs is extensive. You will find a few starting points here:
