How do you prevent your website/blog from being hacked? Here we offer the best advice for website owners and bloggers who wish to protect their websites from hackers.
When a hacker plants malware or a virus on your website, you will have a hard time removing it, and you will eventually lose credibility with your readers. Malware can kill your business, especially if it’s a blog.
Before your website is hacked, we shall advise you on the best way to protect it from online wolves.
Don’t open attachments sent by email unless you know the sender
When you have a business email, be careful not to open attachments from senders you don’t know. If the attachment is not a PDF, JPEG, PNG, Excel or Word file, please don’t open it.
The worst attachments are those that come in HTML. If you identify such an attachment, delete the email immediately.
Sign up for CloudFlare
CloudFlare is one of the few companies that have helped website owners to keep malware at bay. CloudFlare ensures that robots and bad traffic directed to your website are blocked.
Avoid using shared website hosting
Shared website hosting can sometimes work against you. Some companies don’t protect website owners. In most cases, if one website under a shared hosting plan is infected, the virus spreads to other websites.
Many website owners are normally advised to use Virtual Private Servers, Dedicated Servers and WordPress Managed Hosting companies.
If you have a WordPress site, you can host at Kinsta, Siteground, Pagely or iPage. You can also host at Google or Amazon.
Stop using many Plugins
Plugins are useful but you have to stop using too many of them. Some plugins, though tested, are vulnerable to hackers. If possible, use the most essential plugins only; I suggest you use not more than 5 plugins.
The more plugins you use, the more you give hackers a chance to put malware into your website.
Use a strong password
Another easy way of preventing hackers from getting access to your website is by using a strong password. If possible, don’t use English words as your password; they are easy to guess.
Don’t share your password
You should be warned that when you share your password, you expose your website to the entire world.
You should also change your password regularly; we suggest you change it every two weeks or one month.
Install anti malware software
Another way of preventing hackers from injecting malware into your website is to install anti-malware software from major companies like SiteGuarding and CloudFlare.
Use HTTPS
In order to protect user data and website integrity, HTTPS is becoming increasingly widespread. At the dawn of the century, HTTPS sites were mostly limited to those that dealt with payment transactions and the transmission of other sensitive information. But in 2014, Google announced its HTTPS Everywhere initiative. The goal was to stimulate a wider adoption of HTTPS to authenticate a wider range of websites, while simultaneously highlighting the significance of website security.
According to Google, there are three main reasons why you should always protect your sites with HTTPS.
- Intruders both malignant and benign exploit every unprotected resource between your websites and users.
- Many intruders look at aggregate behaviours to identify your users.
- HTTPS doesn’t just block misuse of your website. It’s also a requirement for many cutting-edge features and an enabling technology for app-like capabilities such as service workers.
Use Premium WordPress Theme
Free WordPress themes are extremely vulnerable to hackers. If you have a viral website or a company site, buy a WordPress theme that has been designed to offer maximum content protection.
Prevent file uploads
Another important thing to do is to prevent file uploads from readers. In the comment section you have to approve a reader’s comment before it’s seen by other readers. Some hackers normally attach malware in the comment section such that if one of the readers clicks on the link, your website gets exposed.
Error messages
Be careful with how much information you give away in your error messages. Provide only minimal errors to your users, to ensure they don’t leak secrets present on your server (e.g. API keys or database passwords). Don’t provide full exception details either, as these can make complex attacks like SQL injection far easier. Keep detailed errors in your server logs, and show users only the information they need.
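The split described above, as an added example that is not part of the original article: full details go to the server log under a random reference ID, and the visitor sees only a generic message with that ID. The function names and the failing query message are constructed for illustration.

```php
<?php
// Added example; the failing function and its message are constructed.
ini_set('display_errors', '0');   // never render PHP errors into the page
ini_set('log_errors', '1');       // keep them in the server log instead

// Log full details server-side; return only a generic message plus a
// reference ID the visitor can quote to support.
function renderSafeError(Throwable $e): string
{
    $ref = bin2hex(random_bytes(8));
    error_log(sprintf('[ref %s] %s: %s in %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        http_response_code(500);
    }
    return "Something went wrong on our side. Reference: $ref";
}

// Catch anything the application did not handle itself.
set_exception_handler(function (Throwable $e): void {
    echo renderSafeError($e), "\n";
});

// Constructed failure whose message carries details a visitor must not see
// (database user name and internal host address).
function loadPosts(): array
{
    throw new RuntimeException(
        "SQLSTATE[HY000] [1045] Access denied for user 'blog_rw'@'10.0.0.5'"
    );
}

loadPosts();
```

The reference ID lets you find the matching log entry when a user reports the error, without the page itself revealing anything about the server.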
Keep the website’s software updated
If you are using WordPress or any other CMS, make sure you regularly update the software. If you are using plugins, make sure you use the latest version.
SQL injection
SQL injection attacks are when an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you use standard Transact SQL it is easy to unknowingly insert rogue code into your query that could be used to change tables, get information and delete data. You can easily prevent this by always using parameterised queries. Most web languages have this feature and it is easy to implement.
Consider this query:
"SELECT * FROM table WHERE column = '" + parameter + "';"
If an attacker changed the URL parameter to pass in ' OR '1'='1 this will cause the query to look like this:
"SELECT * FROM table WHERE column = '' OR '1'='1';"
Since '1' is equal to '1' this will allow the attacker to add an additional query to the end of the SQL statement which will also be executed.
You could fix this query by explicitly parameterising it. For example, if you’re using PDO in PHP this should become:
// The SQL text is fixed; $parameter is sent separately and bound to :value as data.
$stmt = $pdo->prepare('SELECT * FROM table WHERE column = :value');
$stmt->execute(array('value' => $parameter));
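The two queries above side by side, as an added example that is not part of the original article. It assumes the pdo_sqlite extension and uses a constructed posts table in an in-memory database; the table, column and function names are hypothetical. With the input shown in the text, the concatenated query matches every row while the prepared statement matches none.

```php
<?php
// Added example: constructed data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, title TEXT)');
$pdo->exec("INSERT INTO posts (author, title) VALUES
    ('alice', 'Public post'), ('bob', 'Draft'), ('carol', 'Private note')");

// Vulnerable form from the text: the parameter becomes part of the SQL itself.
function findByAuthorConcat(PDO $pdo, string $author): array
{
    $sql = "SELECT id, author, title FROM posts WHERE author = '" . $author . "';";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterised form: the SQL text never changes, the value is bound as data.
function findByAuthorPrepared(PDO $pdo, string $author): array
{
    $stmt = $pdo->prepare('SELECT id, author, title FROM posts WHERE author = :value');
    $stmt->execute(['value' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// One ordinary input and the input quoted in the text above.
$inputs = ['alice', "' OR '1'='1"];
foreach ($inputs as $input) {
    printf(
        "input %-16s concatenated: %d row(s)   prepared: %d row(s)\n",
        json_encode($input),
        count(findByAuthorConcat($pdo, $input)),
        count(findByAuthorPrepared($pdo, $input))
    );
}
```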
Sign up for Google Search Console
You also need to sign up for Google Search Console so that if someone injects bad code, Google will alert you.