It is all too easy to put a website online, get caught up in the day-to-day running of the website, and forget about maintenance. Unfortunately, when running a self-hosted website, your maintenance job never really ends. If you ignore software updates and other security and maintenance tasks, you may find your site compromised; you could be unwittingly hosting thousands of spam pages, infecting your visitors with malicious software, flagged with a warning in Google, or left with your entire site deleted.
In order to prevent security breaches, website hijacking, and spamming, it is very important that you or your website manager maintain an attitude of preventative security. While some security hardening should be done during a site’s initial setup, it is just as important to stay continuously vigilant and aware of what is happening on your website and server.
Your regular security routine should include (but not be limited to):
- Off-server backups of your website files and databases (weekly, monthly, or quarterly, depending on how static your content is)
- Installing updates for the software packages running on your website (it’s best to do this at least monthly, immediately after a backup)
- Checking your search engine results pages (SERPs) for unknown or suspicious-looking URLs (you may find hidden spam content)
- Checking your website file system for unknown directories or files
- Checking your website’s source code for unknown or hidden content
- Changing your FTP and web hosting administrator passwords at least every 6 months
- Checking your website’s status in webmaster tools through Google, Yahoo, and Bing
In addition to a good security routine, it is also important to have a few bases covered ahead of time; I recommend everyone read Dr. Neal Krawetz’s “Better Than Nothing Security” blog post series, found on his Hacker Factor Blog. In this series, Neal provides very practical and easy-to-implement security ideas for all webmasters. Neal is a local Fort Collins computer security expert, and his blog is a great resource.
A few additional tips for good security:
- Whenever possible, use trusted networks when connecting to your web server or logging in to manage your website – coffee shop wi-fi is off limits!
- If you are not on a trusted network (or even if you are), use SFTP to connect to your web server, and make sure you are using an encrypted (HTTPS) connection when logging in to any type of website control panel (hosting, WordPress, etc.).
By performing some initial security hardening, sticking to a regular security routine, and using good website management security practices, you can rest easy knowing that your website is very unlikely to be hacked or hijacked, and in the event that it is, you have a recent backup ready to restore.
Do you have additional security tips and resources for webmasters? Please let us know about them in the comments!