Website Security: Protect Yourself at all Times


I have carried out security fixes and patching for some of the highest turnover businesses online today, fixed countless compromised websites and even secured a WordPress website (one of the most hacked platforms) for the UKMOD.

Website Security is about balancing/mitigating risk. I take my web design projects seriously. I ensure they are built in a manner that accounts for the type of risks a client will be exposed to. This article has been built around the common mistakes I look out for.

If you are a business owner please ensure you never take security lightly. The damage that can be done once someone is on the inside of your website or server can be devastating.

I am currently in the process of making a product that reviews a website’s security, as part of an overall website health check. If you suspect your website is open to risk feel free to contact me. I won’t charge you for looking at it, a couple of quick tests could indicate if you’re open to attack.


Website Security Checklist – Tips on keeping your website safe

1. User Error

Research any articles on hacking and security and you will soon learn that “human” error is the number one area of security that gets exploited.

This happens for a few reasons:

  • Lack of Knowledge – No one expects a normal person to know about security in depth. There is, however, a concerning gap in knowledge in this area when it comes to things like password choices or how those passwords are stored.
  • Memory – Most passwords are too short, too obvious and if they get a little more complex you find people start to write them down, in their phones, or on post-it notes. This allows others to gain access to their websites through routes that may not even have been considered risks.
  • Bad Choices – A lot of passwords follow trends: nicknames, family names, kids' birthdays, football terms and 123, or the various combos you see all the time. Most sites can be accessed with very little effort because passwords are selected from common words or numbers that relate to the user.
  • Updates on Hold – Are you one of those people who put off updates for your virus scanner, or for the software on your computer? We are all busy and it’s easy to overlook updates, as it can feel like we are endlessly stuck in a loop updating the various tools we use. The updates are needed, though, to “patch” issues that have been discovered. If you don’t update then you have just left the door open to your website or computer.
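As an added example (not code from the original post), here is a Python check for the kinds of weak choices listed above: too short, a common word, a personal word an attacker could learn from a social profile, a birth year, or a keyboard run. The common-password set and the context words are constructed sample data; a real deployment would load a breached-password list instead.

```python
import re
from datetime import date

# Constructed sample of the "trend" passwords the article describes.
# A real check would load a breached-password list instead of this handful.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "football", "liverpool"}

# Undo the usual letter-for-number swaps so "p4ssw0rd" is still caught.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Short keyboard and number runs ("123", "qwe") that people pad passwords with.
SEQUENCES = ("012", "123", "234", "345", "456", "567", "678", "789", "abc", "qwe", "asd")


def password_weaknesses(password, context_words=(), min_length=12):
    """Return the reasons a password is weak. context_words are words tied to
    the user (name, nickname, family names, football team) that an attacker
    could learn from a social profile; nothing else about the user is needed."""
    reasons = []
    lowered = password.lower()
    # Compare the raw and de-leeted forms, each with and without a trailing
    # "2019!"-style suffix, so "Summer2019!" is judged as "summer".
    variants = {lowered, lowered.translate(LEET)}
    variants |= {re.sub(r"[\d\W_]+$", "", v) for v in variants}

    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if variants & COMMON_PASSWORDS:
        reasons.append("is a common password")
    for word in context_words:
        w = word.lower()
        if len(w) >= 3 and any(w in v for v in variants):
            reasons.append(f"contains personal word '{word}'")
    # Birthdays and anniversaries usually surface as a four-digit year.
    for year in re.findall(r"(?:19|20)\d{2}", password):
        if 1940 <= int(year) <= date.today().year:
            reasons.append(f"contains a year ({year})")
            break
    if any(seq in lowered for seq in SEQUENCES):
        reasons.append("contains a sequential run")
    if re.search(r"(.)\1{2,}", lowered):
        reasons.append("repeats one character three or more times")
    return reasons
```

An empty list means none of the checks fired; a registration or password-change form can refuse the password and show the reasons back to the user.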

2. SSL and HTTPS://

In the future all websites are likely to sit on HTTPS://, a secured protocol that encrypts the traffic between your visitors and your site and is therefore better suited to protecting your website and its users from being scammed or exploited.

You might have seen an SSL certificate and not realised it; many of the most well-known brands will be on https://. One way to tell is in the web address itself. The other common way people look out for security is to see if there is a padlock present.

Clicking that padlock (most likely something you’ve not noticed you could click on until now) allows you to view “Details” about the security of the website. It should lead you to a page that looks like this:

Secure Website SSL

If you shop online or have personal details being placed on a social network or ecommerce store that does not have these in place then stop and use another store.

Hackers use a tool called a “listener” that sits between you as a user and the website’s hosting. It can read credit cards, names, passwords, and other sensitive information as it travels from your browser to the website.

HTTPS:// prevents this from happening, which is why it has become a trusted standard for online stores and payment gateways worldwide. To set up SSL/HTTPS:// you will require an SSL certificate, which you can find cheaply here: https://cheapsslsecurity.co.uk/, and also a dedicated IP address for the secured address.

Website Security Tip: Don’t allow your users to get exploited: if you take card details or sensitive information on your website, ensure that you have an SSL certificate and an HTTPS:// address.


3. Declaring How To Exploit You

I used to work a lot with the public sector. One of the best clients I ever worked for was the UKMod, not from a design or project standpoint but for what I learnt about security. This was the first time I had to pass a “Penetration Test (pen test)”, which is a scan that goes over the website and looks for ways it could be exploited.

If you have ever used a WordPress template or know people that do, you will have likely also heard the horror stories. While WordPress drives 25% of the world’s websites it is also one of the most heavily exploited services within the CMS space.

Now you might wonder, how exactly does a hacker know what version you are running?

If you asked that then you are thinking along the right lines.

Your WordPress website is a tattletale: it reports what version you are running in various locations, including the RSS feed, the WordPress header, the default post and the default plugins. To protect yourself, it is best practice to remove these “tells” from the PHP template files.

How do you know you have got them all?

Go to http://builtwith.com/ and type in your URL. Regardless of which CMS you run, if BuiltWith can tell what you’re running then hackers can too. If you run Loudon Design through BuiltWith you will notice it can’t detect what I use: http://builtwith.com/loudondesign.com

That’s not some fancy trickery; that’s me actively removing a risk from my website. I know what CMS I use, and I have no reason to advertise it if my site’s not fully up to date. This buys me additional time and gives me an extra layer of protection.

Website Security Tip: Remove the versions and CMS declaration from your website. Test with builtwith.com for free in order to see if you caught them all.


4. Admin path remaining standard

The admin path is the page you log in with to get into the CMS. Step one would be getting this page at a minimum behind https:// but even if you have it there you can protect yourself further by changing the path.

Let’s take a look at what we know. These three links would be the URLs used if I had the site running Joomla, WordPress or Drupal.

  • Joomla www.loudondesign.com/administrator
  • WordPress www.loudondesign.com/wp-admin
  • Drupal www.loudondesign.com/?q=admin

Knowing where the admin is located gives yet another tell towards which system you are using.

Website Security wp-admin

www.loudondesign.com/wp-admin is the path my website was built with; however, I manually moved it to increase the security of the website.

www.loudondesign.com/192168001 offers a lot more security in this regard (not the path I actually use). If you set this page up not to be crawled by Google and have it sitting on a memorable phrase or number you will cut down attempts at breaching your website.

I remember watching a documentary on car theft. The ex-criminal stated that they would steal cars that had the wheels aligned parallel to the kerb rather than the cars that had the wheels turned in towards the kerb. That might not be obvious to people like you and me who do not make a business of stealing cars, but to them it was simple.

When you steal things, you want to go for the easy target. Anything you can do to make it a little harder protects you by a huge amount more than leaving everything as default.

Website Security Tip: Move your admin URL, and set up your robots.txt/meta tags to prevent search engines from indexing the new path.
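As an added example (not code from the original post), here is a Python self-check for sections 3 and 4: it scans a page’s own HTML and RSS feed for the tells described above, the generator meta tag, the feed’s generator element, `?ver=` query strings on scripts and styles, WordPress asset paths, and links to the standard admin paths. The sample page and feed are constructed, and `/wp-login.php` is added to the admin-path list on the assumption it is still the standard WordPress login script.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Admin paths from the article (Joomla, WordPress, Drupal) plus the WordPress
# login script; any link to these on a public page tells a visitor the CMS.
ADMIN_PATHS = ("/administrator", "/wp-admin", "/wp-login.php", "?q=admin")


class TellFinder(HTMLParser):
    """Collect the CMS and version disclosures a page makes about itself."""

    def __init__(self):
        super().__init__()
        self.tells = []  # (kind, evidence) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.tells.append(("generator-meta", a.get("content") or ""))
        target = a.get("src") or a.get("href")
        if not target:
            return
        parts = urlsplit(target)
        if "ver" in parse_qs(parts.query):          # style.css?ver=4.9.8
            self.tells.append(("asset-version", target))
        if "/wp-content/" in parts.path or "/wp-includes/" in parts.path:
            self.tells.append(("wordpress-path", parts.path))
        if any(p in target for p in ADMIN_PATHS):
            self.tells.append(("admin-path", target))


def find_tells(html, feed_xml=""):
    """Scan a page (and optionally its RSS feed) for version and CMS tells."""
    finder = TellFinder()
    finder.feed(html)
    # WordPress feeds advertise the version in <generator>https://wordpress.org/?v=...</generator>.
    feed_gen = re.findall(r"<generator>\s*(.*?)\s*</generator>", feed_xml, re.S)
    return finder.tells + [("feed-generator", g) for g in feed_gen]


# Constructed sample page and feed, not captured from any real site.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.9.8">
<link rel="stylesheet" href="/wp-content/themes/example/style.css?ver=4.9.8">
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body><a href="/wp-admin/">Log in</a></body></html>"""
SAMPLE_FEED = "<rss><channel><generator>https://wordpress.org/?v=4.9.8</generator></channel></rss>"
```

Run it against your own page source and feed until it returns an empty list. Note that a Disallow line in robots.txt is itself public and names the very path you moved, so a noindex meta tag or X-Robots-Tag header on the login page discloses less.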


5. Admin accounts name

How many admin accounts do you think are called admin or [email protected]? I don’t know the numbers, however, this is how the majority of CMS systems are configured.

This is where the security risk comes in. If I know your username I am already way ahead of the game when it comes to getting into your website, and if I get into your email I can reset your password with just the username. So what you want to do is use a random email address, not [email protected], and then delete “admin” as a user from the backend of the CMS.

You can change it to something more complex for example: admin-192168001 if you wanted, but never leave this as default.

Website Security Tip: Don’t leave your admin username as admin, do not use your company email [email protected] as your admin account, or your own business email. These details are too easy to get hold of. Better to make it different so that it’s harder to guess or obtain.


6. Don’t Disable, Delete

Most agencies, freelancers and amateur web designers make the mistake of disabling rather than deleting. WordPress comes with some default plugins already sitting ready to be used. If you do not use a plugin then remove it.

Why remove the plugins if not in use?

This was pretty surprising when I first saw it, but disabled plugins still have PHP files that can be visited on the server. They reveal the version of your website and can be used as a back door to get into the admin area of the website.

Website Security Tip: If you have something disabled you don’t think about it, however even these disabled plugins need to be fully up to date. It’s easy to add plugins so get into the habit of removing rather than disabling things.


7. Plugins that help with Website Security

The best plugin I have come across for security on WordPress is one called “Wordfence”. It will alert you to risks, and notify you by email when your website or the plugins you use are out of date.

Website Security Wordfence

It can feel like a pain to keep your website fully updated, but coming back from a hacked website is a much bigger headache. It only takes a few minutes a week and you just have to log in and click “update” next to the plugins it tells you.

Website Security Tip: Install Wordfence into your WordPress website, it will save you having to check things manually and will make keeping yourself safe a lot easier.


8. No firewall

Servers are just like big hard drives: they come in various flavours, some with amazing security, some with the bare bones to keep them cheap. Your website needs a firewall to protect it from attack. Things like DDoS attacks can cost businesses a lot of money. Having your website set up with a firewall and a larger caching network (a CDN) will allow you to better mitigate those types of risk.


Web Security Conclusion

Security is a big deal. While I have tried to keep this article down to earth, the risks of not having your website secured could cost you your full website, or irreparably damage trust with your customers. Most of the nine points listed above can be done for free as a DIY job, or you can hire someone like myself to make the changes for you.

I would personally rather be helping prevent attacks on your website than rebuilding the website from the damaged remains of an exploited one. If you are unsure whether your website is secure or not I would be happy to run a few tests for you. I won’t charge you for doing this. It just bothers me to see people getting hacked when it was preventable.

If you would like a more in-depth scan and reports you might be interested in a new Website Health Check service I am offering.