How to secure your website!
When a person owns a shop, they make sure to lock everything up when the day is done. For particularly valuable products, special roller shutters are sometimes lowered and alarm systems are activated. And even during opening hours, there are numerous ways to protect goods from unauthorized access. And online?
Of course, your website deserves the same kind of security measures! In this blog post, we explain what you need to pay attention to so that your company’s online presence is well protected. Behind a website, there is usually a content management system (CMS) that allows the admin to access the website.
Use complex passwords
With a CMS you can edit both the frontend (the part of the website that is visible to visitors) and the backend (the behind-the-scenes technology and data). But the admin has to log in first. For this CMS login, an admin should choose a password that hackers cannot crack easily – just like you would for all other online activities. Here, we explain how you can create complex passwords and manage them securely:
Strong passwords contain variety
As a first step, passwords should be at least (!) 8 characters long and should always contain a mixture of uppercase and lowercase letters, numbers and special characters. The German Federal Office for Information Security (BSI) advises forming a personal sentence (for example: “I prefer to eat pizza with four ingredients and extra cheese”) and deriving from it a combination of letters and numbers that you can remember (in this case, for example: “IptePw4i+eC”).
But that doesn’t solve the problem that you need many more than just one password for the many accounts that you use every day.
You could now add an abbreviation to the end of the password for each account that represents the kind of account that it is (for example, WP for a WordPress website and GM for a Gmail account). But is it possible to remember them all? More than likely, not. Some people write their passwords down in a text document or Excel spreadsheet. Not only is this cumbersome, but it is also still not secure.
Our recommendation is, therefore: Use password managers!
Password managers help you to remember
Password managers work like encrypted digital notebooks. They generate secure passwords and store them either locally, on the respective device, or in a cloud located on the servers of the provider. The advantage of using a cloud-based solution is that you can use the password manager on multiple devices – because all data is synchronized automatically and at all times.
There are various apps and software programs that allow you to organize your passwords securely. We, at codafish, prefer to work with Zoho Vault because this password storage is very easy to work with and contains a host of comprehensive functions.
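What "generating a secure password" means in practice, as an added example (it is not code from this post or from any password manager product). It checks the requirements listed above and draws random passwords that meet them; the names `policy_gaps` and `generate_password`, the set of special characters and the default length of 20 are assumptions made for the illustration.

```python
import secrets
import string

# Assumed set of special characters; real password managers let you configure this.
SPECIALS = "!#$%&()*+,-./:;<=>?@[]^_{}~"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def policy_gaps(password: str, min_length: int = 8) -> list:
    """Return the requirements from the text that `password` misses."""
    checks = {
        "length": len(password) >= min_length,
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(not c.isalnum() for c in password),
    }
    return [name for name, ok in checks.items() if not ok]


def generate_password(length: int = 20) -> str:
    """Draw characters from the OS CSPRNG until every requirement is met."""
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_gaps(candidate):
            return candidate


if __name__ == "__main__":
    print(policy_gaps("IptePw4i+eC"))   # the sentence-based example from the text
    print(policy_gaps("password"))      # a weak password and what it lacks
    print(generate_password())          # a fresh random password
```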
A password manager needs security, too
Important: It stands to reason that a password manager itself also needs a password that grants you access. This so-called “master password” should be as long and complex as possible – as described above. In addition, for the highest possible level of security, the latest updates to the password manager app or software should always be installed.
Enable two-factor authentication (2FA)
Two-factor authentication (2FA for short) during login increases your online security. With this process, the person logging in has to overcome two hurdles (factors). Usually, the password is queried first. In the second step, either an SMS with a one-time code is sent to a smartphone, for example, or an authenticator app is needed with which you confirm the action. Biometric data such as fingerprint or facial recognition (Face-ID) are also often used for this purpose.
Plugins for two-factor authentication are available for well-known content management systems such as WordPress, Drupal or Pimcore. Alternatively, there are various so-called authenticator apps that you can use to log in to your website or the CMS that powers it.
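How the one-time codes of an authenticator app are computed and checked, as an added example (not code from this post or from any CMS plugin). It follows the public TOTP standard (RFC 6238, built on RFC 4226); the function names, the drift window of one step and the replay check via `last_counter` are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second intervals since the epoch."""
    return hotp(key, int(at) // step, digits)


def verify_totp(key: bytes, code: str, at: float, last_counter: int = -1,
                step: int = 30, window: int = 1) -> Optional[int]:
    """Return the matched counter, or None if the code is wrong or already used.

    `window` tolerates clock drift between phone and server. The caller stores
    the returned counter and passes it back as `last_counter`, so that an
    intercepted code cannot be used a second time.
    """
    now = int(at) // step
    matched = None
    for counter in range(max(now - window, 0), now + window + 1):
        same = hmac.compare_digest(hotp(key, counter).encode(), code.encode())
        if same and counter > last_counter:
            matched = counter
    return matched


if __name__ == "__main__":
    key = b"12345678901234567890"  # published RFC 6238 test secret, not a real key
    code = totp(key, at=59)
    print(code, verify_totp(key, code, at=59))
    print(verify_totp(key, code, at=59, last_counter=1))  # replayed code
```

The server and the app share the secret key once (usually via a QR code) and afterwards only the short-lived codes are typed in.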
Secure your backend, as well
The content management system allows you to work on both the frontend and backend of your website. The backend is the area of a website that is especially worth protecting. This is where the technical system is stored and the databases that feed the content of your website are also located. It, therefore, makes sense to also protect the backend – and not just by means of a secure CMS login. There are several options available:
Set up extra login through Basic Auth
To protect your backend adequately, you can secure it with a server-based password. The admin area can then only be accessed using an additional user-password combination. A well-known method for this is Basic Auth. In this way, you can protect yourself from so-called brute-force attacks (many password attempts in quick succession).
Hide the backend behind an alternative URL
You can also change the route of backend access. For WordPress pages, the backend can be reached via the suffix /wp-admin. Assign it a different URL instead: for example, replace the known route www.nameofyourwebsite.de/wp-admin with www.backend.nameofyourwebsite.de.
Allow access only via a VPN
You can also configure your backend so that only the members of a virtual private network (VPN) have access to it. A VPN is a self-contained network in which members can exchange data over an encrypted connection without being visible to others.
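The decision that the extra Basic Auth login and the VPN restriction make together before the CMS login is even reached, as an added example (not code from this post; in production the web server or firewall performs these checks). The VPN subnet, the salt, the `editor` account and all function names are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import ipaddress
from typing import Optional, Tuple

VPN_NET = ipaddress.ip_network("10.8.0.0/24")   # constructed VPN subnet
SALT = bytes.fromhex("6b1f0c9a2d4e8f70")        # constructed salt


def pw_hash(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed account; only the salted hash is stored, never the password.
USERS = {"editor": pw_hash("Constructed-Sample-Pw-1!")}
DUMMY = pw_hash("no-such-user")  # keeps the work equal for unknown user names


def basic_header(user: str, password: str) -> str:
    """Client side: Basic Auth is only base64, so it must travel over HTTPS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: str) -> Optional[Tuple[str, str]]:
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode()
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def admit(client_ip: str, auth_header: Optional[str]) -> int:
    """Return the HTTP status the admin area should answer with."""
    try:
        inside = ipaddress.ip_address(client_ip) in VPN_NET
    except ValueError:
        inside = False
    if not inside:
        return 403                      # request did not come through the VPN
    creds = parse_basic(auth_header or "")
    if creds is None:
        return 401                      # ask the browser for credentials
    user, password = creds
    ok = hmac.compare_digest(pw_hash(password), USERS.get(user, DUMMY))
    return 200 if ok and user in USERS else 401
```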
Malware is the shortened form of “malicious software”, which is harmful software that you should protect your website from. There are many anti-malware programs, often referred to as “anti-virus programs”, because the terms “malware” and “virus” are often used synonymously. But that is not quite true. Malware is actually an umbrella term for viruses and other harmful intruders (such as spyware, adware, ransomware, etc.).
Our tip: Invest in software that comprehensively protects your company against cyber attacks. So make sure that it not only detects viruses, but also spyware, adware and ransomware, and destroys or, at least, repels them. Whether this is the case, however, cannot be determined simply by the name. Some anti-malware programs use the term “anti-virus” even though they are actually designed to act against other forms of malware. So, be sure to take a good look at the product description.
Check the admin permissions
How many people in your company have access to the content management system as admins? For larger companies, it makes sense to check these access permissions regularly and to ask yourself whether you really need ten administrators. Admins have special privileges, and every intervention also carries the risk of mistakes being made. You should, therefore, not distribute the admin rights too freely.
Do the website security check
1. Do you use secure passwords or a password manager that generates complex passwords for logging in to the CMS?
2. Have you enabled two-factor authentication for all logins?
3. Have you also protected your backend with extra logins, an alternative URL for the admin area and / or access through a VPN?
4. Do you use anti-malware programs that protect your business from digital attacks by viruses and other malware?
5. Do you regularly sort out unnecessary admin permissions so that only a limited number of people have access to the sensitive backend?
If you have answered “Yes” to all of these questions, then you can sit back and relax. Any “No” or “Don’t Know” answers, on the other hand, could signify a security gap. If you want to play it safe, we would be happy to support you!
codafish ><> are your partner for secure websites
Play it safe with us! We would be happy to advise you personally on how to make your website secure and to help you to implement the measures. Would you like to learn more with no obligation? Simply fill in the contact form or call us directly: +49 30 666384800 or 00800 2632 3474