7 Easy Steps To Secure Your Website From Hackers | HostGator Blog


7 Easy Steps that Protect Your Website From Hackers

Monday, February 6, 2017 by


As a website owner, is there anything more terrifying than the thought of seeing all of your work altered or entirely wiped out by a nefarious hacker?

You’ve worked hard on your website (and your brand) – so take the time to protect it with these basic hacking protections!

In addition to regularly backing up your files (which you should already be doing, for various reasons), taking the following seven easy steps will help keep your website safe:


Step #1: Keep platforms and scripts up-to-date

One of the best things you can do to protect your website is to make sure any platforms or scripts you’ve installed are up-to-date. Because many of these tools are created as open-source software programs, their code is easily available – to both good-intentioned developers as well as malicious hackers.  Hackers can pore over this code, looking for security loopholes that allow them to take control of your website by exploiting any platform or script weaknesses.

As an example, if you’re running a website built on WordPress, both your base WordPress installation and any third-party plugins you’ve installed are potentially vulnerable to these types of attacks.  Making sure you always have the newest versions of your platform and scripts installed minimizes the risk that you’ll be hacked in this way and usually takes very little time to do.

WordPress users can check this quickly when they log in to their WordPress dashboard. Look for the update icon in the top left corner next to your site name. Click the number to access your WordPress Updates.

Check for WordPress updates


Step #2: Install security plugins, when possible

Once you’ve updated everything, further enhance your website security with plugins that actively prevent against hacking attempts.

Again, using WordPress as an example, you’ll want to look into free plugins like iThemes Security and Bulletproof Security (or similar tools that are available for websites built on other content management systems).  These products address the weaknesses that are inherent in each platform, foiling additional types of hacking attempts that could threaten your website.

Alternatively – whether you’re running a CMS-managed site or HTML pages – take a look at SiteLock.  SiteLock goes above and beyond simply closing site security loopholes by providing daily monitoring for everything from malware detection to vulnerability identification to active virus scanning and more.  If your business relies on its website, SiteLock is definitely an investment worth considering.

Note: Our Managed WordPress hosting plan has SiteLock built in, along with other features to help secure your site.

HostGator SiteLock Malware Protection


Step #3: Use HTTPS

As a consumer, you may already know to always look for the green https in your browser bar any time you’ll be providing sensitive information to a website. Most consumers know to recognize those five little letters as an important shorthand for security: they signal that it’s safe to provide financial information on that particular webpage.

PayPal SSL Certificate

If you have an online store, or if any part of your website will require visitors to hand over sensitive information like a credit card number, you have to invest in an SSL certificate. The cost to you is minimal, but the extra level of encryption it offers to your customers goes a long way to making your website more secure and trustworthy.


Step #4: Use parameterized queries

SQL injection is one of the most common attacks that websites fall victim to.

SQL injection becomes possible when you have a web form or URL parameter that lets outside users supply information. If that input is dropped straight into a database query, someone could insert SQL of their own into it and gain access to your database, which may well contain sensitive customer information like contact details or credit card numbers. Obviously that’s information it’s your duty to protect.

There are a number of steps you can take to protect your website from SQL injection; one of the most important and easiest to implement is the use of parameterized queries. A parameterized query keeps the SQL statement separate from the values a user supplies, so the database treats that input strictly as data and there’s no room for a hacker to alter the query.
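
The difference in practice, as an added example that is not from the original post: a string-built lookup beside its parameterized form, run against a constructed in-memory SQLite table (the table, rows and function names are mine).

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory customer table, not real records.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222"),
         ("o'brien@example.com", "3333")],
    )
    return conn

def find_customer_unsafe(conn: sqlite3.Connection, email: str) -> list:
    # Vulnerable form: the user-supplied value is pasted into the SQL text,
    # so a quote character in the input rewrites the statement itself.
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()

def find_customer_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameterized form: the statement is fixed and the value is bound to the
    # '?' placeholder by the driver, so the input is only ever compared as data.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def unsafe_breaks_on(conn: sqlite3.Connection, email: str) -> bool:
    # True if the string-built query cannot even be parsed for this input.
    try:
        find_customer_unsafe(conn, email)
        return False
    except sqlite3.Error:
        return True

if __name__ == "__main__":
    db = make_db()
    # A legitimate address with an apostrophe: the unsafe query errors out,
    # the parameterized one finds the customer.
    print(unsafe_breaks_on(db, "o'brien@example.com"), find_customer_safe(db, "o'brien@example.com"))
    # Input that closes the quote and appends an always-true condition: the
    # unsafe query returns every row, the parameterized one returns none.
    crafted = "x' OR '1'='1"
    print(len(find_customer_unsafe(db, crafted)), len(find_customer_safe(db, crafted)))
```

Note that the parameterized version also copes with perfectly legitimate input (an apostrophe in a name) that the string-built version chokes on, so it is a correctness fix as well as a security fix.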


Step #5: Use CSP

Similar to SQL injection, cross-site scripting (XSS) attacks are another common foe site owners have to be on the lookout for. They occur when hackers find a way to slip malicious JavaScript code onto your pages, and that code then runs in the browser of every visitor who loads the affected page.

Part of the fight to protect your site from XSS attacks is similar to the parameterized queries you use against SQL injection. You should make sure any code you use on your website for functions or fields that allow input is as explicit as possible about what’s allowed, so you’re not leaving room for anything to slip in.

Another handy tool you have to protect yourself from XSS is Content Security Policy (CSP). CSP allows you to specify the domains a browser should consider valid sources of executable scripts when on your page, so the browser knows to ignore any script that doesn’t come from an allowed source, even if an attacker manages to inject one into the page.

Using CSP is simply a matter of adding the proper HTTP header to your webpage that provides a string of directives telling the browser which domains are OK and any exceptions to the rule.  You can find details on how to craft CSP headers for your website provided by Mozilla here.
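
To make the "string of directives" concrete, here is an added example (not from the original post) that builds a `Content-Security-Policy` header value from a list of script hosts and audits an existing one for the settings that quietly cancel its XSS protection. The directive names and keywords are standard CSP; the function names, checks and sample hosts are my own assumptions.

```python
from typing import Dict, List

# Source keywords that undo the point of CSP for scripts.
WEAK_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'")

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def build_csp(script_hosts: List[str]) -> str:
    """Header value allowing scripts only from the page's own origin plus the
    given hosts (assumed to be hosts you control, such as your own CDN)."""
    script_src = " ".join(["'self'"] + list(script_hosts))
    return f"default-src 'self'; script-src {script_src}; object-src 'none'"

def audit_csp(header: str) -> List[str]:
    """Return findings that weaken the XSS protection the post describes."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("missing default-src: resource types you forgot to list are unrestricted")
    # script-src governs scripts; if absent, the browser falls back to default-src.
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("no script-src or default-src: any script source is allowed")
        return findings
    for kw in WEAK_KEYWORDS:
        if kw in scripts:
            findings.append(f"script sources include {kw}: injected scripts can still run")
    for src in scripts:
        # '*' or a bare scheme like 'https:' means "any host", not just your domains.
        if src == "*" or src.endswith(":"):
            findings.append(f"script source {src!r} allows any host")
    return findings

if __name__ == "__main__":
    print(build_csp(["https://cdn.example.com"]))
    print(audit_csp("script-src 'self' 'unsafe-inline' https:"))
```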


Step #6: Make sure your passwords are secure

This one seems simple, but it’s so important.

It’s tempting to go with a password you know will always be easy for you to remember. That’s why the #1 most common password is still 123456. You have to do better than that – a lot better than that.

Make the effort to figure out a truly secure password (or use HostGator’s password generator). Make it long. Use a mix of special characters, numbers, and letters. And steer clear of potentially easy-to-guess keywords like your birthday or kid’s name. If a hacker somehow gains access to other information about you, they’ll know to guess those first.

Password Generator

And make sure everyone who has access to your website has similarly secure passwords. Institute requirements in terms of length and the type of characters that people are required to use so they have to get more creative than going with the standard, easy passwords they turn to for less secure accounts.

One weak password within your team can make your whole website more vulnerable, so set expectations with everyone who has access and hold yourself to the same high standard.


Step #7: Lock down your directory and file permissions

Now, for this final technique, we’re going to get a little technical – but stick with me for a moment…

All websites can be boiled down to a series of files and folders that are stored on your web hosting account.  Besides containing all of the scripts and data needed to make your website work, each of these files and folders is assigned a set of permissions that controls who can read, write, and execute any given file or folder, depending on which user they are or which group they belong to.

On the Linux operating system, permissions are viewable as a three-digit code where each digit is an integer between 0 and 7.  The first digit represents permissions for the owner of the file, the second digit represents permissions for anyone assigned to the group that owns the file, and the third digit represents permissions for everyone else.  The values work as follows:

  • 4 equals Read
  • 2 equals Write
  • 1 equals Execute
  • 0 equals no permissions for that user

As an example, take the permission code “644.”  In this case, a “6” (or “4+2”) in the first position gives the file’s owner the ability to read and write the file.  The “4” in the second and third positions means that both group users and internet users at large can read the file only – protecting the file from unexpected manipulations.

So, a file with “777” (or 4+2+1 / 4+2+1 / 4+2+1) permissions would then be readable, writable, and executable by the user, the group, and everyone else in the world.

As you might expect, a file that is assigned a permission code that gives anyone on the web the ability to write and execute it is much less secure than one which has been locked down in order to reserve all rights for the owner alone.  Of course, there are valid reasons to open up access to other groups of users (anonymous FTP upload, as one example), but these instances must be carefully considered in order to avoid creating a security risk.

For this reason, a good rule of thumb is to set your permissions as follows:

  • Folders and directories = 755
  • Individual files = 644

To set your file permissions, log in to your cPanel’s File Manager or connect to your server via FTP.  Once inside, you’ll see a list of your existing file permissions (as in the following example generated using the Filezilla FTP program):

chmod 1

The final column in this example displays the folder and file permissions currently assigned to the website’s content.  To change these permissions in Filezilla, simply right click the folder or file in question and select the “File permissions” option.  Doing so will launch a screen that allows you to assign different permissions using a series of checkboxes:

chmod 2

Although your web host’s or FTP program’s backend might look slightly different, the basic process for changing permissions remains the same.  If you have any questions about modifying your folder and file permissions, please see this helpful link.  Don’t put off taking this important step – securing your site using all of these different strategies is a big part of keeping your site healthy and safe in the long run!
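
If you have shell access alongside FTP, the same check can be automated. The following is an added example, not HostGator's or FileZilla's code: it renders an octal mode as the rwx triplets the FTP dialog shows, then walks a web root reporting every entry that departs from the 644/755 rule of thumb, flagging world-writable ones. The sample site it builds in a temporary directory is constructed for the demo.

```python
import os
import stat
import tempfile

FILE_MODE = 0o644  # rw-r--r--: the post's rule of thumb for files
DIR_MODE = 0o755   # rwxr-xr-x: the post's rule of thumb for folders

def describe(mode: int) -> str:
    """Render an octal mode (0o644) as the rwx triplets an FTP client shows."""
    out = ""
    for shift in (6, 3, 0):           # owner, group, everyone else
        digit = (mode >> shift) & 0o7
        out += ("r" if digit & 4 else "-") + ("w" if digit & 2 else "-") + ("x" if digit & 1 else "-")
    return out

def audit_tree(root: str) -> dict:
    """Map each entry below root whose mode departs from 644/755 to
    (current, expected, world_writable). Symlinks are skipped so the audit
    never follows them outside the tree."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            expected = DIR_MODE if os.path.isdir(path) else FILE_MODE
            if mode != expected:
                rel = os.path.relpath(path, root)
                findings[rel] = (describe(mode), describe(expected), bool(mode & stat.S_IWOTH))
    return findings

def make_sample_site() -> str:
    """Constructed sample web root (not a real site): two entries are fine,
    two are opened up the way a careless 'fix' often leaves them."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "uploads"))
    for rel, mode in (("index.php", 0o644), ("config.php", 0o666),
                      ("uploads", 0o777), ("uploads/avatar.jpg", 0o644)):
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            with open(path, "w") as f:
                f.write("sample\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, (cur, want, ww) in sorted(audit_tree(make_sample_site()).items()):
        print(f"{rel}: {cur} (want {want}){' WORLD-WRITABLE' if ww else ''}")
```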

At HostGator, we have created a set of custom mod security rules to aid in the protection of your website. If you’re looking for a new hosting provider, you can click here to sign up for a great deal. For new accounts, we’ll even transfer you for free! After you’ve created an account, you just need to fill out the form here.

Kristen Hicks is an Austin-based freelance content writer and lifelong learner with an ongoing curiosity to learn new things. She uses that curiosity, combined with her experience as a freelance business owner, to write about subjects valuable to small business owners on the HostGator blog. You can find her on Twitter at @atxcopywriter.
19 Comments
  • HostGator
    19 March 2013 at 12:06 pm

    By default all files and folders should be owned by your cPanel username and a group of the same name with only you assigned to that group. Given that circumstance, 644 for files and 755 for folders is ideal.

  • alnnasr
    19 March 2013 at 12:46 pm

    thanks bro

  • nexxterra
    19 March 2013 at 2:29 pm

    UMMM…. what about the obvious, always back up your site!

    • TaiwanFriendFinder
      12 April 2013 at 8:36 am

      which one are you using? Dropbox?

  • Cheap Vps UK
    21 March 2013 at 6:08 am

    Nice stuff, you’re right… website planners must ensure their scripts are very well planned and tested, especially those parts that deal with private information. In many countries there are now legal requirements to ensure the privacy of medical and financial records.

  • Lorenzo Orlando Caum
    26 March 2013 at 9:22 am

    Limit Login Attempts will temporarily lock out IP Addresses that make several failed attempts to get into your WordPress admin. Also be sure to keep your computer and browser up to date!

  • Krzysztof
    27 March 2013 at 9:24 am

    Thanks for the educational post

  • ramiszaro
    3 April 2013 at 5:55 am

    Thanks for the post, this was awesome, going to help me in further instructions.

  • Palak Bhalala
    13 April 2013 at 2:04 am

    I have 0700 for .cpanel and other default directories, for public_html and public_ftp I have 0750. I think it’s fair enough. Is it?

  • Nashua Indigo
    24 May 2013 at 5:11 pm

    WP Better Security can destroy your website if you don’t configure it in a good way; stay away from options like file detection and IP blocks

    • Mitesh Ganatra
      1 September 2013 at 10:07 pm

      Yes, it’s true. “BulletProof” is not a bad choice either.

  • Honey Abdikarim
    4 August 2013 at 5:41 am

    how can I clean a SQL injection showing in Google, Bing and Yahoo? My website has been hacked but I have scanned and cleaned all WordPress files. Any help to clean the problem showing in these networks? How to clean up the CMS SQL Injection Vulnerability?

    please help me to clear this problem
    Regards,

  • b2sstores
    22 August 2013 at 4:35 am

    Thanks for sharing such wonderful information, really appreciate it. My site was hacked, now I know how to protect it.
    Thanks again!

  • Mitesh Ganatra
    1 September 2013 at 9:55 pm

    The best explanation I ever came across. File Permission is something that I was not aware much but now I am. Thanks a lot.

    Most common causes for a hosting account to become hacked, or otherwise compromised. If you use WordPress, Drupal, Joomla or any other PHP-script, database-driven CMS then it is vitally important that you keep these scripts up-to-date. Failure to do so is literally an open door inviting hackers to gain access to your account. Updating these scripts is as simple as logging into the back-end and clicking on any “update” notification that appears therein.

  • Zain
    17 February 2017 at 11:31 pm

    Nice stuff HostGator, you’re right… website planners must ensure their scripts are very well planned & tested, especially those parts that deal with private information.

  • Olumide Bola
    2 March 2017 at 7:26 am

    Thanks for your explanation. How do you prevent someone from downloading files directly from folder through the browser after submitting the file’s folder in the browser address bar? Files like some pictures, ebook etc are supposed to be downloadable through a special downloading link provided and not directly from the folder.

  • steve
    2 March 2017 at 8:17 am

    good article… have done all this but if a hacker gets into your “root” via a bad proxy or unsecured socket layer… then ALL your sites will be hacked via cPanel WHM or DDS attacks (just went through this). HG will help you to a point but when it comes to securing your reseller account or VPS or dedicated server? you’re on your own… and the learning curve is HIGH! Now, more than ever you need to hire an expert in securing your sites…
    I’m 25 years in the business… and still trust the untrusted, now Cloudflare… who recently got hacked, 4.5M sites…
    I was one of the unlucky ones… 200 clients of mine were hacked… now 30 days later… all good… God Bless HostGator… my trusted host for over 14 years…

  • Magentomgmt
    28 March 2017 at 4:21 am

    Install SSL, have a backup, keep updated, use CSP injection, maintain multilayer security.
