There's been a lot happening in the news recently about stolen passwords, breaking into sites, and other illicit activity. It's important to understand that it's not if you get targeted, it's when. Unfortunately, this is the simple truth of living and doing business in the Internet age. While you may not be able to stop every attempt, it is possible to protect your Web site with some simple steps and easy-to-install software.
STRONG PASSWORDS SAVE LIVES
Perhaps not literally, but when it comes to strong passwords, it can be your business' reputation that is on the line. Passwords are your first line of defense and there are plenty of how-to articles available to help you make better passwords. A recent favorite of ours was published in August 2014 by the online edition of Wired Magazine: "Follow These 4 Easy Steps to Toughen Up Your Passwords". The best tip is to use a password manager. We love LastPass, but there are many options available, so choose whichever you find the easiest to use. A good password manager will have, at a bare minimum, a password generator and will store passwords encrypted as an added layer of defense should the password manager service somehow be breached.
The benefit of a password manager is that it makes it nearly impossible to break the cardinal rule: never use the same password on multiple sites. Since you can generate each password using the password manager, you can generate longer, stronger passwords and let the software do the work and keep track of your login information for you.
PROTECT YOUR KEY MAN
And by "key man", I mean your Web site. Most Web sites are run on some sort of content management system, usually Joomla or WordPress. Because Web sites are almost all running the same content management software, they frequently have the same vulnerabilities. They also have administrative functions that need to be protected. Thankfully, extensions are available for both Joomla and WordPress (the WordPress community refers to them as "plugins"), some of which are free, to protect your Web site further.
- Brute Force Stop (Free)
- Encrypt Configuration (Free)
- Akeeba Admin Tools (Paid, free version available with limited features)
- RSFirewall! (Paid)
These four extensions (all for Joomla) each offer some form of protection. The first two, both free, protect against some of the most primitive attack vectors. Encrypt Configuration should absolutely be installed on any Joomla site that isn't running over HTTP Secure (HTTPS/SSL). That said, you should consider making the necessary investment in running your site over HTTP Secure, even if you don't plan on hosting any kind of online ecommerce in the near future. You can get an SSL certificate for around $50 per year, so the cost is minimal - just talk with your Web team about getting it ordered and installed. Google recently started boosting the page rankings of sites which implement HTTPS, so it's in your favor and gives your SEO a little boost as well.
BACKUP EARLY AND OFTEN
As I mentioned earlier, it's only a matter of time before your site is targeted and breached. It's important to have regular backups made and stored somewhere (not on the same server as the Web site itself). There are some utilities which can perform this task for you, then upload the clean snapshot of your site to a cloud service such as Dropbox or Google Drive. Akeeba Backup (Joomla) and BackupBuddy (WordPress) are two that we have used in the past and are relatively easy for anyone to set up and use.
These are just a few steps anyone with a Web site and some basic knowledge of how to manage it can take toward protecting their best online marketing tool. There are many others which your hosting provider probably takes care of that you don't even know about (and don't necessarily want to). If you're unsure about any of the options I've discussed, get your Web team involved (if you don't have a Web team, send us an email). It's why you hired them and it's in their interest and yours to make sure the site is protected.