We’ve put together some security tips that although are pretty basic are surprisingly not always followed. Like placing an alarm or CCTV on your family home, your less likely of a target compared to the house with no security, so taking the first steps to secure your website is essential.
1) Default Logins
So many times we’ve worked on projects that use “admin” as the default user, and more often than you’d believe “password” as the default login. Developers who create website projects can often lazily use these for convenience when starting to develop a project. It’s essential that the user “admin” is updated to something else, and that your password is changed to be a minimum of 8 characters, plus upper and lowercase, combined with numbers and symbols. We’d also highly recommend not to use solid words in your password. A password like this will significantly reduce your risk of being caught by brute force attacks.
Don’t use the same password for multiple services, and change your passwords often. Our team use 1password to help manage passwords across various devices.
2) Login URL
When you update your website does the URL you enter contain “wp-admin” or “admin.php”. These are some of the more common default URLs used to enter website admin panels. Changing these to something more complex means attacks are less likely to force their way into your website. To be even more complex and secure its also possible to lock down access to this file so that only your IP can access this which would strengthen your security even further.
3) User ID
The default user in a database has the user id of 1. Typically hacking attempts are made to inject database code to update the values of user id 1. This ID has administrative privileges at the highest level as it was used to create / setup the website, and the hack attempt would be to update the login email and password associated with this high permission account. Having your developer have this ID changed at database level will further tighten your security against hacking attempts.
4) Two Factor Authentication
If somehow a breach occurs and your security has been compromised how will you find out? Often when access has gained hackers don’t make any noticeable changes that can be seen straight away. Do they download private client data? Do they redirect payment gateways to land in their account?
Two Factor Authentication allows a tempory text/email sent to you with a six to eight digit number that is required on each successful login attempt. The digits change each time, and you have an email alert if someone does get your login credentials correct, meaning you know of any successful efforts.
Security on websites is a constant battle, but between solid best practices, regular website software updates and maintenance it’s possible to stay one step ahead of the majority of websites out there. If you follow the advice above, these tips will help reduce the risk of attempts of your security being compromised. Should you need help in implementing some of these practices feel free to get in touch and, we can advise on how to be more secure.