Advanced Website Security

Over the last couple of weeks we have been taking a deeper dive into website security.  If you have been using our articles to improve the security of your website, we are gratified.

Today we are adding some advanced security techniques to your defensive arsenal.  Many of these solutions are specific to WordPress websites, but there are some that apply more globally.  Some of these ideas may require some outside professional help to implement, but if your business relies on your website, they are probably worth the extra expense.

  • Google Search Console – Formerly known as Google Webmaster Tools, this is a free Google service that you may already be subscribed to.  If SEO and page rank are important to you, or if you are using AdSense or AdWords, you should be using the Search Console too.  Log on to your Google account, navigate to Search Console, and update your site information.  Create a new listing if necessary.  Among other things, Google will notify you if they detect malicious activity on your website.
  • WordPress security keys – You can use a plugin like Salt Shaker to change your WordPress security keys, or generate your own keys at WordPress.org.  Make sure to modify your wp-config.php file with the new key information.
  • Use .htaccess – Create your own .htaccess file or use a plugin, making sure to protect the WP admin area, password protect the WP admin folder, disable directory browsing, disable PHP execution in certain directories, and protect your wp-config.php file.
  • Disable XML-RPC – Delete the xmlrpc.php file to prevent an avenue for password guessing attacks.
  • Disable PHP error reporting – PHP error reporting is used by developers for debugging.  But showing PHP errors to site visitors can reveal version information and possibly exploitable code.  Change the php.ini or wp-config.php file.
  • Use HTTPS – By July Google will begin telling Chrome web browser users that HTTP sites are insecure.  Adding a security certificate to your site to encrypt communications between your site and your site visitors is becoming an industry standard.  Costs have dropped, and free certificates are available from Let’s Encrypt.
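As an added example (not part of the original post), here is what the .htaccess items above look like as Apache directives.  It assumes Apache 2.4 (the `Require` syntax) with `AllowOverride` enabled for the site; the first block goes in the WordPress root .htaccess, the second in a separate .htaccess inside wp-content/uploads.

```apache
# --- WordPress root .htaccess (added example, Apache 2.4 syntax) ---

# Disable directory browsing so visitors cannot list folder contents
Options -Indexes

# Protect wp-config.php (database credentials and security keys)
<Files wp-config.php>
    Require all denied
</Files>

# Protect the .htaccess file itself from being served
<Files .htaccess>
    Require all denied
</Files>

# Block xmlrpc.php as an alternative to deleting the file;
# stops it being used for password-guessing attempts
<Files xmlrpc.php>
    Require all denied
</Files>

# --- wp-content/uploads/.htaccess (added example) ---

# Disable PHP execution in the uploads directory: an uploaded file
# with a .php extension is refused instead of being run
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
```

After saving, confirm the rules work by requesting /wp-config.php and /xmlrpc.php in a browser and checking that the server answers with 403 Forbidden rather than serving the file.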

Many of these items have lengthy and detailed procedures, and I have included links to the details below.  Our next post looks at how to clean a site that has been infected or compromised, and wraps up this series.

More information:


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
