How to keep your CMS website hacker-safe
You should not need to worry about server-side security (your web hosting provider should do that for you), but you do need to think about your website security, especially if you use a CMS to manage your website. CMS is short for Content Management System, and examples are WordPress, Joomla, and Drupal.
Here are some simple yet effective tips that will dramatically increase the security of your CMS-based website:
- Use a secure password. It's scary how many people still use insecure passwords for their CMS. It is the simplest thing for a hacker to run a script that guesses your password to get into your CMS. Here are some guidelines for creating a secure password:
  - Do not use words that can be found in a dictionary, not even spelled backwards.
  - Do not include personal information such as social security number, birthday or name.
  - Use at least 8 characters.
  - Include both lower and upper case.
  - Include numerals and special characters.
  - Tooltip: Online Secure Password Generator
  - Tooltip: Firefox plugin password generator
- Keep your CMS updated to its latest version. This cannot be emphasized enough. Most CMS providers work hard to identify vulnerabilities in their scripts and release security updates for you to download and install. Be attentive to these releases. Keeping your scripts updated is absolutely vital for a secure website.
  - WordPress makes it really simple for you. The Dashboard (admin panel) notifies you whenever a new version is available and offers you an automatic update. (If it doesn't, your WordPress version is far too old. Update now!)
  - Joomla: Subscribe to Joomla security updates by email here. Instructions on how to upgrade your Joomla are found here. More on Joomla security here.
  - Drupal provides an Update Status module which checks with drupal.org once a day to see if there are new officially released versions of Drupal and any modules that you are running. The module requires cron to work. If your web host does not provide cron, you need to check http://drupal.org/security/.
- Stay updated about vulnerabilities in third-party plugins. You probably use third-party plugins in your CMS website. The greatest vulnerabilities are often found in these add-ons.
  - WordPress notifies you automatically about new versions if you visit the plugin section of your admin panel.
  - Joomla provides a Vulnerable Extensions List. You can follow the updates via RSS.
  - The Drupal Update Status module mentioned above also gives you security notifications about any modules that you are running.
- Check your file permissions. File permissions determine who can access and edit files and directories on the web server. Set the file and directory permissions so that only you can edit them, especially on configuration files. Learn more about file permissions.
- Run it in a PHP5 environment. PHP4 is obsolete. PHP5 is safer and faster. Most popular CMSs run just fine on PHP5, so make sure your web host has PHP5 enabled. If you host your website with us, you can choose between PHP 4, PHP 5.2, PHP 5.3, PHP 5.4, PHP 5.5, or PHP 5.6.
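
For the file permissions tip above, this added example (not from the original article) lists everything in a CMS directory that someone other than the owner can edit and can then remove that write access. The function names are hypothetical, and the config file names are assumed to be the defaults: wp-config.php (WordPress), configuration.php (Joomla) and settings.php (Drupal).

```shell
#!/bin/sh
# Added example: audit a CMS document root for files and directories that
# group or others may write to, then optionally tighten them.

# Assumption: default config file names for WordPress, Joomla and Drupal.
is_config() {
    case "$(basename "$1")" in
        wp-config.php|configuration.php|settings.php) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_docroot DIR
# Prints "CONFIG <path>" or "OTHER  <path>" for every file or directory
# under DIR that has the group-write or other-write bit set.
audit_docroot() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print |
    while IFS= read -r path; do
        if is_config "$path"; then
            printf 'CONFIG %s\n' "$path"
        else
            printf 'OTHER  %s\n' "$path"
        fi
    done
}

# tighten_docroot DIR
# Removes group and other write permission from everything audit_docroot
# would report. Owner permissions and read/execute bits are left untouched.
tighten_docroot() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
}

# When a directory is given on the command line, audit it (read-only).
if [ "$#" -ge 1 ]; then
    audit_docroot "$1"
fi
```

Review the audit output before calling tighten_docroot: if your host runs PHP as a different user than the one that owns the files, directories the CMS writes to (such as uploads) may depend on group write access.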