One of the common questions we get from clients (and potential clients) revolves around website security: what are the dangers, and what can be done to minimize risk? For the sake of this article, we'll focus on two CMS (content management systems) - Joomla and WordPress - and things you can do within 24 hours to tighten security and minimize risk for a more secure web.
Tip 1: Be selective of the plugins
Thumbing through extensions (in Joomla speak) or plugins (for WordPress) can be like being stuck in the Mall of America for years. Like shopping for a toothbrush, there are hundreds of options that do similar things. Need functionality for a slideshow? There are thousands of options. Pick one that:
- Relies on 1-click updates (i.e. you don't need to manually install each time). However, you don't want something that installs updates automatically, as this may break your site.
- Has auto-notifications when an update is ready.
- Has a long track record of reviews.
- Has a developer-backed team that's committed to providing updates/patches as soon as they become available.
Tip 2: Keep the number of plugins to a minimum
Do you really need that weather plugin that tells your users that it's raining outside their office window? No, you don't. Do you need a plugin that auto-plays music? Not unless you really loathe your users. Keep your plugins tight and essential. The more you have, the more you'll need to manage and keep updated.
Tip 3: Stay updated for a secure web
Tips 1 and 2 aside, the number one cause of site attacks and malware is an outdated CMS or its outdated extensions/plugins. If you cannot manage this, then find someone who can. Otherwise, you're asking for a hack - and there are no winners in that situation!
Tip 4: Site level backups
So there are a few different types of backups, which we'll get into during this article. The first is site-level backups. This is when a backup is made and stored directly on the site (say in a "backups" folder located in your site's file directory). For Joomla, Akeeba Backup is tremendous. For WordPress, go with Jetpack.
In addition to on-site backups, the two tools listed above will also allow remote backups (e.g. placing the backup on 3rd party storage such as Dropbox).
Tip 5: Server/cPanel backups
So if your site is compromised, having an on-site backup may not do the trick. Therefore, always have cPanel/Plesk backups (you don't need to know what these are, per se, but simply ask the question of your hosting provider, and ensure these are in place). I'd recommend rolling backups on a 3-daily, weekly, and monthly level. Again - you don't need to know the details; but you need to know the questions to ask for a more secure web.
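One way to implement the rolling file backups recommended in Tips 4 and 5, as an added example that is not from the original article or from Akeeba, Jetpack or cPanel: a POSIX shell script that archives the site directory to a location outside the web root and keeps daily, weekly and monthly tiers. The retention counts (3 daily, 4 weekly, 3 monthly), the directory layout and the function names are assumptions; it archives files only, so a database dump would be added beside it.

```shell
#!/bin/sh
# Rolling site backup with daily/weekly/monthly tiers (added example, not the
# article's own code). Assumed layout: site files under $1, archives written to
# a backup root OUTSIDE the web root so a compromised site cannot reach them.
set -e

# Retention counts are assumptions, not values from the article.
KEEP_DAILY=3
KEEP_WEEKLY=4
KEEP_MONTHLY=3

# Keep only the newest $2 archives in tier directory $1.
# Archive names embed YYYYMMDD, so a reverse name sort is newest-first.
prune_dir() {
    dir=$1; keep=$2
    [ -d "$dir" ] || return 0
    ls -1 "$dir" | sort -r | tail -n +"$((keep + 1))" | while IFS= read -r old; do
        rm -f "$dir/$old"
    done
}

# Archive the site for one day and rotate it into the tiers.
# $1 site dir, $2 backup root, $3 date YYYYMMDD, $4 weekday (0=Sunday), $5 day of month.
# The date parts are passed in so the rotation can be exercised with constructed dates;
# a cron job would pass "$(date +%Y%m%d)" "$(date +%w)" "$(date +%d)".
rotate_backup() {
    site=$1; root=$2; today=$3; dow=$4; dom=$5
    mkdir -p "$root/daily" "$root/weekly" "$root/monthly"
    archive="$root/daily/site-$today.tar.gz"
    # Files only: in a real job, dump the CMS database (mysqldump) next to it.
    tar -czf "$archive" -C "$site" .
    [ "$dow" -eq 0 ] && cp "$archive" "$root/weekly/"   # Sundays feed the weekly tier
    [ "$dom" -eq 1 ] && cp "$archive" "$root/monthly/"  # the 1st feeds the monthly tier
    prune_dir "$root/daily" "$KEEP_DAILY"
    prune_dir "$root/weekly" "$KEEP_WEEKLY"
    prune_dir "$root/monthly" "$KEEP_MONTHLY"
}

# Number of archives currently held in a tier directory.
count_tier() { ls -1 "$1" 2>/dev/null | wc -l | tr -d ' '; }
```

Run it from cron on the server, not from within the CMS, and point the backup root at storage the web server user cannot write to.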
Tip 6: Server image backups
This is when your host will take a snapshot of the entire server, and place the copy on an entirely different server. This is good for catastrophic events, and is somewhat of a last resort.