When you start your website you are probably focusing on creating new content and getting visitors. While that is extremely important, you cannot take protecting your content and data lightly. If someone takes over your server or installs malicious software you may lose everything you have created so far. In the best case you need to roll back to the last non-infected backup.
Even if we don't count the data loss, you will need to spend time cleaning your server, time you could otherwise spend on making more content or getting more visitors. The easy way is to make sure these incidents do not happen in the first place, because it is always more effort to repair your server than to prevent an attack. We have listed a few tips to make your server more secure, so you can focus on working on your content.
While this seems trivial, there are a lot of cases where access could have been prevented by using stronger passwords. Use a strong password that is long and hard to guess: more than 8 characters, including non-alphanumeric symbols.
Don’t use repeating sequences in your passwords and do not use one password for more than one application. It is best not to store these passwords on devices that can be lost. Generally getting a password manager is a great way of handling your passwords. Also use two-factor authentication where it is possible.
Don't rely on a simple password login to your server. If you set up SSH key authentication, you reach your server over an encrypted channel where only the private keys you have already set up are accepted. The public key is stored on the server and each client holds a private key that proves it is allowed to connect.
This method lets you log in without typing a password and is much more secure. Setting up SSH key authentication is not difficult and makes your server much harder to break into.
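As an added example (not code from the original article), here is a small shell audit that checks whether an sshd_config file accepts key-based logins only; the two config samples are constructed for the demonstration, and the location /etc/ssh/sshd_config is an assumption about a typical Linux host.

```shell
# Added example, not from the original article: audit an sshd_config for the settings
# that make key-based login the only accepted method. Uses constructed sample configs
# in temp files so it runs offline; on a real host the file is usually /etc/ssh/sshd_config.

# Effective value of a directive. sshd honours the FIRST uncommented occurrence, so take
# that; fall back to sshd's default when the line is absent. Keywords are case-insensitive.
ssh_directive() {
  _file="$1"; _key="$2"; _default="$3"
  _val=$(grep -i "^[[:space:]]*${_key}[[:space:]]" "$_file" | head -n 1 | awk '{print $2}')
  if [ -n "$_val" ]; then printf '%s\n' "$_val" | tr 'A-Z' 'a-z'; else printf '%s\n' "$_default"; fi
}

# Return 0 when only keys are accepted, 1 otherwise, printing each failed check.
audit_sshd_config() {
  _file="$1"; _rc=0
  if [ "$(ssh_directive "$_file" PasswordAuthentication yes)" != "no" ]; then
    echo "FAIL: PasswordAuthentication should be 'no'"; _rc=1
  fi
  if [ "$(ssh_directive "$_file" PubkeyAuthentication yes)" != "yes" ]; then
    echo "FAIL: PubkeyAuthentication should be 'yes'"; _rc=1
  fi
  case "$(ssh_directive "$_file" PermitRootLogin prohibit-password)" in
    no|prohibit-password) ;;
    *) echo "FAIL: PermitRootLogin should be 'no' or 'prohibit-password'"; _rc=1 ;;
  esac
  return $_rc
}

# Constructed sample 1: the weak state a default install often ships with.
# Note the commented-out line, which a quick visual check can mistake for being active.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
EOF

# Constructed sample 2: the hardened state the article recommends.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
EOF

audit_sshd_config "$WEAK_CFG" || echo "weak config: password login still accepted"
audit_sshd_config "$HARDENED_CFG" && echo "hardened config: keys only"
```

Run the audit against the live file only after your own key login has been tested in a second session, so a mistake cannot lock you out.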
A firewall is software or hardware that controls incoming and outgoing network traffic based on predefined security rules. This is usually done by granting and restricting access to ports. Only allow public access to ports that are absolutely necessary.
You can even make internal services inaccessible to unwanted visitors from the outside. Ports that are not in use are simply blocked entirely by most configurations. Firewalls and their usage vary, but setting one up should not take much time, and you can find good guides on the internet.
Using secure channels to access or communicate with your server is extremely beneficial. Good encrypted channels make it almost impossible to listen in on the data that you are sending to (or receiving from) your server. SSH login was already mentioned as the way to log into your server securely.
Transfer your files with SFTP instead of plain FTP. Web admin areas and web forms should be encrypted with SSL. If available, use a VPN connection when you are accessing your server; a VPN app encrypts your whole online activity, making your work and web browsing secure. Avoid using public computers to access anything on your server, because public computers always carry the risk of being infected with malicious software.
Updating software can be time consuming, and you may need to check that everything still works after a new version is installed. But updates are there for a reason: they bring security patches, not only new features, so it is important to install them.
If you want to make sure your server is secure, install them as soon as possible. Security vulnerabilities are usually published when the fix is already available and tested. Malicious parties will know about these vulnerabilities and try to exploit them, which is why an outdated system is vulnerable. Of course you cannot do this at peak time, when visitors storm your website, because during the downtime you will lose customers.
Backups are an extremely important part of your security. When trouble happens you can fall back on an older state of your server and resume your work from there. Make backups at an acceptable rate (ideally daily) and store them in a safe place.
Although many providers include free (or purchasable) backups with your plan, it is advisable not to store your backups in the same place as your main server. If someone gets access to your server, it is likely they can also get access to your backups.
The best case is when you have offline personal storage where you can keep your backups. You can check our guide on how to create a personal backup of your server. Don't forget to maintain and check your backups from time to time.
When more people can log in to a server (which is usually the case), it is hard to follow what is going on. It is important to log all major activities so you can trace back what happened if something went wrong. Use monitoring tools to check the resources. If you see spiking activity on the CPU, for example, it can indicate unwanted programs running.