3 Simple Practical Security Tips

When we design and set up websites for our clients, we make a big point of talking to them about security. The stock response is nearly always “Why would anyone want to hack us? We’re not the Pentagon / NASA / Insert Humorous Company here!”

Well guess what? Hackers like to hack websites just because they can…and it can be very disruptive and costly if you discover you have been hacked and don’t have a sensible disaster recovery plan. In this blog I am going to mainly talk about keeping a Content Management System (CMS) website secure, but the lessons also apply to any website architecture.

The first time we encountered a really serious hack was some years ago, when Simon and I were running the marketing department of a former client (Quindell). One day we turned up to work, switched on our screens, and instead of the familiar webpage we were expecting to see when we fired up our browsers, we were greeted with a flaming skull, some Arabic script, and a message that we had been hacked from Iran.

Oh Sh*t we thought!

Now, we had not actually set up the client’s website; it was set up by another firm (in Joomla) and we took it over. We discovered that the previous company involved had left the default administrator account as “admin”. This is a massive, almost comical, security hole.

TIP 1 – Always change the default administrator login name

Hackers use sophisticated scanning tools to look for websites built using common CMSs, then they try brute forcing the admin page using combinations of the default administrator account names. They also scan installations of common CMSs for older versions; an outdated version often alerts them to the fact that the security of the website may not be up to scratch, and entices them in.

TIP 2 – Always make sure your CMS software is up to date

As well as the admin name faux pas, the next silly mistake was the admin password, which had unbelievably been set as Password123…and someone was paid good money to set this site up? Wow!! We always secure our administrator accounts with 31-digit randomised passwords. Yes, it means that you can’t remember anything off the top of your head – that is a good thing!

A modern brute force software program can crack an 8–16 digit password in less than an hour, and it is a trivial task for most respectable hackers to leave several brute force programs trying the back door of several websites at once. A 31-digit randomised password (one that uses letters, numbers and symbols) can take centuries to crack…

TIP 3 – Always use a password with a combination of Uppercase, Lowercase, Numbers and Symbols – and make it 31 characters long if you can…
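
One way to produce and check a password that meets Tip 3, added here as an example and not taken from the original post. It assumes Python's `secrets` module (the operating system's random source) as the generator; the function names are illustrative.

```python
import math
import secrets
import string

# The four character classes named in Tip 3.
CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    string.punctuation,
)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def meets_tip3(password, min_length=31):
    """True if the password is long enough and uses all four classes."""
    if len(password) < min_length:
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length=31):
    """Draw characters from the OS CSPRNG; redraw until every class appears.

    Redrawing the whole password (rather than forcing one character per
    class into fixed positions) keeps every qualifying password equally likely.
    """
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_tip3(candidate, min_length=length):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on guessing entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password())
    print(f"31 random characters: about {entropy_bits(31):.0f} bits")
    print(f" 8 random characters: about {entropy_bits(8):.0f} bits")
    print("Password123 passes Tip 3?", meets_tip3("Password123"))
```

Store the generated value in a password manager rather than a document or e-mail, since a password this long is not meant to be memorised.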

After manually combing through pages and pages of code, we finally returned the client site to its previous state and beefed up the security immediately. This was the end of our love affair with Joomla…

Now these tips may seem obvious but you would be amazed at the number of sites we have come across that don’t implement them, and it is normally only by luck that such sites have stayed online. In the next part of this blog, I’ll look at some more in-depth security tips specifically for WordPress.