Web Security - How To Secure Your Website

These tips should help you secure your website and protect its value.

Your primary goal in addressing web security should be covering your basic risks. You don't necessarily have to be at the cutting edge; the real goal is not to be the "low hanging fruit" that an opportunistic scanner picks off first. Here are a few tips that will help cover you no matter how your website or server is constructed.

Tip #1 - Shut Off Directory Indexing.

Directory listings are useful because of the information they provide, and that's exactly why they're dangerous. Unless you are running a web site that's dedicated to serving out files for download, shutting off directory indexing is a good idea. You don't want someone hitting a folder without a properly configured default index file, because when they do they see a full list of every file in that folder: backups, copies of config files, upload directories, old versions of scripts. That's a visitor's foot in the door. Put simply, directory indexing lets outsiders find, and then exploit, files you never meant to be publicly accessible.

Use .htaccess and this beautifully simple directive to tell Apache not to produce listings. It only takes effect if the server's AllowOverride setting for that directory permits Options; if it doesn't, put the same line in the virtual host configuration instead.

Options -Indexes

Tip #2 - Secure Select Folders

This tip applies especially to folks using CMSs, but anyone can secure a website folder easily. There are several approaches I've come across, but I believe a well-placed IP restriction is usually the best method in this scenario.

If you're using WordPress it'd be your wp-admin folder, and for Joomla or Drupal it'd be administrator. What these folders have in common is that nobody else needs to see what's inside. Simply find the folder you want to secure, add a file named ".htaccess" inside it, then add the following code. Note that there is no space after the comma in "deny,allow"; Apache rejects "deny, allow" as a syntax error.

Order deny,allow
Deny from all
Allow from XXX.XXX.XXX.XXX

All you need to do is fill in your IP where the "X's" are and you're ready to roll. What this code says is "Kick out everybody... except that one guy - he's alright". Don't know your IP? We like to visit Arul John to pick up this info really quickly (http://aruljohn.com/).

All things considered, this is a very powerful htaccess trick if you use it wisely. Every request to that folder that doesn't originate from your address gets a 403 before any CMS code runs, so a brute-force or exploit attempt against the admin pages never reaches them. An attacker can't simply spoof your IP, either: the TCP handshake has to complete, so they would need to be sending traffic from your network (or from your compromised machine) to get in.

Keep in mind that this method is location based. If you'd like multiple locations to have access, you will need to add an additional "Allow from XXX.XXX.XXX.XXX" line for each one (a range such as XXX.XXX.XXX.0/24 works too). If your connection has a dynamic IP you will lock yourself out when it changes, and if the site sits behind a CDN or reverse proxy the address Apache sees is the proxy's, not yours, so check that first. One more caveat: Order, Deny and Allow are Apache 2.2 directives. Apache 2.4 replaces them with Require and only understands the old form when mod_access_compat is loaded; without it, this .htaccess produces a 500 error for everyone, including you.
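Here is an added example, not from the original article, of generating that .htaccess from the shell rather than typing it by hand. It writes both the Apache 2.2 form shown above and the Apache 2.4 "Require ip" form inside IfModule guards, so one file works on either version, and it refuses to write anything if an address is malformed. The addresses 203.0.113.5 and 198.51.100.0/24 are documentation placeholders, and the directory is a temporary one created for the demo, standing in for wp-admin or administrator.

```shell
#!/bin/sh
# Added example (not from the article): write an IP-allowlist .htaccess for a
# CMS admin folder in both Apache 2.2 and Apache 2.4 syntax.

# is_ip_or_cidr ADDR : succeeds if ADDR is a dotted IPv4 address with an
# optional /prefix (a crude syntax check, not a reachability check).
is_ip_or_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# write_admin_htaccess DIR ADDR... : writes DIR/.htaccess so that only the
# listed addresses may reach anything under DIR. Fails without overwriting
# if no address is given or one of them is malformed.
write_admin_htaccess() {
    dir=$1
    shift
    [ $# -gt 0 ] || { echo "write_admin_htaccess: need at least one address" >&2; return 1; }
    for addr in "$@"; do
        is_ip_or_cidr "$addr" || { echo "write_admin_htaccess: bad address '$addr'" >&2; return 1; }
    done
    {
        echo '# Admin folder allowlist: everyone is denied except the addresses below.'
        echo '<IfModule mod_authz_core.c>'
        echo '    # Apache 2.4+: access is granted if any Require line matches.'
        echo '    <RequireAny>'
        for addr in "$@"; do
            echo "        Require ip $addr"
        done
        echo '    </RequireAny>'
        echo '</IfModule>'
        echo '<IfModule !mod_authz_core.c>'
        echo '    # Apache 2.2: note "deny,allow" with no space after the comma.'
        echo '    Order deny,allow'
        echo '    Deny from all'
        for addr in "$@"; do
            echo "    Allow from $addr"
        done
        echo '</IfModule>'
    } > "$dir/.htaccess"
}

# Demo with placeholder addresses (RFC 5737 documentation ranges) in a
# throwaway directory standing in for wp-admin or administrator.
demo_dir=$(mktemp -d)
write_admin_htaccess "$demo_dir" 203.0.113.5 198.51.100.0/24
cat "$demo_dir/.htaccess"
rm -rf "$demo_dir"
```

Run it once per admin folder with your own addresses in place of the placeholders, then request the folder from a non-allowed address and confirm you get a 403 rather than the login page.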

Tip #3 - Use SSL if Necessary.

If you handle account logins, sessions or payments, you must be using SSL (more precisely TLS, but the old name has stuck), and today there is little reason not to serve the whole site over HTTPS and redirect plain HTTP to it. Setting up SSL is not ultra-tricky, but make sure your developer knows what they're doing. A little experience dealing with e-commerce sites tells me that this isn't something to rush through. If you secure your website properly once, you won't need to do it again. Know what needs to be secured (every page that sets or sends a session cookie, not just the login form), how the doorway will be addressed, and over-engineer when in doubt. Put plainly: measure twice and cut once.

Also, make sure you don't allow your SSL certificate to expire. It harms your brand more than you'll know. Nothing is less reassuring than expecting to see a "lock" and seeing a "red error warning" instead. Put the expiry date on a calendar or, better, automate renewal and monitor the certificate so you hear about it before your visitors do.
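As an added example (not from the article), here is a small shell check you can run from cron to warn before a certificate runs out. The functions use the openssl command-line tool; the demo generates a throwaway self-signed certificate for the made-up name example.test so it runs offline, but for a live site you would feed it the certificate fetched from the server instead.

```shell
#!/bin/sh
# Added example (not from the article): check how close a certificate is to
# expiry so you can alert before visitors see the browser warning.
# Requires the openssl command-line tool.

# cert_not_after FILE : prints the notAfter date of a PEM certificate.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_expires_within FILE DAYS : succeeds (exit 0) if the certificate in
# FILE expires within DAYS days, fails otherwise. Built on `openssl x509
# -checkend`, which exits non-zero when the certificate WILL expire inside
# the window, so the sense is inverted here to read naturally.
cert_expires_within() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_short_lived_cert CERT KEY DAYS : generates a throwaway self-signed
# certificate valid for DAYS days, standing in for a real site certificate.
make_short_lived_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj '/CN=example.test' -keyout "$2" -out "$1" 2>/dev/null
}

# Demo: a certificate with 10 days left trips a 30-day renewal warning.
demo_dir=$(mktemp -d)
make_short_lived_cert "$demo_dir/site.pem" "$demo_dir/site.key" 10
echo "certificate expires: $(cert_not_after "$demo_dir/site.pem")"
if cert_expires_within "$demo_dir/site.pem" 30; then
    echo "WARNING: renew now, fewer than 30 days left"
fi
rm -rf "$demo_dir"
```

For a live site, save the served certificate with openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 > site.pem and pass site.pem to cert_expires_within; a 30-day window leaves time to renew even if the first attempt fails.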

Tip #4 - If possible - Keep your Directory Root isolated.

Sub folders can be dangerous, and you'd hate to lose your primary site because of some sandbox you built to play in. If you're able, point your document root at a folder (or a separate drive or partition) that contains nothing but the files meant to be served: keep source repositories, backups, database dumps, configuration and any test installs outside of it, because anything inside the document root is one bad rule away from being downloadable. Don't forget: sometimes web development isn't about what you provide, sometimes it's about what you don't.

Tip #5 - Shut off non-essential listening ports on your web server.

Shut down telnet, ftp, finger, and any other service you are running that isn't absolutely essential; each open port is another piece of software that has to be patched and another way in. Run netstat -an | grep -i "listen" on Unix (or ss -ltnp on a modern Linux box, which also shows the owning process), or netstat -an | find "LISTEN" on Windows (netstat -ano adds the PID), to find what your server is listening on, then stop and disable the service behind each port you can't justify. Anything that has to stay but is only used locally (a database, for instance) should bind to 127.0.0.1 rather than every interface, and the host firewall should drop whatever is left.
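The audit step above, as an added example that is not part of the original article: a shell function that reads netstat -an output and reports every listening TCP port that isn't on an allowlist, flagging whether the socket is reachable from the network or bound to loopback only. The sample netstat output is constructed for the demo, not captured from a real machine; the function understands both the Unix column layout and the Windows one, so the same check works with the command given for either platform.

```shell
#!/bin/sh
# Added example (not from the article): audit listening TCP ports against an
# allowlist, reading `netstat -an` output on stdin. Understands both the
# Unix layout (proto recv-q send-q local foreign state) and the Windows
# layout (proto local foreign state [pid]).

# Constructed sample in the Linux `netstat -an` layout; not real output.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.9:51234       ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# unexpected_listeners PORT... : prints "port local-address exposure" for each
# listening socket whose port is not in the allowlist, lowest port first.
# Loopback-bound sockets are still reported, but flagged loopback-only,
# because they are not reachable from the network.
unexpected_listeners() {
    allow=" $* "
    awk -v allow="$allow" '
        /[ \t]LISTEN(ING)?([ \t]|$)/ {
            laddr = ($2 ~ /:/) ? $2 : $4        # Windows vs Unix column
            n = split(laddr, parts, ":")
            port = parts[n]                     # text after the last colon
            if (index(allow, " " port " ") == 0) {
                exposure = (laddr ~ /^127\./ || laddr ~ /^\[?::1\]?:/) ? "loopback-only" : "EXPOSED"
                print port, laddr, exposure
            }
        }' | sort -n
}

# Demo: a web server should need only 22 (admin), 80 and 443.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners 22 80 443
```

On a real host, pipe netstat -an (or ss -ltn, whose columns the Unix branch also handles) into unexpected_listeners with the ports you expect; anything printed as EXPOSED is a service to shut down, firewall, or justify in writing.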

Those are a few site security tips to keep in mind. If you have any other "must do" tips to secure your website, please leave them below. Be sure to familiarize yourself with .htaccess as well. Getting a solid grip on this one file can make your web developing life MUCH easier!

Related Articles
  • Apple Security Tutorial - Secure Your Mac from Hackers
    In the old platform debates, Apple security was always featured as a primary selling point. The truth is technology has caught up to the giant and frankly - a lot of people are simply not using all the existing Mac OS X security tricks of the trade.
  • Mastering RSS - RSS Submission Sites & Tools
    Content distribution is an overlooked aspect of blogging, so we created this quick guide to mastering RSS. By identifying leading RSS feed formats, top RSS submission sites, and a few of the best RSS reader apps, we can make your audience even larger.
  • ReCaptcha Basics - Using ReCaptcha
    In this Google reCaptcha tutorial we cover the reCaptcha basics - What is reCaptcha, a start to using reCaptcha with PHP, code for a reCaptcha example, and how to fix a recaptcha not working properly.
  • Show Hidden Files on Your Mac
    Find yourself needing access to hidden files on your Mac?
  • The Absolute Best Lazy Load Javascripts
    In a field dominated by imagery, using the best lazy load javascripts possible can help you deliver amazing impact without becoming an absolute drag on your pageload times.
Written By:
Haeck Design
Raleigh, NC

Haeck Design was founded in 1999 in Raleigh, NC. They're a small, responsive design firm dedicated to creating high quality websites, logos, graphics, branding, print, and marketing materials all with a unique/minimal approach.
