Website security is essential if you wish to have a working site. There are automated robots everywhere on the Internet trying to hack into any system they come across. Even without being specifically targeted, every computer exposed to the Internet will have intrusion attempts made against it. It is important that there are layers of security surrounding your site. You absolutely need a good firewall. Keeping people out is the first step of a good security program.
Password Protection
Set up good passwords. Use 8-10 character passwords consisting of upper and lower case letters, numbers and symbols. More characters is even better. Three or four word passwords are almost impossible to crack if done correctly. Correctly would mean not using a standard phrase or repeating words. Nonsensical phrases that you can easily remember would work best. Long passwords are better than short passwords. Don’t reuse the same password over and over. Use different passwords everywhere. If needed, get a password tool like LastPass or just a USB drive to store them all and keep with you. A USB drive with logins should be encrypted in case the drive is ever lost or taken. This is just a preliminary step.
Monitor Your Site
Next, you need to have a way to monitor your site to make sure it stays uncorrupted. At a minimum, daily monitoring is needed. Monitoring that checks every few minutes is much better. There are WordPress plugins and Joomla extensions that will help with security and monitoring. There are also separate monitoring tools, both paid and open source, that can help. Monitoring your sites is just as important as trying to keep them locked down. You need to know when someone does manage to hack in so you can do something to fix it.
Backups
Now we come to backups. It is essential to have a good backup system in place for those times when you must kill a site or a hack kills a site, and you need to bring it back up. If a hack is bad enough, you will sometimes be better off killing the whole site and bringing it back up from your backups. That is to make sure you get rid of all the parts of a bad hack. Many times, very bad hacks will hide away files that will enable them to recreate themselves in case the easily found hack files are found and deleted. In some cases, it is just not feasible to go through all the code on a site line by line to find these hidden files. Those cases are the times when you might kill a whole site to make sure you get rid of the hack. The problem then is to make sure that the backup you restore does not also have the hack or hidden files that were possibly hidden before the hack was activated. I have found hacks where the site was compromised and the hack not activated for a year. That type of hack is particularly hard to root out.
Even with the best security a site may still get hacked. Hacks will also hide in many different ways, and new ways are constantly being thought up. That is why it is a good idea to use several layers of security and more than one monitoring system. If you have at least two monitoring systems, then hopefully they will each catch some things that the other might miss. There are lots of website malware scanners, and in cases where you already know you have been hacked, you might use several of them to try to make sure you have removed all of the hacked files and to ensure that your site is indeed safe and malware-free. A good regimen would be to have an installed security monitor and to do a couple more site scans with different tools on a daily basis. Vigilance is the price for a safe website. Firewalls, site monitoring, malware scanning and backups all come into play.
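To make the monitoring and backup advice above concrete, here is an added file-integrity example (my own illustration, not Bob Hunt's code or any particular plugin): it hashes every file under a site root into a baseline manifest, then reports files added, removed or modified since, which is exactly how a hidden file planted before a hack was activated shows up when you compare a backup against a known-good baseline. The site layout and file contents in demo() are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large uploads do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map every file under root (posix relative path -> hash). Dot-files are
    included on purpose: a fallback copy of a hack is often parked in one."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = hash_file(full)
    return manifest

def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report what changed relative to the known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }

def save_manifest(manifest: dict, path: Path) -> None:
    """Keep the baseline OFF the web server (e.g. beside the backups) so an
    intruder cannot simply rewrite it to match the tampered files."""
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))

def demo() -> dict:
    """Constructed scenario: snapshot a tiny 'site', plant changes, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "htdocs"
        (site / "wp-content").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello'; ?>")
        (site / "wp-content" / "theme.css").write_text("body{}")
        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(site), baseline_path)
        # Simulate a compromise: injected code in index.php plus a hidden dropper.
        (site / "index.php").write_text("<?php echo 'hello'; /* injected */ ?>")
        (site / "wp-content" / ".cache.php").write_text("<?php /* hidden copy */ ?>")
        return compare_manifests(json.loads(baseline_path.read_text()),
                                 build_manifest(site))
```

Run build_manifest against a restored backup and compare it to the baseline the same way before putting that backup live; anything under "added" that you did not put there deserves a look.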
–Bob Hunt, Systems Administrator