A Must-Have Website Security Checklist
Keeping robust website security is important for protecting your online presence and your visitors' data. While Bluehost provides a secure server environment, complete website security requires proactive steps on your part: the applications, plugins, and credentials you install and manage are yours to keep patched and protected.
This article provides a comprehensive website security checklist and information on what to do if you suspect your site has been compromised, empowering you to safeguard your website effectively.
You can also visit our blog for more information about website security: Website Security - How to Protect your Website from Digital Threats.
Website Security Checklist
Here is a checklist of website security tips to ensure your website is as secure as possible.
- Remove Unfamiliar Malicious Files/Folders
- Update All Scripts/Applications
- Update All Plugins
- Change Passwords or Remove Unused Accounts
- Delete Unused Databases/Applications from Your Account
- Fix Dangerously Writeable Permissions
- Hide Configuration Files
- Tweak php.ini File
- Use a Secure Network
- Ensure Local Computer Security
- Secure Email Connection
- Use Anti-virus Applications
Remove Unfamiliar Malicious Files/Folders
While many PHP applications generate site files you may not recognize, watch for directories or files whose names do not belong to anything you installed, such as 'wellsfargo' or 'abbybank.' Names like these are typical of phishing pages that attackers drop into compromised hosting accounts to impersonate banks and other brands. If you find one, remove it and treat the account as compromised (see "What to Do if I Suspect My Site is Compromised" below), because whatever let the attacker upload it is still there.
Update All Scripts/Applications
New software versions fix security holes found in old ones, so keep every script and application you run on the newest version available; an unpatched version is exploitable by anyone who reads the release notes. Go to the script's official site and subscribe to its updates list or security announcements list/feed so you learn about fixes as soon as they are released.
Update All Plugins
Just because your applications have been updated doesn't mean the plugins you use have been. Popular plugins for WordPress, Joomla, Drupal, and more are written for specific application versions. When updating your applications, make sure the plugins you're using are also certified to work with the newest version of your software, and remove any plugin that is no longer maintained. In addition, go to each plugin's official site and subscribe to its updates list or security announcements list/feed.
Change Passwords or Remove Unused Accounts
If an attacker has obtained any one of your passwords, assume every password you reuse or share with it is also exposed, and change all of them. Use a different password for each account so that one stolen password cannot be replayed against the others.
If your website has an administrative section or pages, change its password(s) as well, and delete accounts that are no longer used instead of leaving them active with old passwords.
Delete Unused Databases/Applications from Your Account
Each database/application you have installed on your account is another possible point of entry for attackers. By removing applications/databases that are no longer used, you'll be eliminating the potential for those outdated scripts to be exploited.
Fix Dangerously Writeable Permissions
Most website files should be set to 644 (owner read/write, everyone else read-only) and folders to 755 (owner read/write/execute, everyone else read and traverse). Files or folders set to 666 or 777 are writable by any process on the server, not just your own, and are a common way for malicious code to be planted; fix them. Permissions can be adjusted in an FTP client or in the File Manager by selecting the file and clicking the Change Permissions icon at the top of the screen.
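The same clean-up from a shell, as an added example that is not Bluehost tooling: it lists every file or folder under a web root that is writable by group or others and resets only those entries to 644/755, so it can be re-run safely. The web-root path is whatever you pass in (for example ~/public_html, an assumed location); the demo at the bottom works on a throwaway directory instead of a real site.

```shell
#!/bin/sh
# Added example, not Bluehost tooling: find files and folders that are
# group- or world-writable under a web root and reset them to 644/755.
# The web root path is whatever you pass in (e.g. ~/public_html, assumed);
# the demo at the bottom works on a throwaway directory instead.

# Print every file or directory writable by group or other.
# Symbolic -perm tests work in both GNU and BSD find.
list_loose_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -g+w -o -perm -o+w \) -print
}

# Number of loose entries, for a before/after comparison.
count_loose_perms() {
    list_loose_perms "$1" | wc -l | tr -d ' '
}

# Reset only the loose entries: 644 for files, 755 for directories.
# Entries that are already tight are left alone, so re-running is safe.
fix_perms() {
    find "$1" -type f \( -perm -g+w -o -perm -o+w \) -exec chmod 644 {} +
    find "$1" -type d \( -perm -g+w -o -perm -o+w \) -exec chmod 755 {} +
}

# Mode string of one path, e.g. "-rw-r--r--" (portable via ls).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Demo on a constructed directory tree with deliberately loose permissions.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/uploads"
    : > "$tmp/index.php"
    : > "$tmp/wp-content/uploads/image.jpg"
    chmod 777 "$tmp/wp-content/uploads"   # the classic "make uploads work" mistake
    chmod 666 "$tmp/index.php"
    echo "before: $(count_loose_perms "$tmp") loose entries"
    list_loose_perms "$tmp"
    fix_perms "$tmp"
    echo "after:  $(count_loose_perms "$tmp") loose entries"
    echo "index.php is now $(mode_of "$tmp/index.php")"
    rm -rf "$tmp"
}
demo
```

Run list_loose_perms against your real web root first and read the output before calling fix_perms: an application that legitimately needs a writable cache or upload folder will show up there, and you will want to know which folders those are rather than silently re-tightening them on every run.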
Hide Configuration Files
Moving config.php and other files containing passwords to a directory outside the public_html folder keeps them from ever being served to web visitors, even if PHP handling is misconfigured at some point and the server starts returning raw source. The application then loads them through a path that points above the web root instead of a file that sits in it.
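One way to carry out that move without breaking an application that hard-codes require 'config.php', as an added example that is not Bluehost's code: find files under the web root that look like they hold credentials, move each one to a private directory beside (not inside) public_html, and leave a one-line PHP shim in the original location that requires the relocated file by absolute path. The credential pattern, the "private" directory name, and the DB_PASSWORD sample are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not Bluehost's code: locate files under the web root that
# carry credentials and move them one level above it, leaving a one-line
# PHP shim in place so the application still loads them. The credential
# pattern and the "private" directory name are assumptions for the demo.

# List files under the web root that contain something that looks like a
# credential assignment. Only PHP, ini and .env files are inspected.
find_exposed_config() {
    grep -rliE --include='*.php' --include='*.ini' --include='*.env' \
        '(password|passwd|secret|api_key)[[:punct:][:space:]]{0,3}[=,]' "$1" 2>/dev/null
}

# Move <webroot>/<file> to <parent of webroot>/private/<file> and replace
# it with a shim that requires the relocated copy by absolute path, so the
# move is transparent to code that does require 'config.php'.
# Pass an absolute web-root path so the path baked into the shim is absolute.
relocate_config() {
    webroot=$1
    name=$(basename "$2")
    private="$(dirname "$webroot")/private"
    mkdir -p "$private"
    mv "$webroot/$2" "$private/$name"
    cat > "$webroot/$2" <<EOF
<?php
// Settings live outside the web root, where the web server cannot serve
// them even if PHP handling is ever misconfigured.
require '$private/$name';
EOF
}

# Demo on a constructed site: one config with a credential, one plain page.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html"
    printf '%s\n' '<?php' "define('DB_PASSWORD', 'hunter2');" > "$tmp/public_html/config.php"
    printf '%s\n' '<?php require "config.php"; echo "hello";' > "$tmp/public_html/index.php"
    echo "exposed before:"; find_exposed_config "$tmp/public_html"
    relocate_config "$tmp/public_html" config.php
    echo "exposed after: $(find_exposed_config "$tmp/public_html" | wc -l | tr -d ' ')"
    echo "shim now reads:"; cat "$tmp/public_html/config.php"
    rm -rf "$tmp"
}
demo
```

The grep pattern is deliberately loose (it also matches a comment that mentions a password), so treat its output as a list to review, not to relocate blindly. Where PHP runs under your own account user you can additionally restrict the private directory to that user; verify how PHP runs on your host before doing so, otherwise the shim's require will fail.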
Tweak php.ini File
The php.ini file on your account controls how PHP behaves on your account, and adjusting its settings can greatly improve several aspects of your security. The file is generally located in your public_html directory. If you do not see it, you may need to generate one; doing so places a file called php.ini.default in your public_html directory, which you then rename to php.ini to make it active.
- Tweak 1 - Set register_globals to Off. This directive was removed in PHP 5.4, so it only exists on very old PHP versions; where it does exist, On lets any request variable overwrite a variable in your scripts, so it must be Off.
- Tweak 2 - Set display_errors to Off (the directive is display_errors, plural). With it On, PHP prints error messages to visitors, and those messages reveal file paths, database details, and fragments of your code; keep log_errors On instead so the details go to the error log only.
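A small audit for both tweaks, as an added example that is not Bluehost's code: it reads a php.ini the way PHP does (the last uncommented assignment of a directive wins) and warns when either directive is not Off, returning the number of findings so the check can gate a deployment script. The two sample php.ini files are constructed for the demo; in practice pass the path of your own file, assumed here to be ~/public_html/php.ini.

```shell
#!/bin/sh
# Added example, not Bluehost's code: read a php.ini the way PHP does
# (last uncommented assignment wins) and flag the two directives above
# when they are not Off. The sample ini files are constructed for the
# demo; in practice pass the path of your own php.ini (assumed to be
# ~/public_html/php.ini on this kind of account).

# Print "=<value>" for the last uncommented assignment of $2 in file $1,
# or nothing if the directive is absent. The leading "=" lets an empty
# value be told apart from a missing directive.
ini_raw() {
    sed -n -e 's/[[:space:]]*;.*$//' \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/=\1/p" "$1" | tail -n 1
}

# Print the value (trailing whitespace and surrounding quotes removed);
# return 1 when the directive is not set at all.
ini_value() {
    raw=$(ini_raw "$1" "$2")
    [ -n "$raw" ] || return 1
    printf '%s\n' "${raw#=}" | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# PHP treats off/0/no/false/none/"" as boolean false.
is_off() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        off|0|no|false|none|"") return 0 ;;
        *) return 1 ;;
    esac
}

# Report both directives; the return value is the number of findings,
# so a non-zero exit can gate a deployment script.
audit_php_ini() {
    findings=0
    for key in register_globals display_errors; do
        if v=$(ini_value "$1" "$key"); then
            if is_off "$v"; then
                echo "ok       $key = $v"
            else
                echo "WARNING  $key = $v (set it to Off)"
                findings=$((findings + 1))
            fi
        elif [ "$key" = register_globals ]; then
            # Removed in PHP 5.4; absent is the normal, safe state.
            echo "ok       $key not set (removed in PHP 5.4)"
        else
            # PHP's compiled-in default for display_errors is On.
            echo "WARNING  $key not set; built-in default shows errors to visitors"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Constructed sample files: one with the weak settings, one hardened.
write_sample_ini() {    # $1 = weak|hardened, $2 = destination path
    if [ "$1" = weak ]; then
        cat > "$2" <<'EOF'
; constructed sample: settings this checklist warns about
register_globals = On
display_errors = On    ; error text leaks file paths and SQL fragments
EOF
    else
        cat > "$2" <<'EOF'
; constructed sample: hardened settings
register_globals = Off
display_errors = "Off"
log_errors = On        ; keep the details, but only in the error log
EOF
    fi
}

demo() {
    f=$(mktemp)
    for kind in weak hardened; do
        write_sample_ini "$kind" "$f"
        echo "== $kind php.ini =="
        audit_php_ini "$f" || echo "$? finding(s)"
    done
    rm -f "$f"
}
demo
```

Two details matter when you point this at a real file: a commented-out line such as ";display_errors = On" is ignored exactly as PHP ignores it, and if a directive appears twice the later one is what PHP uses, so the audit reports that one rather than the first.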
Use a Secure Network
If you're connecting to the internet over a wireless connection, make sure the network uses WPA2 or WPA3 encryption. WEP is broken and can be cracked in minutes, and the original WPA (TKIP) is deprecated; on an open or WEP network everything you send, including your hosting, FTP, and email credentials, is readable by anyone in radio range.
Ensure Local Computer Security
One of the biggest security holes in an internet site is accessing it from an unsecured computer. Viruses, malware, and keyloggers can be installed on your computer covertly and used to obtain your username and password credentials or to infect your website files directly through your own FTP or control-panel sessions. Practice good local computer security by keeping the operating system and browser updated and regularly running a reliable anti-virus/spyware scanner.
Secure Email Connection
If you use an email application, like Outlook or Mac Mail, be sure to use SSL/TLS when connecting to the email server (IMAP on port 993, POP3 on port 995, and SMTP on port 465, or port 587 with STARTTLS). This prevents your password and message contents from being read in transit between your computer and the email server, which is exactly the hop an attacker on the same network can watch. You should be able to view and adjust these connection settings inside your email application.
Use Anti-virus Applications
Here are a few high-quality, free applications that can help you maintain a safe, healthy computer.
Linux-based: Avast! Linux Home Edition
Mac: ClamXav
Windows:
What to Do if I Suspect My Site is Compromised
Finding out that your website is already compromised can be overwhelming and frustrating, but you're not alone and you have options. Bluehost does not provide direct malware removal services or troubleshoot infected websites, but there are various methods available for removing malware.
Professional Malware Cleaning Service
If you lack the time or expertise to remove malware from your website, using a professional service is a great option. Our security partner, SiteLock, can assist you in cleaning up malware on your site and offers proactive solutions to prevent future infections.
Visit the Website Security Protection for Small Businesses article to learn more about the SiteLock features.
Restore your Website
Another option for dealing with a malware infection is to restore your website from a backup created before the infection occurred. CodeGuard is a must-have tool when starting your online business for exactly this reason: it lets you quickly revert your website to its pre-infection state. Use only a backup created before your site was infected; restoring one that already contains the malicious code simply puts it back. After restoring, remember that any changes made after the backup date will need to be recreated.
Even after the restoration, your site may still have the same vulnerabilities that allowed the infection to occur. For this reason, it is important to implement additional proactive measures to enhance your website's security.
More information about CodeGuard is available in the CodeGuard: How to Protect Your Website article.
Create a New Site
If your site cannot be restored or repaired, a final option is to create a new website.
Summary
This article provides a comprehensive website security checklist for a site hosted on secure servers like Bluehost, outlining essential steps such as updating scripts and plugins, managing passwords, fixing permissions, hiding configuration files, and securing your local computer. It also offers guidance on what to do if you suspect your site has been compromised, including using a professional malware cleaning service or restoring from a clean backup. By implementing these website security best practices, you can effectively safeguard your website against digital threats.
If you need further assistance, feel free to contact us via Chat or Phone:
- Chat Support - While on our website, you should see a CHAT bubble in the bottom right-hand corner of the page. Click anywhere on the bubble to begin a chat session.
- Phone Support -
- US: 888-401-4678
- International: +1 801-765-9400
You may also refer to our Knowledge Base articles to help answer common questions and guide you through various setup, configuration, and troubleshooting steps.