Web Burble   How_To_Build_A_Website


How To Create A WordPress Website

speed up outlook

go tour thailand

security backup

How Can I Enhance My Website Security?

Spambots and Hacking are extremely prolific and a scourge on the Internet. Not taking measures to enhance your website security can have severe and long lasting consequences.


Confidential data can be downloaded, released to the Web and possibly sold. User names and login password details of your website are used to gain access to the administration area of your website. Your website can be turned into an email spammer, web pages and databases can be deleted or modified.
Being hacked can destroy any good reputation built up with search engines and your visitors. Your website can be blacklisted and blocked by search engines. Applying for re-consideration to search engines can take considerable time and effort.


One tactic is when you are personally targeted by hackers. They obtain personal information on you using sources such as a company website which may have your name, email address, fax number and possibly mobile cell phone number. Facebook and other social and business media can be scraped for personal information, including information on who is your spouse, children, friends, and their data is also collected. Hackers could send a text message to a mobile cell phone, or a fake email that looks genuine but impersonates some organization such as a Bank, business or business associate, family member or friend. You may get a bogus phone call from "security" to verify your password for your website login is correct, but this is a hacker.


Secure Protocol HTTPS

Using a HTTPS website is a method of encrypting data between your site and the recipient for secure communication. Your website needs to provide a valid certificate signed by a trusted authority. This is especially required if using a payment page that requests credit card numbers, prompts for credentials such as user name and password, or communicates highly confidential information such as medical records, financial information etc.


PayPal is already a secured site if you are using this payment method and is a good solution for a payment portal. Your website would be re-directing the visitor to the PayPal site which would then re-direct back to your site once secure payment has been completed. There are also other payment portals available. Obtaining an SSL Certificate is required and your website and/or business needs to be validated depending on the certificate obtained. The certificate is installed onto your web server. Your address would use the  HTTPS protocol instead of HTTP.


Note that you will need to ensure content such as images will need to be referenced with their links using the  HTTPS:  protocol. For example, any image on a web page or in an article will need to have a   https://www.webburble.com/images/logo.png   link instead of  images/logo.png    or    http://www.webburble.com/images/logo.png
An exclamation mark will display on the HTTPS security lock symbol (Firefox browser) instead of a green HTTPS security lock symbol if all content is not encrypted.


Login Credentials

Logging into your website is when you use credentials to validate you have permission to enter. Your credentials are made up of your User name and your password.


Password Complexity

Have reasonably long passwords with a mix of letters, numbers and special characters such as brackets and percent signs etc. Do not use P@ssw0rd or November2016 or similar. These would be in the brute force list when hacking Bots attempt to log into your website. Do not use combinations of your children's names and birth dates, as this information could be in the public domain, hackers scrape information from Facebook and other sources and can target you with fake emails that look very genuine.



Keep credentials secret and not written down. Using password management software on your computer or mobile device can be an option to store credentials, but use a very complex and unique master password.


User Name

When setting up a website CMS, always add a new "super-user" account that has full access but with a name not easily guessed. After testing, delete or deactivate the common Admin or Administrator name. This gives a slightly enhanced layer of security over any brute force attack on the login page of your website because a bad Bot will probably use the common login names in a brute force login attack. These Bots are automated applications that can target large numbers of websites in a short period of time.


These Bots will try many times with different password guesses, then attempt again hours later. This can occur for weeks or months and can be detected by looking up the "Visitor" logs and searching for any records that access the "administration" directory (folder) and getting a "403 Forbidden" error if you have created an IP filter to the directory, or a general access fail due to incorrect password.  You might see records in the visitor log where it is attempting to access "wp-login" and you have a Joomla site, obviously some-one attempting to look for and hack into any WordPress site. The IP address of the hacker is recorded in your Web Server log files. You can block the IP address, but often the hacker would use different IP addresses over time. If the IP address is not your external IP address in the log record for accessing the Administration directory, then you can trace it using an IP Address Lookup website.



Do not use the same credentials for all logins and never use these same credentials for other means such as your smart devices, personal email accounts, on-line banking, work computer, home computer etc. Many people make the mistake of using the same credentials everywhere which then allows a hacker to compromise your entire digital world if just one source is hacked.
You may possibly have three sets of credentials for managing your website. One for the CMS to create content on your website, another for the Hosting account, and one more for the Hosting Contol Panel. Dont use the same credentials.


Anti-Bot Technique

Use the ReCaptcha  "I'm Not A Robot" add-on to your website. These and similar Captcha are  available as an Add-On or could be included in the core applications of the Web CMS you have chosen. The Google ReCaptcha can be added to website code for blocking Bots.



Two Factor Authentication

Using 2FA as an extra credential for accessing a website is a very powerful method of preventing hacking. If your normal credentials are compromised, the hacker still cannot access the website unless they also have access to your mobile cell device. The Google 2FA works well and there are many other available Two Factor Authentication systems available.


Add a 2FA module Add-On extension to your CMS. This will then have an extra field added to the login called a secret key. The Google 2FA Authenticator also needs to be installed on your mobile cell device, available for Android or Apple  devices.


The Authenticator app on your mobile cell device changes the secret key random number every 60 seconds. You simply enter that key into the "secret key" field on the website login screen within the allocated time. Your website 2FA application will also check with Google and verify that key. Your account with Google produces unique secret keys and nobody else has access.


Please note;  the app relies on your mobile device and Google 2FA to have synchronized time else you get an invalid key message when logging into your website. The App has a menu item to perform this synchronization. Important;  you will be given a set of long key pass-codes to store away safely somewhere in the event you do not have your 2FA mobile device available. Do not ignore this list when you sign up and install 2FA. They are "one time use only keys". Keep the list in a secure location.


This security method can be applied to the back-end administration of your Web CMS and also to the front-end for visitors that have accounts if your Web CMS has this functionality.



Web Server Security

There are measures that can be taken to "harden" the Web Server security. The examples below applies to Linux type web servers using cPanel to access components.


IP filtering

Warning: this method edits one of the web servers critical files and if not done correctly can cause consequences or halt the website completely. Do not proceed if you are not confident and competent. You can copy and paste the code below.


Denying access to the back-end administration of your web CMS to all computers and other devices not on your network can be a powerful method of securing your website.

Firstly, Google "what is my IP" to obtain the external IP address of your network. Your network would typically be all computers plugged into your modem/router.

Log into your cPanel or other control panel or use FTP access to your Web Server files using an FTP client such as FileZilla.

Create a copy of the .htaccess file in the "administration" folder/directory that applies to your Web CMS if it exists.

Edit or create the   .htaccess   file in the "administration" folder/directory that applies to your Web CMS using the File Manager or whatever file editor is available.

Scroll down to the bottom of the page and add the following code and substituting the dummy IP address of 123.456.789.00  with your external IP address.

You can add multiple  allow from  lines for all networks requiring access. An example would be that you use other computers from other locations for administration work.

Save the file and ensure  .htaccess   has permissions of  0644  (644) so that it is secure. Right click over the file to change the permissions if required, and double check !!

<Files "*">
order deny,allow
deny from all
allow from 123.456.789.00

If your modem/router is ever rebooted or loses power and turns on again later, then it may possibly have a different external IP address. If this occurs than you will be blocked from logging into the "administration" directory until you modify the same  .htaccess  file and correct the allowed IP address. If your Internet provider has allocated a static external IP address for your modem/router (usually to a business) then it would always be the same.


Setting Permissions

Using the cPanel File manager, highlight the  .htaccess  file and then click on the permissions button. permissions button

Change the permissions as shown below to secure the file.

change permissions



The main website directory would also have a .htaccess file which can also have IP filtering and file blocking applied.

Prevent the viewing of the  .htaccess file from all outside sources. Add this script to the end of the .htaccess file from within the main website directory. (not the administration directory)

<Files .htaccess>
 order allow,deny
 deny from all

Prevent the viewing and modification of the configuration.php  file which could be storing usernames and passwords. Ensure the file has  0444  permissions for read only.
(permissions of  644  when website is being developed and not yet live)

<FilesMatch "configuration.php">
Order allow,deny
Deny from all


Block specific IP addresses found to be attempting administration logins. Add this line to the end of the .htaccess file from within the main website directory. (not the administration directory). Replace the IP address 123.456.789.10 with the address of the attempted hacker. You can locate these types of attempts from viewing the Visitors log file in cPanel. Attempts will have the "administration" (or wherever your CMS is located) as the directory name. Ensure its not your IP address you are seeing!!

deny from 123.456.789.10


Any externally writable files (world write permission) on your website can be vulnerable to the PUT and DELETE directives being processed. Block any request by an external source that attempts to "PUT" data for processing by your web server. The "DELETE" can also be blocked. Limiting these calls can prevent a hacker from defacing your website by altering or deleting content.

Order allow,deny
Deny from all



Regularly running the anti-virus scans on the public web space (public_html directory) and the emails need to be performed as a precaution. If any files are infected and subsequently removed, then you will need to replace them with clean files from a backup, ensuring the backup is also clean and the file permissions are set to the original settings.



Regular updating of the CMS and extended software Add-Ons that may have security patches which need to be installed is also a critical procedure. Always research any Add-Ons for your CMS before installing them to ensure they do not have existing security holes. Security holes could be such things as the hacker being able to run scripts directly and being able to upload files to replace existing code.



Do not open suspicious emails from within your mail server and run regular virus scans that also check emails.


SQL injection

SQL injection is a well known exploit used by hackers. "RewriteCond" in the  .htaccess   file can prevent SQL injection. Most database queries in code used by good programmers would be using "Prepared Statements with Parameterized Queries" which is a safe way to read data from a database and prevent the system from being "hacked". Without being able to read code to verify this method is used, then the safe alternative is having a few lines in the  .htaccess  file to block SQL injection. This serves as a precautionary security measure.

If SQL injection were possible then user names and passwords could be exposed, including administration credentials allowing the hacker to have full control of your website.

Firstly, ensure the following line is included at the top of the  .htaccess  file or the  RewriteCond/RewriteRule commands will not work.

RewriteEngine On

Add the following lines of script to the  .htaccess  file in your main web directory.

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]



Ensure Mod_Security is running on your web server if it is available. It is a Web Application Firewall which can automatically block attacks when there is suspicious activity but should not be relied upon as a single source of protection.


https://www.google.com/transparencyreport/safebrowsing/diagnostic/index.html#url=yourwebsite.com  can report on your site to determine if it is safe for browsing and no detectable issues. The result should not be taken as proof of of a safe site. Also, if you use a Google Webmaster account it will also report if your site has security issues.


Please note that Mod_Security could potentially block you (or your ISP completely) because you are constantly logging in, uploading data and images etc. If you suspect this has occurred then raise a support ticket with your hosting provider to unblock your ISP IP address. You should include your external IP address (Google "whats my ip") when you submit a support ticket and a "tracert" screenshot or image snippet (see below).


Your web host provider may block all pinging to their web servers, so attempting to run a "ping" command from a command prompt on your PC may fail regardless if the web server is up and running or not.


Ideally you can run a "tracert" command from your PC using a command prompt. This will display every hop from your modem/router, through every Internet gateway to your web server.

C:\tracert  www.mywebsite.com

Also run a "tracert" from other locations in the world to determine if it is just you that is blocked.  http://www.traceroute.org/   provides a world wide list of websites that test from other locations. Select one close to you geographically.




Restoring a backup can be a last resort when critical parts of your website are corrupted and cannot be fixed, important files or databases deleted, or the website has been hacked and databases or program files are compromised. Backups should be performed for your website files which are in the WWW domain directory and all databases. A webserver control panel like cPanel would have backup function where it would download the Home directory to your computer as a compressed file. The database would also need to have a backup downloaded as a compressed file.


Your CMS could also perform a backup of the website and the associated database using a backup system installed as a module extension. One well known backup system is Akeeba.


Block access to backup files that accidently get left on the main web directory and also source files in the main web directory. Add the script below to the end of the  .htaccess   file in your main web directory.
These files may be left by some text/html editors or a misconfigured backup and pose a great security danger. Someone could possibly download and access the contents. This is just a precautionary measure.


<FilesMatch "(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$">
  Order allow,deny
  Deny from all
  Satisfy All



© 2019 Adrian Butterly WebBurble.Com. All Rights Reserved.