How to protect a website using a CMS from hacking

Let's talk about protecting CMS systems. The CMS can be written by you or another team of developers, or it can be well-known and widely used like WordPress or Bitrix.
CMS developers are constantly working to fix vulnerabilities, so choosing a popular system with frequent updates can be a safe option. But it is important to consider that updating a CMS can not only close vulnerabilities, but also expose new security holes.
Web applications built on a CMS are a popular target for hackers. Attackers hack websites to send spam, create articles with redirects to their web applications, use them as storage or file sharing, and steal personal data. So let's talk about ways to protect a CMS.
Update your CMS
The update includes work to fix vulnerabilities. Therefore, the main rule of protection is to constantly update the CMS automatically or manually.
Other ways to improve security are also important, but with an outdated version of the system they will not be as effective.
Update themes and plugins
The update advice also applies to CMS plugins and themes: they are installed in the server file system and can therefore embed their own JavaScript code on the site - this is the danger.
Be sure to keep plugins and themes up to date. Disable those you haven't used for a long time, or update them - they may contain vulnerabilities known to hackers. Before updating, always create a backup copy of your site and database, and after updating, check their operation.
Fewer plugins
Every plugin can become a threat if it is poorly written or contains vulnerabilities. So limit the number of active plugins and remove those you don't use. This will not only increase the level of protection, but also speed up the site.
Hide CMS data
A good way to protect yourself is to change the default admin login address. For example, in WordPress the address looks like example.com/wp-admin. It can be changed to any other: example.com/narnia, example.com/door, example.com/platform34. The main thing is to make the URL more unique and suitable for you. It is better not to use the standard example.com/admin or example.com/administrator - there are ways to search for addresses, and such URLs are easy to find. It is also worth hiding information about the CMS version - it tells an attacker which already known vulnerabilities apply to that version.
Use a reliable hosting company
Many successful attacks on CMS occur due to insufficient server-side security. So use a reliable hosting provider that keeps security up to date. When choosing hosting providers, read their blogs, ask technical support questions, look at ratings and reviews, and look for news about incidents related to a particular provider.
Improve your login information
Do not use the username admin or administrator - these are standard names for the main administrator account. Hackers try to crack such names first - and often quite successfully.
If you already have an account named admin or administrator, create a new user with full administrator rights and a more secure username. Then log in as that user and delete the old account.
Create a secure password
All previous methods of protection are meaningless if some user has a password of 123456, password or qawsedrf. If this is your case, change the password to a more reliable one - you can use the Strong Password Generator service for this. And do not forget to change the password from time to time.
There are also CMS plugins to encourage site users to create a secure login password.
Back up regularly
When a site gets hacked, you'll be in a much better position if you have a backup. It can be created using various services and plugins. Additionally, you may want to look into the backup methods your hosting provider offers. For example, many offer daily backups.
Limit the number of login attempts
Limit the number of login attempts - this will protect you from automatic password guessing. There are also various plugins that monitor unsuccessful login attempts by IP and, if necessary, prohibit further password guessing.
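An added example, not part of the original article or of any plugin: a minimal Python sketch of the per-IP logic such a plugin applies, replayed over constructed login events. The class name, the thresholds and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Per-IP limiter: too many failures inside a time window trigger a lockout."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> time the lockout ends

    def is_blocked(self, ip, now):
        if now < self._blocked_until.get(ip, 0):
            return True
        self._blocked_until.pop(ip, None)     # lockout expired
        return False

    def record_failure(self, ip, now):
        recent = self._failures[ip]
        recent.append(now)
        while recent[0] <= now - self.window:  # forget failures older than the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.lockout
            recent.clear()

    def record_success(self, ip):
        self._failures.pop(ip, None)


def replay(events, throttle):
    """events: (seconds, ip, password_ok) tuples in time order; one outcome per event."""
    outcomes = []
    for now, ip, password_ok in events:
        if throttle.is_blocked(ip, now):
            outcomes.append("blocked")         # rejected before the password is checked
        elif password_ok:
            throttle.record_success(ip)
            outcomes.append("ok")
        else:
            throttle.record_failure(ip, now)
            outcomes.append("failed")
    return outcomes


# Constructed sample events; the addresses come from documentation ranges.
A, B = "203.0.113.7", "198.51.100.4"
SAMPLE_EVENTS = [(0, A, False), (10, A, False), (20, B, False), (30, A, False),
                 (40, A, True), (50, B, True), (331, A, True)]


def demo():
    return replay(SAMPLE_EVENTS, LoginThrottle(max_failures=3, window=60, lockout=300))
```

While an address is locked out, even a correct password is rejected, which is what stops a guessing run from succeeding on a later attempt.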
Choose your own table prefix
CMS use their own prefixes for tables. For example, the default prefix in WordPress is wp_. If you are only getting ready to install a CMS, change the prefix to something that's hard to guess.
If the CMS is already installed, the prefix cannot be changed: otherwise you will lose access to the database.
Set correct file permissions
Choose the correct permissions for files on the server to avoid unauthorized downloads or modifications of files. Permissions can be changed using an FTP client such as FileZilla or a plugin with similar functionality, for example, All In One WP Security & Firewall for WordPress. The permission values should be like this:
— for files — 644 or 640,
— for the configuration file — 440 or 400.
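An added example, not part of the original article: a Python audit that walks a site directory and reports files whose mode is outside the values listed above. The function names and the sample tree are constructed for illustration, and wp-config.php is assumed as the configuration file name.

```python
import os
import stat
import tempfile

FILE_MODES = {0o644, 0o640}      # values the article gives for ordinary files
CONFIG_MODES = {0o440, 0o400}    # values the article gives for the configuration file


def audit_permissions(root, config_names=("wp-config.php",)):
    """Return sorted (relative_path, mode) pairs for files whose mode is not allowed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)               # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue                      # only regular files are audited
            mode = stat.S_IMODE(st.st_mode)   # permission bits only
            allowed = CONFIG_MODES if name in config_names else FILE_MODES
            if mode not in allowed:
                findings.append((os.path.relpath(path, root), format(mode, "03o")))
    return sorted(findings)


def demo():
    """Build a small constructed site tree in a temp directory and audit it."""
    sample = {  # constructed sample data: relative path -> mode
        "index.php": 0o644,
        ".htaccess": 0o640,
        "wp-config.php": 0o644,                           # too open for a config file
        "wp-content/plugins/example/plugin.php": 0o666,   # world-writable
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("<?php // placeholder\n")
            os.chmod(path, mode)
        return audit_permissions(root)


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"{mode}  {rel}")
```

Run `audit_permissions()` against the real document root after every update or plugin install, since installers can reset modes.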
Block access to the configuration file
For example, in WordPress this is the file wp-config.php.
Bottom line
There are many ways to protect a website. We recommend starting by updating your CMS, plugins and themes to the latest version, as well as checking plugins for accuracy.