5. List of the most popular passwords on the Internet according to splashdata.com
6. Secure Password
Example password                | Easy to remember? | Hard to guess?
123456                          | YES               | NO
VVW^kv7xEUk5fd&GV1uA#R          | NO                | YES
Better to be safe than sorry!!! | YES               | YES
7. Two Factor Authentication
Two Factor Authentication is an extra layer of security that requires not only a username and password but also something that only the user has with them, such as a physical token.
WordPress: plugins available such as Rublon or Two-Factor Authentication Plugin
Joomla: built-in support for Google Authenticator and YubiKey
8. Other precautions
Introduce HTTP basic authentication
Limit backend access to specific IP addresses
Require HTTPS/HSTS connections
Manage multiple passwords using a password manager (LastPass, 1Password)
10. Web Application Firewall
A Web Application Firewall protects a website against the vast majority of common attacks.
WordPress: Sucuri, CloudFlare
Joomla: Admin Tools, Sucuri, RS Firewall
11. Malware Scanner
A malware scanner is a tool that checks website files against a list of known malware and alerts you to any modifications.
WordPress: Sucuri, iThemes Security
Joomla: Admin Tools, Sucuri
12. Once website security is compromised, every installed security tool can be compromised as well.
14. Backup frequency
A backup is a complete copy of a website, including code, images (and other media files) and database, that can be used for restoration at any time.
Every website should be backed up regularly. The recommended backup frequency depends on how often the website changes. In most cases it’s somewhere between 1 and 30 days.
15. Backup storage
A backup stored on the same server is not a backup.
If a website is hacked, its backups can be hacked/deleted/encrypted as well.
If a website is lost due to a server malfunction, its backups are lost as well.
In Perfect Dashboard we recommend storing backups either in our cloud, on AWS or on any other external disk space.
16. Backup integrity
You don’t have a backup unless it can be used for restoration.
According to Perfect Dashboard statistics, 1 out of 10 backups fails integrity testing. The most common reasons are:
errors while creating backup archives
errors while copying backup archives over the Internet
Here’s how we do integrity testing in Perfect Dashboard.
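As an added illustration (not Perfect Dashboard's own code), the check below covers both failure reasons listed above: it records a SHA-256 manifest of the site files at backup time, then proves the archive can actually be opened and every file restored with matching content. The sample site, the truncated copy and the tampered manifest are all constructed inline.

```python
import hashlib
import io
import tarfile
import tempfile
import zlib
from pathlib import Path

def create_backup(site_dir: Path) -> tuple[bytes, dict[str, str]]:
    # Archive every file under site_dir into an in-memory tar.gz and record a
    # SHA-256 manifest, kept apart from the archive so it cannot vouch for itself.
    manifest, buf = {}, io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path in sorted(p for p in site_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(site_dir).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
            tar.add(path, arcname=rel)
    return buf.getvalue(), manifest

def verify_backup(archive: bytes, manifest: dict[str, str]) -> list[str]:
    # Return every problem found; an empty list means the archive opens and
    # every backed-up file is present with the content recorded at backup time.
    problems, seen = [], set()
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                seen.add(member.name)
                data = tar.extractfile(member).read()
                if hashlib.sha256(data).hexdigest() != manifest.get(member.name):
                    problems.append(f"content mismatch: {member.name}")
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        problems.append(f"archive unreadable: {type(exc).__name__}")
    problems += [f"missing file: {n}" for n in sorted(set(manifest) - seen)]
    return problems

def demo() -> dict[str, list[str]]:
    # Constructed sample site; "truncated" simulates a copy cut short in transit,
    # "tampered" a manifest that no longer matches the archived index.php.
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "wp-content").mkdir()
        (site / "wp-content" / "db.sql").write_text("CREATE TABLE wp_options (x INT);\n")
        archive, manifest = create_backup(site)
    return {
        "intact": verify_backup(archive, manifest),
        "truncated": verify_backup(archive[: len(archive) // 2], manifest),
        "tampered": verify_backup(archive, {**manifest, "index.php": "0" * 64}),
    }
```

Run the verification against the copy that actually sits in off-server storage, not against the archive that is still on the web server.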
18. Every extension or theme is a potential backdoor
Thousands of security bugs are discovered in extensions & themes every year. This covers both free & commercial versions (sometimes very popular ones). That’s why you always need to be ready for updates.
Check whether the developer uses the default updater to announce security releases.
Check whether the developer requires additional payment for access to updates.
19. Source matters
Even a trusted extension from an untrusted source is a potential security threat.
4 years ago we discovered that copies of our Perfect Contact Form distributed on torrents had malware injected into the code. So even though the extension itself never had any security issues, those users got hacked. Full story:
https://www.perfect-web.co/blog/67-perfect-ajax-popup-contact-form-free-download-torrent-virus
Replace extensions / themes from untrusted sources with secure ones.
20. Get rid of unused extensions & themes
Whether you use them or not, they are still a potential security threat. That’s why removing such extensions & themes is beneficial. It may also improve website performance and reduce backup size.
WordPress: Remove all unused Themes, Plugins & Widgets
Joomla: Remove all unused Components, Modules (not the instances), Plugins & Templates
22. What needs to be updated
Server software (often even on shared hosting)
Apache / NGINX
PHP (5.5 or higher)
MySQL (5.5 or higher)
CMS
Extensions / Themes
23. Course of conduct
1. Find out that an update is required
2. Back up
3. Verify backup integrity
4. Download update files (optionally)
5. Update
6. Test the website after the update
7. Fix errors after the update (optionally)
Alternatively:
1. Use Perfect Dashboard
2. Fix errors after the update (optionally)