You know you shouldn’t keep your bulging wallet in your back pocket, but you still do. For starters, sitting on a fat wallet can ruin your back. But besides that, it just makes your wallet an easy target for thieves to pick out of your pocket. And there are few worse things than feeling your backside and realizing that your wallet’s gone.
That’s security for you. Security is only as tough as the weakest link, and oftentimes that weak link is you. Now that we live in a highly connected and mobile world, personal security involves all aspects of our digital lives as well.
If you have a website, that’s virtual real estate. So if you’re worried about burglaries and invasions of your home, you should also be worried about your website getting breached. Cyberattacks are expected to get worse, so it pays to give your online security a good look.
Much like the key to your front door, your administrator access gives you the easiest and widest entry to your website. Allow your administration pages to be breached, and everything on your site is easy pickings. So regardless of what content management system (CMS) you use, it pays to give your admin pages some tougher security. Here are 7 ways to help you secure them.
1 – Use a web application firewall
Attackers often run bots that scan for the default admin page URLs of popular CMSs like WordPress and Drupal. Deploying Incapsula’s web application firewall (WAF) lets you set custom rules on who gets to access your administrator pages. WAF services can also check requests against known malicious sources and automatically block them. If you want to be restrictive, you can even set your WAF to allow only your own connection’s IP address to reach your administration URLs.
2 – Use a user name other than “admin”
A few years back, popular CMSs used “admin” or “administrator” as the default admin user name. The problem with that is attackers then know exactly which user name to target in order to gain privileged access to your site. These attackers have lists of the most commonly used passwords, and having “admin” as the user name makes brute forcing that much easier for them: they only have to guess one half of the credential pair.
Today, CMSs like WordPress have changed this behavior, but many older sites that were set up a few versions back may still be using the default “admin” user name. Do your site a favor and change it.
3 – Use a strong passphrase
Password. Passphrase. What’s the difference? To encourage users to have longer login credentials, security experts recommend using a passphrase, since these are longer than the usual password and longer credentials take longer to crack. “ilovecheeseburgers” is a tougher password to guess than “burger”. Using leet, or substituting numbers and symbols for letters, helps too, e.g. “1L0v3ch33$3burg3r$”, since it expands the set of combinations that cracking tools have to work through.
4 – Use multifactor authentication
Sometimes people just get careless with their credentials. Using the same password across different websites also heightens the risk of compromise. If an attacker is able to break into one website, they can readily try the same credentials on other sites.
Multi-factor or two-factor authentication helps combat this by adding a verification step in the login process. An alert or code is sent to a mobile or email associated with the account to check if the attempt is legitimate. So even if an attacker gets hold of the credentials, they still have to pass the verification in order to gain access.
Websites can add this functionality to their admin pages. Google Authenticator has a project that can be integrated into your CMS. Select WAF services like Incapsula also offer multifactor authentication as part of their service.
5 – Secure your host and database account
Your site’s administrator account isn’t actually the most powerful account for your website. Rather, it’s the hosting account. Your hosting account has access to all the system files and the database used by your site, so attackers need not bother with your administrator pages if they can already take all of your site’s data from the web host. Use secure credentials for your web host and make sure they are different from your admin credentials.
If your CMS administrator and hosting accounts have an email associated with them for password reset options (most do), be sure that email account is secure, as well. You can also disable password recovery for your administrator account.
6 – Limit login attempts
Since brute force attacks guess login credentials continuously, you can limit a user’s login attempts to your admin pages. For example, a user gets locked out for 1 hour if they make three wrong login attempts. This way, most automated attacks get thwarted. Most popular CMSs have add-ons and plugins that add this functionality.
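The lockout rule just described (three wrong attempts, locked out for one hour), as an added example of the server-side logic a login-limiting plugin implements; this is not code from this post or from any particular CMS plugin. The clock is injectable so the one-hour lockout can be exercised without waiting, and the password-check function is a stand-in for whatever the CMS uses.

```python
import time
from typing import Callable


class LoginLimiter:
    """Per-user lockout for an admin login: after max_failures wrong passwords the user is
    refused for lockout_seconds, even if the right password is then submitted. Failures
    accumulate until a successful login or until the lockout expires (an assumption; the
    post does not say whether the three attempts must fall inside some time window)."""

    def __init__(self, max_failures: int = 3, lockout_seconds: int = 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: dict[str, int] = {}        # username -> consecutive wrong attempts
        self._locked_until: dict[str, float] = {}  # username -> unix time the lockout ends

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() < until:
            return True
        # Lockout has expired: clear state so the user gets a fresh set of attempts.
        del self._locked_until[username]
        self._failures.pop(username, None)
        return False

    def record_failure(self, username: str) -> bool:
        """Count a wrong password; returns True if this one triggered a lockout."""
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            return True
        return False

    def attempt_login(self, username: str, password: str,
                      check_password: Callable[[str, str], bool]) -> str:
        """Returns 'ok', 'denied' (wrong password) or 'locked' (refused without checking)."""
        if self.is_locked(username):
            return "locked"                   # no password check while locked
        if check_password(username, password):
            self._failures.pop(username, None)   # a successful login resets the counter
            return "ok"
        return "locked" if self.record_failure(username) else "denied"


if __name__ == "__main__":
    limiter = LoginLimiter()
    check = lambda user, pw: pw == "correct horse battery staple"   # constructed stand-in
    for guess in ("wrong-1", "wrong-2", "wrong-3"):
        print(guess, "->", limiter.attempt_login("admin", guess, check))
    print("right password now ->", limiter.attempt_login("admin", "correct horse battery staple", check))
```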
7 – Use SSL
SSL encrypts data being transmitted between your browser and the server. Without SSL, information can be intercepted, and credentials would show up plain as day if an attacker were to capture the traffic on an insecure network (like a public WiFi hotspot). With SSL, the data is encrypted, so even if the login attempt is intercepted, the information cannot be readily read.
As an added benefit, adding SSL to your website makes it more trustworthy for your users. If you are also concerned about your search engine ranking, Google has started to favor sites that have SSL (HTTPS) enabled so that’s another plus.