How to Clean a Hacked Joomla Site

If your website host or browser has blocked your Joomla! website, it means that your website could contain malware. You must utilize a Joomla! malware removal tool to scan your website and get rid of the malware.

Hosts will suspend accounts/websites containing malware. Browsers will block websites, including Joomla! websites, that contain malware, and display warnings such as: “The Website Ahead Contains Malware!” or “Deceptive Site Ahead.”

While this warning confirms malware infection, there are a number of indicators that could help you ascertain whether your site has been hacked.

  • Browsers display a malware infection warning and block access to your website
  • Your website host suspends your website citing malicious activity
  • New users (with malicious intent) have penetrated your account and their logins are displayed on the dashboard
  • Browsers display unexpected behavior on your website
  • Hackers have modified code or injected code into your website

Scan Your Joomla! webpage with a Joomla! malware Scanner

Scan your URL using Comodo’s Web Inspector tool – an online website malware scan and malware removal tool that allows you to quickly confirm if your Joomla! webpage contains malware.

This cloud-based Joomla! malware removal tool scans the website for possible virus and malware infection, detects security holes and vulnerabilities, and safeguards the website against advanced persistent security threats. The Web Inspector also monitors for website blacklisting and immediately warns the website owner before the website gets blacklisted.

Browser Blacklist Status – Browsers maintain a database of blacklisted websites, and they provide tools to check the status of your website. Google provides the status of your website as part of a “Transparency Report”.

After scanning your URL, check for recent modifications in core files. If malware has been injected recently, you should compare and find out any difference between earlier stable versions and the infected recent version. Cyber security experts recommend a comparison of suspicious and stable (good) files as one of the best ways to confirm malware infection. If you detect malware, then restoring with a clean backup would be the best bet.

Check for unauthorized users in your Joomla! account. Hackers could have inserted their name in the list. Analyze the logs for unusual/suspicious user activity.

If you confirm malware infection then you must clean the database tables by logging into an admin panel, searching for suspicious content and removing it manually.

Hackers typically plant a backdoor in the website so that they can inject malware or steal data any time they need. Intelligent hackers name their backdoors something similar to existing files so as to evade detection. These backdoors must be rooted out through file comparison and Joomla! malware removal tools.
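
The file comparison described above, as an added example (not code from the original page): it hashes a known-good copy of the same release and the live site, then reports modified, added and missing files, plus new files whose names match or closely resemble a core file name. The directory layout and file names in `build_demo_trees` are constructed sample data, and the 0.8 similarity cutoff is an assumption to tune.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_of(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def compare_trees(clean_root, live_root, lookalike_ratio=0.8):
    """Compare the live site against a known-good copy of the same release."""
    clean = hash_tree(clean_root)
    live = hash_tree(live_root)
    clean_names = sorted({Path(rel).name for rel in clean})

    report = {"modified": [], "added": [], "missing": [], "lookalikes": []}
    for rel, digest in live.items():
        if rel not in clean:
            report["added"].append(rel)
            # A new file named like a core file is a typical backdoor disguise.
            near = difflib.get_close_matches(
                Path(rel).name, clean_names, n=1, cutoff=lookalike_ratio
            )
            if near:
                report["lookalikes"].append((rel, near[0]))
        elif digest != clean[rel]:
            report["modified"].append(rel)
    report["missing"] = sorted(rel for rel in clean if rel not in live)
    return report


def build_demo_trees(base):
    """Create a constructed clean tree and a tampered copy (sample data)."""
    clean, live = Path(base, "clean"), Path(base, "live")
    files = {
        "index.php": b"<?php // constructed core file\n",
        "includes/framework.php": b"<?php // constructed framework file\n",
        "libraries/loader.php": b"<?php // constructed loader\n",
    }
    for root in (clean, live):
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
    # Tampering in the live copy: one edited file, one look-alike, one deleted.
    (live / "index.php").write_bytes(b"<?php // constructed core file, altered\n")
    (live / "includes/framewrok.php").write_bytes(b"<?php // constructed unknown file\n")
    (live / "libraries/loader.php").unlink()
    return clean, live


def run_demo():
    """Run the comparison on the constructed trees and return the report."""
    with tempfile.TemporaryDirectory() as base:
        clean, live = build_demo_trees(base)
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, items in run_demo().items():
        print(kind, items)
```

For a real site, point `compare_trees` at an extracted copy of the exact release you run and at a download of the live document root; files under user-content directories will show up as added and need manual review.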

Review by Web Spam Authorities

After getting rid of malware on your website, and confirming with a Joomla! malware scanner, you must ask the authorities who have blacklisted your website to review. They will remove your website from the blacklist following successful review.

Preventive Measures

  • Update the Joomla! software and all its components including core files and extensions.
  • Reduce accounts with super-administrator and admin privileges. Allow privileges only on a need basis and be very strict about it. Reset the passwords of all users. Make it mandatory for users to follow a strong password policy. Further, enable two-factor-authentication (2FA) for more security.
  • Implement a website firewall to prevent any further website infection. This can help block DDoS attacks and Brute Force attacks.
  • Implement a robust backup and restoration policy in line with the best practices in the industry.
  • Manual monitoring for suspicious activity is not effective. Use a Joomla! malware removal tool such as Comodo cWatch Web Security Service that provides comprehensive web application security to proactively detect threats that could infect your Joomla! website.

How To Remove Malware From Your WordPress Site

WordPress sites are at risk of being attacked and infected by malware at any given time. More than 74 million sites are powered by WordPress. Because all are connected to the same Content Management System, there is a high chance of websites being vulnerable to attack.

To determine if your site has been infected with malware and to clean it up and fix the damage, follow these simple steps:

1. Scan Your Website

Run a website malware scan to determine whether or not your site is really infected, and by what. A number of website malware scans are available online, including the cWatch scan by Comodo.

2. Change your cPanel and FTP Password

Once you are sure that virus scanning of the system is done, ensure that you change your FTP and cPanel passwords. Make the password complex, with a combination of numbers, lowercase and uppercase letters and special characters.

3. Download WordPress

Be sure to download WordPress from the WordPress site itself.

4. Extract Files from Zip

Extract the files from zip once you download the WordPress package on your system.

5. Remove the WordPress Malware infection

Login to your cPanel > File Manager

The WordPress Installation Files will look like

  • wp-admin
  • wp-content
  • wp-includes
  • index.php
  • license.txt
  • readme.html
  • wp-activate.php
  • wp-blog-header.php
  • wp-comments-post.php
  • wp-config.php
  • wp-config-sample.php
  • wp-cron.php
  • wp-links-opml.php
  • wp-load.php
  • wp-login.php
  • wp-mail.php
  • wp-settings.php
  • wp-signup.php
  • wp-trackback.php
  • xmlrpc.php

Retain the wp-config.php file and the wp-content folder and remove the other files and folders so the installation looks like:

  • wp-content
  • wp-config.php

Edit the wp-config.php file in your cPanel > File Manager. Check for unknown and vulnerable code.

The wp-content folder should look like this:

  • plugins
  • themes
  • uploads
  • index.php

Remove the plugins folder and index.php. Once the cleaning process is completed the plugins can be reinstalled.

WordPress Malware Scan Plugins

Many WordPress security plugins run inside the site to scan its files and database for malware. Plugin scans are more effective than remote scans. It is critical to delete plugins when they are not in use, as they consume a lot of resources and therefore slow down site performance.

Website security is quite challenging and if you are clueless on how to secure websites, get cWatch to enjoy FREE WEBSITE MALWARE REMOVAL. With cWatch, website security experts are available 24/7 to address website malware issues. It also guarantees robust malware scans and complete malware removal.

6. Upload the WordPress Again

The WordPress files which were extracted can be now uploaded through FTP.

7. Consider changing WordPress Admin Password and Re-install Plugins

The dashboard will be available to access now. Consider changing the admin password with a combination of characters, letters and numbers.

8. Get the Google warning alert removed

Once your site is malware free, submit a request to Google and get the warning message “This site may harm your computer” removed from your site.

Install cWatch and protect your website – Install Comodo cWatch which uses a Security-as-a-Service (SaaS) model to secure and monitor your website against malware attacks. Protect your website and customers with Security Information and Event Management through real-time security monitoring, advanced threat detection and incident management. It also provides DDoS protection, addresses malware attacks and automates the malware removal process.

1 Million Threats vs The Best Malware Removal Tool

One million is the number of malware threats released every day, according to CNN. Unless you live in a cave or you’re lost at sea, you probably spend a lot of time online. Yes, you know about viruses and you have an antivirus program. So, you’re protected, right? Probably not.

The threat landscape isn’t just about viruses anymore. There are new enemies in town, and they’re bigger and badder than ever before. Worse, many threats are designed to sneak by firewalls. A whopping 50 percent of the 1 million threats released daily can bypass most web application firewalls.

Malware is bad software, plain and simple. It is written with the intent of doing harm to data, devices or people. It comes in many forms, but one thing’s for sure: you don’t want it damaging your website and your business. It’s used by cybercriminals to steal passwords, money and even your or your customers’ personal identity. Imagine 500,000 threats are looking for a loophole every day. Does your website stand a chance?

We have to admit, it’s risky to run a website. But nowadays, owning and operating a website is essential for doing business. So, choosing the Best Malware Removal Tool is your best defense. You need something that can act like a weapon arsenal. Hence, your Malware Removal Tool should be able to do these:

1. It should be able to continuously monitor your website and immediately alert you in the event of a security incident.

2. It should be able to direct you to the main cause and help remediate it, hardening your websites to prevent future attacks.

3. It should be able to protect your website from malicious actors.

4. It should have 24/7 security monitoring by certified security experts using state-of-the-art technology that helps you respond to incidents.

Surf the web without fear.

How Well-Informed are You about PCI Scanning?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements created to guarantee that all companies that require and utilize credit card information maintain a secure environment.

Launched on September 7, 2006, the Payment Card Industry Security Standards Council (PCI SSC) manages the continuous development of Payment Card Industry (PCI) security standards with the focus on enhancing payment account security in every part of the transaction process. The PCI DSS is administered and managed by the PCI SSC, an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover, and JCB).

Remember, the payment brands and acquirers are accountable for enforcing compliance, not the PCI council.

Do You Conduct PCI Scans Regularly?

If you’re not having regular scans, your business may be out of PCI compliance and you may experience a data security breach. A breach means that someone has compromised your system and gotten hold of your customer data. You can lose a ton of money – or worse – your whole business.

Penalties and Fines

The penalties for a breach when you’re not PCI compliant can range from a slap on the wrist to significant fines. Issuing banks and credit card processors can be fined up to $500,000 for regulatory compliance violations. These costs are inevitably passed on to you, the merchant.

Noncompliance Damage

Merchants who lose their accounts are placed in the Visa/MasterCard Terminated Merchant File and are ineligible for another merchant account for several years. It irredeemably destroys your credibility, customer loyalty and, ultimately, your entire business. The results are devastating.

How Can You Stay Compliant?

Ensure PCI compliance with a web security service that satisfies most compliance mandates immediately. With Comodo cWatch, you get a secure environment for your site and extensive sets of reports that are required by compliance authorities.

Best Website Security Software

The best website security software can be defined as an application that can keep your websites, web servers and web applications safe, and protects them from hacks and malware. It must provide proactive protection and block threat actors and malicious attempts before they compromise your website, web servers, and applications.

In recent times, website malware attacks have risen sharply and have drawn huge attention from online users. Malware is the general term for several variants, and almost all malware variants are used for malicious activities by hackers. Website scanning can check a website for malware and reveal hidden malware.

Usually, malware infects websites, web servers, and applications through phishing emails, malicious online advertising that contains a malware payload, and software downloads from untrusted sources.

A simple search reveals the availability of hundreds of “malware scanning” tools. And many of them charge a hefty amount for malware removal. But “removal” is not a permanent solution. Your website can still get hacked and affected by malware. The infected website can bring a whole department or the entire organization to a grinding halt.

So, what is the solution? The solution is ensuring protection with Website Security Software. And antivirus solutions are not the right solution to protect your website.

What should a Website Security Software have?

You must first know the detrimental effects of malware affecting your website. This would help you select the best website security software to protect your website.

  • Websites affected by malware will get blacklisted
  • Your hosting provider will shut down your website
  • Search engines will display warnings about your website
  • Browsers will display warnings about your website, and prevent users from accessing your website
  • Malware will drastically slow down your website
  • Visitors to your website will be redirected to other websites (malicious)
  • Your website will succumb to DDoS attacks
  • Your website will be used for DDoS attacks as part of a bot network

Check for these Features in the Best Website Security Software

  • The website security software must have the capability to proactively block ANY type of attack on your website
  • It must regularly scan for malware and vulnerabilities
  • It must continuously monitor the website and alert any security issues
  • It must stop all hack attacks and prevent the exploit of vulnerabilities
  • It must prevent malware penetration
  • Don’t Forget The Passwords!
  • It must thwart DDoS attacks and brute force attacks
  • It must be capable of detecting zero-day vulnerabilities
  • It must check for possible blacklisting symptoms and warn you – the website owner/webmaster before the website gets blacklisted
  • It must include a Web Application Firewall (WAF) at all web servers to detect and filter embedded malicious website code
  • It must be able to block or mitigate the effects of various types of attacks such as HTTP Flood, User Datagram Protocol, Simple Service Discovery Protocol and Domain Name Server Denial of Service Attacks
  • Faster content delivery and enhanced website security through a “caching” content delivery network. Ironically, most website software provides only non-caching content delivery, which could be considered as a namesake feature that contributes nothing towards enhancing website security or optimizing website performance.
  • If you are an online merchant who has to handle credit cards online, then the software must ensure a simple and automated way for continued compliance with the required PCI DSS standards.

Self-Managed vs. Managed Website Security Software

If you have a single website or a dedicated IT cyber security team then you may be able to manage the security of your website with robust website security software having features as mentioned above. However, practically IT personnel are an overworked lot. They have plenty of routine tasks to monitor and the affordability and retention of certified and skilled cybersecurity personnel may not be viable for small and medium organizations.

Benefits Of Managed Website Security Services/Managed Security Service (MSS)

Some factors that make Managed Security Service (MSS) very attractive include:

#Server Maintenance

The service provider ensures that your web servers are working properly and there are no technical glitches that might cause your website to crash.

#Updates

With Managed Security Service (MSS) the user does not need to bother about updating software or hardware to keep their website, web servers, and applications working.

#System Monitoring

This is a vital maintenance aspect whereby the service provider closely monitors traffic spikes to ensure that the website does not crash at peak times.

#Data protection

The files are backed up on a routine basis and constantly checked for vulnerabilities. In an unanticipated situation, no data would be lost and could be restored quickly. The backups are regularly done for the web servers and applications to support rapid restoration if necessary.

#Security

The Managed Security Service (MSS) examines weak points on the website, web servers, and applications for malware, spyware, and suspicious traffic patterns. This ensures safety from malicious infections and keeps you aware of what type of traffic is going onto your website.

You could then consider the option of a Managed Security Service (MSS) provider who provides Security-as-a-Service. They would provide round-the-clock security and have a dedicated team of specialized cybersecurity professionals to protect your website. Considering the pros and cons you may find that opting for an MSS is more cost-effective in enabling better security than maintaining a dedicated security team.

The website security software must keep your website safe, and thwart all hacks and malware attacks!

Secure your E-commerce Website

E-commerce website owners have started to feel the heat, because as the holiday season starts, they will see a huge surge in traffic as people will start their shopping. The increase in traffic makes e-commerce businesses and their customers appealing targets for cybercriminals.

Their modus operandi is:

  • POS Credit Card Swipers
  • Diverting Payment Gateways
  • Infecting Malware Downloads

Credit card fraud is not a new threat for e-commerce shoppers, but card owners often have no knowledge of how hackers use their personal information to make money. E-commerce owners cannot ignore the fact that hackers are out there watching your activities, and the next target can be you. Needless to say, you are putting your website and business at risk by not adhering to security best practices and not being PCI compliant.

Point of Sale Credit Card processing

When a card is swiped through a reader, a code diverts the details of the card to the hackers, who have already injected malware into the checkout process in the machine.

The attackers inject the swiping machines with malware after having read the vulnerabilities on the website. Most attackers are well informed and have done their homework thoroughly. They create a backdoor entry to the website, and the owner fails to realize there is anything wrong. The hackers will not deface the website home page, but keep a loop planted there to track activity. As data is fed in it, it also goes into the hands of the hacker.

Dubious Payment Gateway

As mentioned above, hackers are smart, and they know how a process works. So no matter how good or reputed a payment gateway is, hackers will find a way to compromise it. The hacker can clone the website payment gateway page, so that users will not notice a difference between the hacker’s page and the original website. The shopper will end up sending the payment on the dubious gateway, and interestingly the inventory of the e-commerce website will mark the sales.

This is where PCI compliance is so crucial for e-commerce sites. Traditionally speaking, e-commerce websites should opt for a strong firewall. So when hackers try to gain access to your site, they will be blocked and not able to make any changes.

Virus or Malware Downloads

Malware attacks are not e-commerce specific; they attack every individual and business. But for an e-commerce website, a malware infection can be devastating, particularly during the shopping season. Hackers are one step ahead: if they manage to gain access to an e-commerce website, they will place malicious code that will infect visitors’ computers. So when the buyer is shopping he will get malware with each click.

Today, Google and antivirus companies can easily detect if there is any malicious code running in the background of a website. If malicious code is found, the website will be blacklisted. Users will receive warnings when they visit the e-commerce website. Citing poor traffic, the owners will be forced to look at their website to determine the next step.

How to Secure E-commerce Sites

Hackers are often one step ahead of business owners, and they keep evolving their strategy to evade detection. As always, the common factor that allows the hackers to compromise websites is vulnerabilities. These vulnerabilities can be a poor third party CMS or an outdated patch, so make sure you have filled those gaps on your website.

Scan your website for any vulnerabilities or any sign of compromise, but be aware that hacks are not visible in the source code. These files are intended to target your customers, and it is more likely to be hidden in the website database. The best way to keep yourself safe is to opt for cloud-based security with deep detection to protect you from all potential risk.

Five Ways to Avoid Getting Hacked This Holiday Season

With the holiday season around the corner, it’s good to prepare for holiday sales with proper website security.

An attack that’s targeted at your e-commerce website could cost you dearly. Just check the recent history of data breaches to get a clear picture of how such attacks could impact you. In this day and age, e-commerce website security is of utmost importance, especially because hackers are always on the lookout for vulnerable networks and websites to attack and steal data from.

Network security is important, but equally important for e-commerce businesses is website security. So, what should you do to ensure proper website security and web application security?

Here’s a look at how businesses can protect their website from getting hacked. Five simple tips that could mean a lot in regards to website security.

1) Have a strategy in place with a proper incident response plan

It’s always good to have a strategy in place for website security. Security experts could help form a clear, concrete security strategy. There could be costs involved, but you must remember that data breaches could cost you much more. Data breaches could even wipe out entire businesses. Similarly, it’s always best to have an incident response plan. Security incidents could happen anywhere and to anyone. All businesses, big or small, should have a proper incident response plan which would help them act immediately whenever a security incident happens, and take the necessary steps to recover data.

2) Protect your data, protect your web applications

Protecting the data on a business website and web application should be a top priority. Remember, a website is the most visible and most vulnerable part of any business. Lots of data get transmitted through a business website, including sensitive personal data of customers. Similarly, data is created, modified and stored in web applications. Hence, hackers tend to target vulnerable websites and web applications.

3) Update software regularly

Updating software is an integral part of website security. Any business that’s concerned with website security has to ensure that all plugins, themes, platform installations etc. are updated and are in their latest versions. While using third-party software on websites, make it a point to run updates and apply security patches.

4) Train and educate every employee

Every single employee in a business organization needs to be trained and educated in security practices. Instances of non-malicious employees causing data breaches by committing simple, silly mistakes are many. Such mistakes, though unintentional, could cause grave consequences to an organization and to thousands of customers. Therefore, it’s always good to educate and train employees on different aspects of security.

5) Test your security regularly

So, you have a security policy in place, and you have all the security software installed. Still, you need to take time to test your security on a regular basis. A penetration test helps assess the security of your IT infrastructure and your website, and helps identify any gaps in security.

Comodo cWatch is one of the best options for web application security and e-commerce website security. Use cWatch Web to clean up malware in your site, prevent future malware infections, and shut down hacking attacks.

Check Your Website Security Before It’s Too Late!

You’ve probably tried to visit a website before, only to find that your browser has blocked the site because one or more of its webpages contains malware. But how about the website owners? Do they realize that their site is infected? Shouldn’t they have noticed before your browser did? The answer is “yes.” Follow these steps to make sure your site is secured:

Check Out Google

There’s a way to validate your suspicion if your website does have malware or other issues. Google has a website for diagnosing unsecured websites. Please use http://www.google.com/safebrowsing/diagnostic?site=[SITE NAME]. Remember to change the [SITE NAME] into your site address. You’ll see a quick report on your website’s condition there. Though, Google won’t show you what kind of malware attacked you.

Stronger Password Combinations

When Google gives you a report and it has malware on it, you need to change all of your passwords. Use a stronger password combination this time. Avoid reusing passwords for different accounts.

The Hidden Danger

Even new hackers will use a certain attribute to display malicious links. The display=none attribute will prevent visitors and site owners from finding the intruder links. Nobody searches for how to eradicate malware until they have undeniable evidence. The average person might not notice malicious links right away, but search engine bots can. You can be deranked from search engines like Google if such links are found. It is easy to find the unwanted links, but you need to look very carefully for them. Here is what you should do:

  • Open your source code on a web browser. (Most browsers let you go to the Page Source under the View menu.)
  • Check for the and tags for strange links.
  • Look for links next to the “display=none” attribute.

If you know your code, then you will quickly identify the links that should not be there. If this is the first time you are looking at it, the malicious code will usually lead to porn or gambling websites. You can check the links you found or if they are obvious, just block them.
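
An added example, not from the original page, that automates the source check above: it parses a page and reports links and iframes that point to another host and are hidden by an inline `display: none` style (what this page calls the display=none attribute), either on the element itself or on an enclosing element. The sample HTML, the host names and the function name `find_hidden_links` are constructed for illustration; styles applied from external stylesheets or scripts are not covered.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline style that hides an element, tolerant of case and spacing.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none", re.IGNORECASE)
# Elements that never have a closing tag and so must not be pushed on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img",
             "input", "link", "meta", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__(convert_charrefs=True)
        self.site_host = site_host.lower()
        self.stack = []      # (tag, hidden?) for every element still open
        self.findings = []

    def _is_external(self, url):
        host = urlparse(url).netloc.lower()
        if not host:         # relative link, stays on this site
            return False
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        inherited = any(flag for _, flag in self.stack)
        url = None
        if tag == "a":
            url = attrs.get("href")
        elif tag == "iframe":
            url = attrs.get("src")
        if url and (hidden or inherited) and self._is_external(url):
            self.findings.append(
                {"line": self.getpos()[0], "tag": tag, "url": url}
            )
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Close the nearest matching open element; ignore stray end tags.
        for index in range(len(self.stack) - 1, -1, -1):
            if self.stack[index][0] == tag:
                del self.stack[index:]
                break


def find_hidden_links(html_text, site_host):
    """Return hidden external links/iframes found in html_text."""
    finder = HiddenLinkFinder(site_host)
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample page: three hidden external references, the rest benign.
SAMPLE_PAGE = """<html><body>
<a href="/contact">Contact</a>
<div style="display:none">
  <a href="http://casino.example.net/win">win</a>
  <a href="/sitemap">sitemap</a>
</div>
<a href="https://partner.example.org/">Partner</a>
<a style="DISPLAY : none" href="http://pills.example.net/">x</a>
<iframe src="http://ads.example.net/f" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_links(SAMPLE_PAGE, "shop.example.com"):
        print(hit["line"], hit["tag"], hit["url"])
```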

These steps will lessen or protect you from new attacks. Yet there might be security holes left on your website. Check if you have the most recent updates and look in a couple of days if your code is free of unwanted links. Allot another week for check ups again before you can finally say it’s a closed case.

Further Measures to Take

Having additional software to protect your website can give you immense benefits. Not only can it prevent damage, it also lessens the stress of securing a website. To secure all of your digital assets, you can use Comodo cWatch.

Comodo cWatch is a Managed Security Service for websites and applications that combines a Web Application Firewall (WAF) provisioned over a Secure Content Delivery Network (CDN). It is a fully managed solution from a 24/7 staffed Cyber Security Operation Center (CSOC) of certified security analysts and is powered by a Security Information and Event Management (SIEM) center that leverages data from over 85 million endpoints to detect and mitigate threats before they occur. Its other features are Security Monitoring, Web Application Firewall, Malware Removal, and PCI Scanning.

What is Website Security?

Website security is a critical component in protecting and securing websites and servers. Websites are scanned for any possible vulnerabilities and malware through website security software. This software can scan for backdoor hacks, redirect hacks, Trojans, and many other threats. Website security software notifies the user if the website has any issue and provides solutions to address it.

Enterprise networks are always at high risk of vulnerability, and ensuring website security is vital. If the network gets compromised, the server and the website get compromised as well – this would let the malware infiltrate through the enterprise network and introduce malware activities.

Features of a good Website Security Plan

  • Malware scan
  • Malware removal
  • Manual malware and hack removal
  • File change monitoring
  • Blacklist/spam monitoring
  • Blacklist removal
  • Security monitoring
  • Advanced DDoS mitigation
  • Web Application Firewall (WAF)
  • Content Delivery Network (CDN)
  • Site Seal

Website Security Issues

Your website handles customers’ sensitive personal data such as bank credentials, social security numbers and other vital information like credit card details. There are a lot of website security issues that might occur in a myriad of ways:

Website Source Code

When the website code is not well developed there are a lot of security issues. If your web server and web apps are complex to manage – weaknesses, bugs and security flaws are a sure thing. The more dynamic the site, the more possibilities of bugs and security holes.

Website Visitor Access

There are websites that create a space for visitor interaction, much like a chat room or any other option to make the site visitor-friendly. Nevertheless, this brings a higher chance of the website being vulnerable. When there is an avenue through which visitors are allowed to access corporate resources, it becomes more complex to distinguish between genuine and malicious visitors. So restricting or stopping the unauthorized bad guys is a challenge.

Website Security Software

Website Security Software equips the website for protection against cyber attacks. Vendors use this software to provide a Website Security Service, usually under a managed Security-as-a-Service (SaaS) model.

Malware doesn’t differentiate

Malware is not biased. Security attacks are automated and all websites are prone to attack. There is no specific target on the websites. Website Security builds website reputation and customer trust. This ensures that the website is malware proof and the customers’ data are well protected.

Website Security Attacks are becoming more sophisticated

Hackers find new and innovative ways to attack a website. Malware is designed and developed to identify vulnerable websites. The intentions behind such malicious activities differ: while the purpose of some malicious attacks is to steal data, others aim to extend malicious activity over a longer term.

Better performance

Website security software improves the overall website load time. The Content Delivery Network stores the website content on multiple servers available globally.

Consistent scanning and Instant Malware removal

Website security assures regular, thorough, in-depth website scanning at the server level.

Advanced security monitoring

It is not just about infection of the website itself. Website security also oversees the related DNS, SSL and WHOIS information to ensure that customers or visitors are not redirected to a malicious website, and protects customers from sharing private information.

Absolute Malware prevention

It obstructs malware before it can infect the website. The website security system uses a Web Application Firewall (WAF) to check and verify all incoming data and to filter out malicious code before it can mount an attack.

Tips to Improve Your Website Security

If you have a website, you must ensure that it is secure. You are probably following certain practices already, and you may have website security software to protect your website from malware and hackers. This blog will guide you through the best practices in website security. While there are plenty of guides, this article provides a comprehensive view of tips to improve your website security.

Software Update – You are probably updating your software already; however, you must ensure regular and prompt updates for the server operating system, the applications, and the website security software. Though performing updates for your webserver requires time and resources (including testing), it must be done regularly. Unpatched software is exploited by hackers through zero-day exploits. Most websites get compromised due to unpatched or outdated software. If you use a Content Management System such as WordPress, you must apply CMS updates as soon as they become available. Make use of automated alerts about update availability, as it may not be possible to check for updates manually on a regular basis. According to best practices in website security, you should use a patch management system.

Separate Database Server – Experts recommend maintaining separate web servers and database servers for better website security. Though the cost may be prohibitive for small organizations, it does make sense when you have to handle customer credentials and other data.

Avoid Hosting Multiple Websites on a Single Server – You can host multiple websites on a single server. Though it saves you considerable capital investment, web security experts do not recommend this practice. A server with a single content management system (CMS) such as WordPress or Joomla will provide a single theme and a couple of plugins that can be targeted. However, multiple websites translate into multiple CMS and plugins that can be targeted. A successful breach of a single website may allow the infection to spread to other websites hosted on the same server.

Password Policy – Define a strong password policy and stress the importance of policy adherence to all users. Recommend passwords of at least 14 characters, with a mix of letters, numerals and special characters. Do not use dictionary words or personally relatable information such as date of birth, phone numbers or vehicle numbers. If the system permits, use passphrases. Do not reuse passwords. Password managers are useful; however, there is a mixed verdict regarding their security. Change ALL default passwords, and do not share them.
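The policy above expressed as a checker that could run at password-change time; this is an added example, not code from the original article. The word list, the substitution table, the four-character threshold for personal data and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 14  # minimum length from the policy above
# Constructed sample list; a real deployment would load a full dictionary file.
DICTIONARY = ("admin", "dragon", "joomla", "password", "summer", "welcome")
# Undo common character substitutions before the dictionary check.
LEET = str.maketrans("013457@$!", "oieastasi")
CLASSES = {"letter": r"[A-Za-z]", "numeral": r"[0-9]",
           "special character": r"[^A-Za-z0-9\s]"}

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(password):
    """Return a (salt, digest) pair to keep in the user's password history."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def check_password(password, personal_info=(), history=()):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"missing a {name}")
    lowered = password.lower()
    decoded = lowered.translate(LEET)
    for word in DICTIONARY:
        if word in lowered or word in decoded:
            problems.append(f"contains dictionary word '{word}'")
    # Compare with separators stripped, so 1984-07-21 matches 19840721.
    squashed = re.sub(r"[^a-z0-9]", "", lowered)
    for item in personal_info:
        token = re.sub(r"[^a-z0-9]", "", item.lower())
        if len(token) >= 4 and token in squashed:
            problems.append("contains personal information")
            break
    # History holds salted digests only, never earlier passwords in clear.
    if any(hmac.compare_digest(_digest(password, s), d) for s, d in history):
        problems.append("reuses a previous password")
    return problems
```

Passing the user's date of birth and phone number as `personal_info` and the stored `remember()` pairs as `history` covers the personal-data and reuse rules in one call.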

User Access Control – According to best practices in website security, be stringent about providing access and permissions. Provide access and the necessary permissions only when absolutely required. Monitor user activity and logs for rogue behavior. Always use separate user accounts, as this allows you to track activity.

Backup Policy – Ensure regular backups to a different location – preferably the cloud. Do not store the backup on the same webserver. Data stored in digital form is at risk and could be lost. Backup data will help restore uncorrupted data in case of malware infection.

CMS Solution Management – Most users continue to use the default settings and passwords due to convenience. However, this is a vulnerability. Automated attacks try to exploit default settings and passwords.

CMSs offer numerous extensions, add-ons, and plug-ins. Some are third-party offerings, and some are paid or free. Extensions make work easier; however, use only extensions that are absolutely necessary and download them only from legitimate sources.

SSL for eCommerce Website – An SSL certificate will encrypt communication, secure sensitive information shared by website visitors, prevent Man-in-the-Middle attacks, and showcase the authenticity of your website. And if you are an eCom merchant you need it for PCI compliance.

Configuration File Security – Typically there are three types of webservers – Apache, Nginx and Microsoft IIS servers. You must know the implications of the rules set in the webserver configuration files. You must protect the webserver configuration file and other sensitive files.
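One way to check that configuration files are protected is to audit the web root for over-permissive modes and for leftover copies of those files. This is an added example, not code from the original article; the file names, permission ceilings and suffix list are assumptions to adapt to your server.

```python
import os
import stat

# Assumed policy for this example: file name -> most permissive mode allowed.
MAX_MODE = {"configuration.php": 0o640, ".htaccess": 0o644,
            "web.config": 0o644, "nginx.conf": 0o644}
# Suffixes that editors and manual backups leave behind; such copies are not
# treated as PHP or server config and may be served to visitors as plain text.
COPY_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~")

def audit(root):
    """Return sorted (relative path, issue) pairs for files under root."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root)
            if name in MAX_MODE:
                info = os.lstat(path)  # lstat: inspect the link, not its target
                if stat.S_ISLNK(info.st_mode):
                    findings.append((rel, "symlink"))
                    continue
                # Bits set on the file that the ceiling does not allow.
                excess = stat.S_IMODE(info.st_mode) & ~MAX_MODE[name]
                if excess:
                    findings.append((rel, f"excess permission bits {excess:04o}"))
            elif name.endswith(COPY_SUFFIXES) and any(
                    base in name for base in MAX_MODE):
                findings.append((rel, "stray copy of a sensitive file"))
    return sorted(findings)
```

Run `audit()` against the document root after each deployment; an empty list means no listed file exceeds its ceiling and no stray copies were found.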

Website Security Application – Manual monitoring to ensure website security is impossible. According to the best practices in website security, you must use a Web Security Solution, such as the Comodo cWatch Web, that will scan your websites, servers and applications for malware and vulnerabilities; and detect and prevent malware threats, zero-day vulnerabilities, DDoS attacks, and brute-force attacks.

Follow the above-recommended tips and best practices in website security to improve security for your website.