Making Sites More Secure
25 September 2009
Charities are more likely to have poor website security than organisations in other sectors, according to the Web Application Annual Security Report 2009. What kind of insecurities did the report find?
Not having account lockout mechanisms in place, for one. That's why on my websites (which use the Joomla! CMS) I use a number of security extensions to help keep them secure. Joomla! has one drawback: any web user can easily tell that a site is built with Joomla! by typing the URL of the administration area (i.e. www.site name.com/administration). This makes it easy for hackers to hack the site once they crack the ID and password for Joomla!. To stop this I install the jSecure Authentication module, which prevents access to the administration (back end) login page without an appropriate access key.
For additional security, I can also install a plugin called Eyesite which keeps an eye on the website, alerting the client by email if any files, anywhere in the directory structure, are added, changed, or deleted.
Even when doing every little thingaling to keep a site secure, you can't assume that you'll never be hacked. That's one reason it's very important to back up data on a regular basis. To do this I use an open-source backup component for Joomla! called JoomlaPack that creates a site backup that can be restored on any Joomla!-capable server.
Charities also frequently choose insecure passwords, which increase the chance of unauthorised access to accounts. Anything that can be guessed is really poor security and WikiHow has a helpful 8-step article on how to choose a secure password. Yay to web site security!


