Of all of the potentially catastrophic scenarios that could befall your website, an insecure server is high on the list. However, avoiding this is something that’s almost completely under your control.
Although you can’t guarantee that malicious users won’t attack your site, you can severely reduce the likelihood of them succeeding, both now and in the future. Even simple tasks such as carrying out a ‘credentials audit’ will help practically any site.
This piece will look at some basic techniques for protecting your server. However, before this, let’s quickly discuss the overall importance of keeping your site’s server secure. Let’s get started!
The importance of securing your WordPress website’s server
We almost feel bad for mentioning site security, given that it’s likely a subject you’ve heard plenty about already. However, the reason it’s repeated so much is because we’re still seeing the same security issues crop up time and time again.
For example, a quick glance at the OWASP Top Ten will show little movement in prominent security concerns. In fact, the list remains remarkably similar year after year. This tells us that the basics of keeping sites safe aren’t being followed properly.
In a nutshell, securing both your site and your server is crucial. Securing your site stops malicious attacks, while keeping your server locked tight halts those attackers from accessing your data in the first place. This offers much more of a security benefit, as you can imagine. With this in mind, let’s get down to the nitty-gritty!
4 basic measures to secure your website’s server
To help keep your site safe, we’re going to show you a few different ways to secure your server below. First of all, we’ll look at the most important consideration – blocking access to the server at source.
1. Employ a server-side web application firewall
For the uninitiated, a Web Application Firewall (WAF) does what it says on the tin. It’s a way of protecting web applications, sites, and practically anything sitting on a server deployed on the web. They’re vital for offering a virtual barrier between your ‘good’ server, and ‘bad’ traffic, such as bots and hackers.
Implementing a WAF is much simpler than it might appear. In fact, there are a few quality solutions we’d recommend, especially for server-side options. However, before discussing these, let’s just quickly differentiate between server- and application-level tools:
- Server-side: This will halt malicious traffic as it tries to enter your server, which obviously offers greater protection.
- Application-level: This will offer little to no server protection, as the primary goal is to only protect your site.
Given the above, you’ll want to focus on server-side options. In our opinion, two of the best options are Cloudflare and Sucuri. The latter even has a WordPress plugin to protect your site even further, and the whole suite of services is of stellar quality.
2. Choose a high quality web host
The importance of a stable and secure website can’t be overstated. In fact, it’s arguably just as crucial as any other consideration you make. The quality of your server is directly proportional to the quality of your host. As such, you’ll want to pick the best option.
There are plenty of ways you can judge a web host, but specific to your security needs, checking out the under-the-hood specifications is a good place to start. It’s also helpful to ascertain just what they offer when it comes to security provisions out of the box, and to take into account how ‘current’ their technology is.
You can also check out online reviews to see if people have particular complaints about security. And remember, as a general rule a well-known, long-established hosting provider will be trustworthy.
GoDaddy offers a range of safe and secure hosting options, including WordPress hosting.
3. Select a secure web hosting plan
After you’ve picked a web host, it’s time to choose a plan. Getting this right is important as it can make or break your site’s (and by extension, your server’s) security. If you’re unsure about how they differ, consider the range of available plans.
As a general rule of thumb, lower costs will mean a lean towards shared servers. This isn’t going to be the best choice for enterprises or other high-traffic sites, as you’re ultimately sharing space and resources with several other sites.
While the chances of a successful hacking attempt are slim, poor security on one site hosted on the server could impact others. This would obviously be a particularly grim way of experiencing a site breach.
Depending on your needs, you may wish to consider a virtual private server from GoDaddy, or if you're creating a large, high-traffic site then you should think about opting for a dedicated server.
4. Make sure your credentials are solid and safe
Finally, we’re taking a bit of creative licence when it comes to server security. This is because the credentials you choose aren’t necessarily going to protect your server per se. However, they represent a good ‘best practice’ to implement, and we’d wager this will influence your approach to security elsewhere on your site.
Even so, you’d be surprised at how many sets of credentials you need to run a site. Here are just a few locations where you’ll need a login:
- Your hosting account.
- Server-based email.
- Third-party server tools, such as a Content Delivery Network (CDN).
- Your server itself, in order to edit files.
- Your site (for example, the WordPress login page).
Even keeping track of these could be tough without a plan in place, and that’s without making sure the credentials you enter are encrypted. If they’re not, data can be siphoned off by hackers, so making sure connections are made through Secure Shell (SSH) is a good idea. Remember, this also applies to File Transfer Protocol (FTP) clients, if you use one.
To finish off, you’ll also want to choose good passwords. Here is our simple advice on creating a secure password:
- The length of your password is important. As a general rule, the longer your password, the better. This is because a long password makes it harder for an automated programme to "guess" your password.
- Single words, even if they're long, are usually a no-no, especially with shorter passwords. However, there’s nothing wrong with butting together several words to make a harder-to-crack password. In fact, the popular XKCD webcomic took a funny look at this in a now-famous strip a few years ago.
- Adding special characters (such as numbers and symbols) can enhance the solidity of a password.
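To put numbers on the three points above, here is an added example (not part of the original article) that generates random passwords and multi-word passphrases and compares the size of their guess space in bits. The sample wordlist, the 7776-word list size used for the comparison and the guess rate of 10 billion per second are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed sample wordlist, for illustration only. A real passphrase should
# draw from a large list (Diceware-style lists contain 7776 words).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "maple",
                "lantern", "gravel", "pillow", "harbor", "violet", "cactus",
                "ribbon", "tunnel", "walnut", "meadow"]
ALL_CLASSES = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Guess-space size in bits, valid only when every symbol (character or
    word) is picked uniformly at random. Human-chosen passwords score lower."""
    return symbols * math.log2(choices_per_symbol)

def random_password(length: int, alphabet: str = ALL_CLASSES) -> str:
    """Random password built with the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def passphrase(words: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Several random words butted together, as the article suggests."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))

def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def compare() -> dict:
    """Entropy for the cases the article's three rules describe."""
    n = len(ALL_CLASSES)
    return {
        "1 word from 7776": entropy_bits(7776, 1),         # single word: weak
        "8 lowercase letters": entropy_bits(26, 8),
        "8 chars, all classes": entropy_bits(n, 8),        # symbols help
        "4 words from 7776": entropy_bits(7776, 4),        # several words
        "6 words from 7776": entropy_bits(7776, 6),
        "16 chars, all classes": entropy_bits(n, 16),      # length helps most
    }

if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:24s}{bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years")
    print("example passphrase:", passphrase(6))
    print("example password:  ", random_password(16))
```

A single dictionary word is worth about 13 bits, while four random words land close to an eight-character password that uses every character class.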
As you can see, password strength could directly affect server security, so it’s a good idea to consider this. What’s more, you’ll often take those considerations into your day-to-day security provision, meaning all aspects of your work get a security boost.
Lots of pieces talk about website security, and that’s because it never stops being an important concern. However, less is discussed about securing your actual server. Some of this is down to a lack of knowledge on the subject, but other times it’s a resignation that there’s only so much you can do.
Even so, there are still steps you can take to lock down your site at the server level. Let’s recap them now:
- Implement a server-side WAF to stop malicious users before they can access your site.
- Make sure you choose a web host that prioritises security.
- Choose a web hosting plan that can handle the level of security you wish to implement.
- Having strong credentials is a fundamental consideration.