The most common point of failure for new sites is their susceptibility to spam, denial of service attacks and code vulnerabilities. What are the necessary steps to take to avoid all these?
Control Your Traffic
First and foremost is, there needs to be a protection against the evil scripts that constantly scan sites looking for security holes. This is the traffic that directly hits your site. The best way to implement this type of protection is to scan traffic before it hits your site. This can only be done by using a proxy service at the DNS level. It can be a separate VPS or cloud box with not very many resources that would scan your traffic and then redirect it to your main site. We use CloudFlare to relay traffic to our sites. Not all hosting providers support it as it requires some preliminary set up but we have set up all our servers to fully utilize it. CloudFlare manages all DNS requests coming to your site, use blacklists of dangerous IP addresses to block requests from them and cache images and scripts to save your bandwidth.
In addition, it’s important to have a script or plugin for your site’s software that can tell real visitors apart from bots that are just snooping around. It should also be smart enough not to block any legitimate search engine scans. We have developed a Protection Against DDoS plugin for WordPress which we eagerly share with our customers and partners that does just that and does it well.
Keep Your Software Updated
With latest versions of WordPress in particular it’s very easy to set up automatic updates of WordPress application as well as all of the plugins. If you haven’t done any customization work to your plugins or your theme, this is a must-have feature. Enable it as quickly as you can. There are services on the Internet that allow to manage multiple sites from one location and set up automatic updates too. We are currently in development of our own plugin that would allow smooth upgrades even if there was some customization done to plugins.
Disable and Outsource All Email Services
If you have your emails on the same server your website is one, you will have issues! It’s just a matter of time. There are a lot of regulations about how emails should be sent and how bounced or unsolicited emails should be handled that it would require a long process to make everything work perfectly. Therefore, it’s better to not have your emails on the same server where your web site is. There are two parts to it:
1 – Emails that are sent from your site
2 – Emails that you connect to from an email program or webmail
Everything your site sends can be overwhelming but if you relay that through a service like Mandrill you will be able to actually see what goes out (they have very nice reports) and be able to make the necessary adjustments.
As far as regular emails use services like Gmail or Outlook (although they are pretty expensive) or our dedicated email service. Most providers have email services enabled by default, so you will have to ask them to disable them for you and help you set up the once that were described above.
Disable Comments on Your Site
Replace comments on your site with Facebook comments or disable them completely if you don’t need them.
Use Strong Passwords
Some online attacks can successfully guess your passwords if they are weak. We have covered this in our Creating Strong Passwords and Avoiding Weak Ones article.
Scan Your Computers for Viruses
This is the most common reason why your account would get hacked. Some viruses have abilities to log in with your passwords and then do whatever they need to do to your account to compromise it. Prevent this by using very strong AntiVirus software like Kaspersky Antivirus.