Secure website

Every website is a target for hackers. Hackers no longer just focus on large or important websites. They use automated scripts to scan random websites for known security vulnerabilities. That's why it's crucial to have a secure website.

Why a secure website is important

Hackers don’t discriminate between small and large websites. In the past, they often caused visible damage, like posting political messages on websites (defacing), but now the focus is much more on financial gain. A hacked website can be exploited to:

Steal banking or personal information (phishing)
Send large amounts of spam (spamming)
Take down other websites (DDoS attacks)
Infect visitors with viruses or "Trojan horses"

Infecting computers with viruses and Trojans can lead to theft of personal and banking data, sending spam, adding the computer to a botnet, or encrypting files for ransom (ransomware).

How to have a secure website

To have a secure website, ensure regular updates of your CMS and the installed extensions. Remove any extensions you no longer use, and make regular backups. This way, you protect your website and visitors from potential attacks.

Stay up to date

Software can always have bugs, so it's important to keep everything updated. This applies to your CMS (like Joomla) as well as installed extensions. Don’t forget to update the server software too. PHP versions below PHP 8.1 no longer receive bug and security updates, so make sure you’re always running a supported version.

Backups

Regularly back up your website. This is especially useful when making significant changes, like a software upgrade, installing an extension, or editing a lot of content. Important: a backup that hasn’t been tested isn’t a real backup. Test your backups from time to time by restoring them in a different location, like on a PC.

Do you have a secure website?

Why is a secure website important?

Data protection

Many websites process personal data such as names, email addresses, physical addresses, and passwords. A secure website ensures that this data is only accessible to those for whom it is intended, and not to malicious actors attempting to gain access to this information.

Protection against cyberattacks

Unsafe websites are vulnerable to various types of cyberattacks, such as hacking, malware, and phishing. If a website is hacked, it can be used to spread harmful software or steal sensitive information. This can lead to financial damage, as well as a loss of user trust.

User trust

A secure website, recognizable by the SSL certificate and the "https" protocol in the URL, gives users confidence that their data is safe. Users are more likely to use a website they consider secure, especially when entering personal or financial information.

Higher search engine ranking

Search engines like Google place great importance on the security of websites. Websites with an SSL certificate (https) have received higher rankings in search results in the past. Websites without an SSL certificate (http) are no longer easily shown by some browsers, as they are flagged as untrustworthy and may be ranked lower in search results.

Compliance with regulations

In the European Union, the General Data Protection Regulation (GDPR) requires companies to protect personal data. Failure to comply with these rules can result in fines and legal issues. A secure website helps companies meet these regulations and avoid legal problems.

Reputation damage

A security breach or data leak can severely damage a company's reputation. Customers and users are less likely to do business with a company that fails to protect their data, which can result in loss of customers and revenue.

Financial damage

A hacked website can result in direct financial losses. Think of recovery costs, legal fees, and possible loss of revenue due to downtime or reputation damage. Having a secure website minimizes these risks and protects the company from unexpected costs.

How do you ensure a secure website?

Use of HTTPS (SSL/TLS certificates)

Install an SSL/TLS certificate to ensure that data transmitted between the user's browser and your website is encrypted. This changes your website URL from "http" to "https", which is essential for data security.
Transport Layer Security (TLS) ensures confidentiality and integrity of the data being transmitted.

Regular software updates

Only use software from trusted sources.
Ensure your website and all used software is up-to-date, including the content management system (CMS), plugins, and server-side software (PHP).
Outdated software often contains vulnerabilities that can be exploited by hackers. Regular updates are essential to fix these weaknesses.

Strong passwords

Enforce the use of strong passwords for all users. This is especially important for administrators and other staff with elevated access levels.
Use a password manager to generate and store complex passwords.
Consider applying two-factor authentication (2FA) for added security in login procedures.

Limit user permissions

Grant users only the minimal access they need to do their work. Limit administrator rights and ensure they are only given to those who truly need them.
Remove inactive accounts.
Avoid using "admin" as the default username.
Protect the admin login with an extra .htaccess password or additional URL token.

Use a firewall

A WAF on the server protects your website against common threats like SQL injections, cross-site scripting (XSS), and other attacks.
A WAF monitors and filters the traffic coming to your website. It can block malicious requests before they cause damage. For example, with Fail2ban, you can temporarily block accounts after a certain number of incorrect login attempts.

Regular backups

Make regular backups of your website. Store them in a secure, external location. This allows you to quickly restore your website if something goes wrong, such as a hack or server problem.
Automatic backups are recommended so that you always have a recent version of your website ready to restore.

Monitoring and logging

Continuously monitor your website for suspicious activity. You can use tools or services to detect break-in attempts, suspicious login attempts, or changes in files.
Keep logs of all traffic and activities on your website, so you can investigate suspicious patterns and respond quickly to attacks.
Joomla has a built-in Action Log feature that can log certain user activities.

Protection against DDoS attacks

Consider using services like a Content Delivery Network (CDN) or specific DDoS protection services such as Cloudflare. This helps protect your website from Distributed Denial of Service (DDoS) attacks that can disrupt your website's accessibility.

Secure your database

Ensure your database access is well protected. Place a MySQL database server behind a firewall and use SSL tunneling.
Use complex passwords and limit access to the database to only the systems that need it.
Use encryption to secure sensitive data, such as passwords, in your database. Use strong encryption techniques, such as a modern SHA hashing algorithm with a unique "salt" value, for added protection.

Use secure hosting

Choose a reliable and secure web hosting provider that regularly performs security updates, offers firewall protection, and has access to server logs. The server should be equipped with modern PHP/MySQL versions.
Consider managed hosting where the provider proactively applies security patches and monitors your website.
Arrange a maintenance contract to ensure your website software updates are regularly installed.

Remove unused software

Remove old extensions, plugins, files, or scripts that are no longer in use. If they are no longer updated, they could contain security vulnerabilities that attackers could exploit.

Content Security Policy (CSP)

CSP is part of the HTTP Security Headers. It is an extra security layer that helps prevent attacks like cross-site scripting (XSS). It allows you to restrict the sources that can be loaded on your website (e.g., JavaScript, CSS).

How we make your website more secure!

Stick to the core

We build and maintain websites as much as possible using the standard functionality of Joomla. We limit the use of external extensions and plugins to only what is strictly necessary because:

Easier management: Fewer extensions make it simpler to manage your website and resolve issues.
Fewer software conflicts: With fewer external extensions, you reduce the risk of conflicts between different software components.
Faster updates: You can perform upgrades faster and easier because there are fewer compatibility issues with third-party extensions.
Better performance: Every extension adds extra code, which can slow down your website. By sticking to the Joomla core, your website remains faster and more efficient.

Regular updates

With a technical maintenance contract, we ensure that both Joomla and all installed extensions on your website are kept up-to-date. Any security issues are resolved as quickly as possible.

Backups

We advise you on setting up a backup regime. If you have a technical maintenance contract, we regularly back up your website. These backups are stored offsite so we can quickly restore your website in case of problems.

Security optimization

We scan your website for known vulnerabilities. We provide technical support to fix these and install TLS/SSL certificates.

Restoring hacked websites

If your website does get hacked, we help you with the recovery. We analyze how the hack occurred, restore the website, and implement security measures to prevent it from happening again.

Want to know more?

Backups

Make backups regular. Backups are useful when doing major changes to the website, such as a software upgrade, the installation of an extension or many textual changes. An untested backup is not a backup. Test the backups by carrying out a restore on a different location, e.g., on a PC.

Up to date

Software may contain errors. Make sure all software is up-to-date: both Joomla as the installed extensions (extensions). Make sure that the server software is up-to-date. PHP versions prior to PHP5.5 are no longer supported with bug and security patches.

Website

Do you want an optimised professional website?

More about websites

Support

Do you need professional support for your website?

More about support

Questions?

Get in touch with us for all the possibilities!