How can I prevent my site from being compromised?

Application exploits are a regular feature of the eCommerce landscape, but in most cases they can be avoided. When an application is compromised, the methods used often involve something simple, such as a missed security patch or leaked user credentials.

If you were recently compromised and have yet to identify the cause, start with the list below before proceeding to more exotic exploits.

Or, even better, adopt these as best practices before you are compromised. As with medicine, so with site security: an ounce of prevention is worth a pound of cure.

Outdated software

Applications do not age well. This is true for nearly every content management system (CMS); WordPress, Magento, ExpressionEngine, and countless others gain serious vulnerabilities over time. This is not a reflection on the developers for these applications, just the nature of the beast. Maintainers for credible applications will release announcements for new vulnerabilities as they are found, and quickly release a patch that blocks them. If you are not already a subscriber to these maintainers’ mailing lists or feeds, then doing so will keep you informed, current, and much less likely to be compromised.

Third party extensions and custom code

Even if your CMS is current, any outdated third party extensions can likewise expose your site. It is not unusual for a site administrator to add ten or more extensions to their application for additional features and functionality. Not all extensions are created equally, and each must be watched for vulnerabilities and updates.

Custom code also cannot be ignored. While it may not be as obvious or widespread as publicly available extensions, regular code audits and testing will prevent many problems before they start, as will vulnerability scans from an Approved Scanning Vendor (ASV) and penetration tests against your application.

Weak or shared passwords

Weak passwords are an all-too-common vector for malicious attacks. Simple or obvious passwords (birthdays, names of family members or pets, your social security number, and so on) are easily obtainable, and brute-force attacks can make millions of guesses per second.

Even a strong password can fail if shared carelessly between individuals or applications. If you duplicate passwords across applications, it takes only one successful attack to threaten all of those applications.

For a list of best practices regarding password management, see How to create a secure password.

Vulnerable logins and services

Maintaining proper access control lists (ACLs) for your application is also crucial for proper security. Nearly every CMS has an administrative login to manage the application. Moving these logins to a non-standard web address, or even better, restricting access to only your IP address will do much to hamstring potential attackers. Other ancillary applications, such as file managers and administrative tools like phpMyAdmin, should likewise have access locked down to your IP address.
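As an added example (not part of this article), the following Apache 2.4 virtual-host fragment restricts an administrative login path and a phpMyAdmin directory to a single trusted address. The paths `/wp-admin`, `/wp-login.php` and `/phpmyadmin` and the address `203.0.113.10` are placeholders; substitute the admin path your CMS actually uses and your own public IP.

```apache
# Added example: lock administrative entry points to one trusted IP.
# "Require ip" admits only the listed addresses; everyone else gets 403.

# CMS administrative area (placeholder path; adjust for your CMS)
<Location "/wp-admin">
    Require ip 203.0.113.10
</Location>

# Login script that lives outside the admin directory (WordPress layout)
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# Ancillary tool such as phpMyAdmin (placeholder path)
<Location "/phpmyadmin">
    # Several trusted addresses can be listed; add an office range with CIDR.
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </RequireAny>
</Location>
```

If the site sits behind a CDN, load balancer or reverse proxy, Apache sees the proxy's address rather than the visitor's, so configure mod_remoteip (or the equivalent on your platform) before relying on this rule, and keep an out-of-band way in (such as SSH) in case your own address changes.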
