How to Fortify Your Website Against Hackers

October 21, 2014 Timothy Online Presence

Another week, another hacked company. Today it's Staples. Last week it was Home Depot. Next week, you?

Every year the Arkansas SBTDC gets one or more calls from small businesses whose websites have been compromised. Most often it's a WordPress site; other times it's one of the popular shopping carts. In nearly every case the break-in could have been prevented.

Preventative Measures

1. Choose strong passwords. It often seems that every time people see the word password, they think of a spy movie: "What's the password?" "Cheese." A secure password is NOT a single word, or two words, or even a word or two with a date. A secure password is a long string of seemingly random letters, numbers and punctuation. "But I can't remember a long random string!" You don't have to. Choose a favorite phrase or saying and use the first letter of each word, keeping the original capitalization and punctuation. For example, Charles Dickens's "It was the best of times, it was the worst of times," becomes "Iwtbot,iwtwot,". Need numbers? Pad your password fore and aft. Adding 3, 5 and 7 we get "357Iwtbot,iwtwot,357". At 20 characters drawn from all four character classes, this password meets most complexity rules and is far too long to be guessed by trying every combination. All you have to remember is your favorite quote and your padding sequence. Two cautions: a famous quote is a poor choice precisely because it is famous, since attackers can build the same abbreviations from the same quotes, so pick a phrase of your own; and never use the example above itself, or reuse a password from one site on another.
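The first-letter rule above, as an added example that is not code from the post: `mnemonic` applies the rule, `padded_mnemonic` adds the fore-and-aft padding, and `brute_force_years` turns "long enough" into a number by estimating how long exhaustive guessing of a password of that length and character mix would take. The guess rate (10 billion per second, roughly a fast offline cracking rig) and the set of punctuation the rule keeps are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the post: the first-letter rule described
# above, plus a rough estimate of how long exhaustive guessing would take.
# The guess rate (1e10 per second) is an assumption chosen for illustration.

# First letter of each word, keeping its case and any trailing punctuation.
mnemonic() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= NF; i++) {
            w = $i
            tail = ""
            if (match(w, /[.,;:!?]+$/)) tail = substr(w, RSTART)
            out = out substr(w, 1, 1) tail
        }
        print out
    }'
}

# The same, padded fore and aft with a sequence the owner remembers.
padded_mnemonic() {
    printf '%s%s%s\n' "$2" "$(mnemonic "$1")" "$2"
}

# Alphabet an attacker must assume, from the character classes present
# (26 lower, 26 upper, 10 digits, 32 printable ASCII punctuation).
alphabet_size() {
    n=0
    case "$1" in *[[:lower:]]*) n=$((n + 26)) ;; esac
    case "$1" in *[[:upper:]]*) n=$((n + 26)) ;; esac
    case "$1" in *[[:digit:]]*) n=$((n + 10)) ;; esac
    case "$1" in *[[:punct:]]*) n=$((n + 32)) ;; esac
    echo "$n"
}

# Years needed to try every string of this length over that alphabet at
# $2 guesses per second (default 1e10). Done in awk floating point and
# printed in scientific notation because 94^20 overflows shell integers.
brute_force_years() {
    awk -v a="$(alphabet_size "$1")" -v n="${#1}" -v r="${2:-10000000000}" \
        'BEGIN { printf "%.0e\n", (a ^ n) / r / 31557600 }'
}

# Usage: sh passphrase.sh
if [ $# -eq 0 ]; then
    pw="$(padded_mnemonic 'It was the best of times, it was the worst of times,' 357)"
    echo "$pw -> $(brute_force_years "$pw") years of guessing"
    echo "cheese -> $(brute_force_years cheese) years of guessing"
fi
```

The estimate is an upper bound: it assumes the attacker must try every string and knows neither the scheme nor the source phrase. A quote that appears in wordlists is effectively one guess, which is why the phrase should be your own.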

2. Change the administrator account name and dashboard location. Most software installs with an account named "admin" and the administration dashboard in the /admin directory. Attackers know this and use it to their advantage, so change both. WordPress and the popular shopping carts provide instructions for renaming your admin account. Who expects SweetiePie58 to be the all-powerful administrator account? Make sure the new name isn't leaked elsewhere: WordPress uses the login name as the default display name and builds author-archive URLs from it, so set a different display name and check that /?author=1 doesn't reveal the login.

Not only can you change the account name; often you can also change the dashboard's location. Attackers use scripts that scan the Internet for dashboards at the default /admin location. If yours isn't there, an automated scan won't find it, and the scanner moves on to the millions of easier targets. WordPress hard-codes its /wp-admin and /wp-login.php paths, so its directory can't simply be renamed (plugins exist that rewrite the login URL instead), but many ecommerce shopping carts support a custom admin directory. Treat this as a way to shed automated noise, not as a security control: anyone targeting your site specifically will still find the login page, so the other steps here still apply.

3. Harden your site against hackers. Security instructions exist for most major software packages; few business people take the time to implement them. Don't become a statistic: take the extra time to apply the best practices for your website's content management system. Usually this consists of copying and pasting a few lines of text into your site's .htaccess file (on Apache-based hosting, which is what most shared hosts run). Make a backup copy of .htaccess before you paste, just in case you goof, and then load a few pages of the site afterwards: a malformed .htaccess takes the whole site down with a 500 error, and the backup is how you get it back.
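The backup-then-paste routine in step 3, as an added example that is not code from the post or from any CMS project: the script copies .htaccess to a dated backup, then appends a set of common Apache hardening directives exactly once, so running it twice doesn't stack duplicates. It assumes an Apache host with AllowOverride enabled for the document root (both the Apache 2.4 `Require` and the older `Order`/`Deny` syntax are included, guarded by `IfModule`); the directory passed in and the block markers are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the post: back up a site's .htaccess and
# append a common set of Apache hardening directives exactly once.
# Assumes Apache with AllowOverride on for the document root; the directory
# passed as $1 is a placeholder chosen by the caller.

harden_htaccess() {
    root="$1"
    ht="$root/.htaccess"
    [ -f "$ht" ] || : > "$ht"

    # Step 3's advice: keep a dated copy to restore if the edit goofs.
    # Apache's stock config refuses to serve any file whose name starts
    # with ".ht", so the copy is not downloadable from the web.
    cp -p "$ht" "$ht.bak.$(date +%Y%m%d%H%M%S)"

    # Running this twice must not stack duplicate blocks.
    if grep -q '^# BEGIN hardening (added example)$' "$ht"; then
        return 0
    fi

    cat >> "$ht" <<'EOF'

# BEGIN hardening (added example)
# No directory listings: visitors should not browse for plugins or backups.
Options -Indexes

# Files the server reads but no browser should ever be able to fetch.
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Backup, dump and editor leftovers that end up in the web root by mistake.
<FilesMatch "\.(bak|sql|old|orig|swp|log)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
# END hardening (added example)
EOF
}

# Usage: sh harden.sh /path/to/site/document-root
if [ $# -eq 1 ]; then
    harden_htaccess "$1"
fi
```

After running it, load the home page and one inner page: if the host does not permit `Options` in .htaccess, Apache answers every request with a 500 and the dated backup is the way back. The `Options -Indexes` and `FilesMatch` lines are the parts worth keeping even if you paste them by hand.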

4. Keep your software updated. Most attackers exploit known, published weaknesses in your website's software, so keep it updated and patched. Usually this consists of nothing more than accepting your website software's offer to update itself or a plug-in. If you're not running version 1.1, then the well-known version 1.1 bug can't be used to break in. Plug-ins and themes count too: they are updated separately from the core package and are a frequent way in.

5. Don't ever store credit card information. Don't store financial information on your web server or in a database. In fact, you should strongly consider offloading the processing, and as much of the liability as you can, to someone else. Hand your customers over to the merchant processor's site, such as PayPal, before any financial information is entered. After the transaction, the merchant processor sends your customer back to your site. If you do decide to store credit card details, PCI DSS compliance is mandatory, not optional, and the assessment burden is far heavier than for a site that never touches card numbers.

If you need to discuss your merchant processing options, you can make an appointment with an Arkansas SBTDC business consultant by calling 800.862.2040.


About Timothy Lee

Tim, the Arkansas Small Business and Technology Development Center's webmaster and technical training specialist, has been with ASBTDC since 1995. He retired from the U.S. Air Force with the rank of master sergeant. He's a bit gung-ho, turns cat food cans into cook stoves, and keeps packing ASBTDC equipment for rapid worldwide deployment, but he's your "go to" guy for technical solutions and full-scale disasters.

Mobile Payments, Security, WordPress
