In today's world of ever-increasing online threats, starting a new website can be a daunting task. Whether you're launching your own blog, news site or online shop, there are a number of security issues to be aware of. Here are a few tips on how you can keep your website super secure.
Making Your New Website Super Secure

Use a secure password and change it regularly
As well as choosing a strong password in the first place, it is important to change it periodically, and immediately if you suspect it has leaked. Secure passwords should be long and mix letters, numbers and symbols, and should never be plain dictionary words such as 'password' or '12345'. Quite often people try to get a little smart with substitutions like 'pa55w0rd', but cracking tools try exactly these variants first, so avoid them. Instead make your passwords long and random, for example by taking the first letter of each word in a phrase that only you would know and remember, or better still let a password manager generate and store a unique password for every site.

Remember to keep up-to-date backups
It is important to take regular backups of your website so that you can get back up and running in the event of any kind of problem, whether that is corruption of your website, loss or accidental deletion of data, or a security incident. Keep at least one copy somewhere other than the web server itself, since an attacker who compromises the server can delete backups stored alongside it, and test from time to time that a backup can actually be restored. We go into great detail on this in our guide on how to back up your website, but briefly here we will give a mention to the great Backup.

Secure your administrative email address
Make sure that the admin email address you use to log in to your website is itself secure: give it a strong, unique password and turn on two-factor authentication if your provider offers it, because anyone who controls that mailbox can use the "forgotten password" link to reset your site's admin password. This address should be completely different from any addresses listed on your site's contact page. Keeping it private makes it harder for scammers to target you with phishing emails disguised as messages from your hosting company.

Delete your installation folder
Once the installation has finished, the installer folder no longer needs to exist on your web server. If it is left in place, anyone can reach it over the web and run the installer again; from there they can empty your database and take control of your website and its content. Delete the folder outright. Renaming it is a weaker alternative, since a guessable new name or a directory listing can still reveal it, so if you must keep it, also block web access to it.

Injection
These occur when web apps send user input and other untrusted data to an interpreter, such as a SQL database, in a way that lets the data be parsed as code. Attackers like those working for Gonzalez find these bugs using scanners and can exploit them to steal password tables or other sensitive data. The flaws can also be milked to carry out denial-of-service attacks or even completely take over the underlying web server. Individual vulnerabilities can be so numerous that they're often akin to garden weeds that are hard to completely eradicate. Sanitising user input before handing it to a back-end server helps, but it is easy to miss an encoding or a context, so it should not be the only defence. OWASP's preferred way of avoiding injection attacks is to employ "a safe API which avoids the use of the interpreter entirely or provides a parameterized interface."
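The following is an added example, not code from the original page, showing the difference between building a query by string concatenation and using a parameterized interface. It uses Python's built-in sqlite3 module against a constructed in-memory database with two made-up rows; the table and the payload are assumptions for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash_a"), ("bob", "hash_b")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: the username is spliced into the SQL text, so the
    interpreter parses whatever the user typed as part of the query."""
    sql = (
        "SELECT username, password_hash FROM users WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    """Safe: the driver sends the value separately from the SQL text, so it
    is never parsed as SQL no matter what characters it contains."""
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A classic tautology payload; with concatenation the WHERE clause becomes
#   username = 'x' OR '1'='1'
# which matches every row and dumps the whole password table.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("concatenated:", find_user_vulnerable(conn, PAYLOAD))    # both rows
    print("parameterized:", find_user_parameterized(conn, PAYLOAD))  # []
```

The parameterized version returns nothing for the payload because there is simply no user whose name is the literal string `x' OR '1'='1`; the same idea applies to ORMs and prepared statements in every other language.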
Keep software up to date
It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website such as a CMS or forum. When website security holes are found in software, hackers are quick to attempt to abuse them. If you are using a managed hosting solution then you don't need to worry so much about applying security updates for the operating system as the hosting company should take care of this. If you are using third-party software on your website such as a CMS or forum, you should ensure you are quick to apply any security patches. Most vendors have a mailing list or RSS feed detailing any website security issues. WordPress, Umbraco and many other CMSes notify you of available system updates when you log in.

Error messages
Be careful with how much information you give away in your error messages. For example, if you have a login form on your website you should think about the language you use to communicate a failed login attempt. Use a generic message such as "Incorrect username or password" so as not to reveal when a user got half of the credentials right. If an attacker runs a brute-force attack and the error message gives away that one of the fields is correct, they know they have that field and can concentrate on the other. The same applies to "forgotten password" and registration forms, which should not confirm whether an account exists, and to response time: if an unknown username fails instantly while a known one takes a moment to check the password, the timing leaks the same information as the message would.
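As an added example (not code from the original page), here is a login check that illustrates both halves of the point above: it returns the same generic message whether the username or the password was wrong, and it runs the same password-hashing work for unknown usernames so that the response time does not betray which accounts exist. The user store, salts and passwords are constructed for the demonstration and are assumptions, not anything from the page.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the demo


def hash_password(password, salt):
    """Slow, salted hash so that checking a password costs real CPU time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, password hash). Not real data.
_SALT_ALICE = b"0123456789abcdef"
USERS = {
    "alice": (_SALT_ALICE, hash_password("correct horse battery staple", _SALT_ALICE)),
}

# A dummy credential hashed at the same cost as a real one. It is used when
# the username is unknown, so the request does the same work either way.
_DUMMY_SALT = b"fedcba9876543210"
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)

GENERIC_FAILURE = "Incorrect username or password"


def login_leaky(username, password):
    """Anti-pattern: a different message (and far less work) for unknown
    users tells an attacker which usernames exist."""
    if username not in USERS:
        return (False, "Unknown username")
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return (False, "Incorrect password")
    return (True, "OK")


def login_generic(username, password):
    """One message for every failure, and the hash is always computed, so
    neither the text nor the timing reveals which half of the guess was right."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Compare first (always doing the expensive hash), then require that the
    # account really exists so the dummy record can never authenticate.
    ok = hmac.compare_digest(hash_password(password, salt), stored) and username in USERS
    return (ok, "OK" if ok else GENERIC_FAILURE)


if __name__ == "__main__":
    print(login_leaky("nobody", "x"))       # (False, 'Unknown username')
    print(login_leaky("alice", "wrong"))    # (False, 'Incorrect password')
    print(login_generic("nobody", "x"))     # (False, 'Incorrect username or password')
    print(login_generic("alice", "wrong"))  # (False, 'Incorrect username or password')
    print(login_generic("alice", "correct horse battery staple"))  # (True, 'OK')
```

`hmac.compare_digest` is used for the hash comparison so that the comparison itself does not exit early on the first mismatching byte. Rate limiting and account lockout still belong in front of this check; a uniform message only stops the error text from doing the attacker's work for them.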