Use a Firewall on Your Web Servers - A firewall is your first line of defense against an attack. A firewall is simply software or hardware that keeps a firestorm of problems from propagating throughout the network. The firewall should be placed at all access points to the network, to improve your web server security. Installing a firewall won’t make your website hacker proof, but at least it’s a good starting point.
Enforce Strong Security Policy - Rules are of little value if they are not enforced. Don’t just ask users and administrators to use strong passwords, configure the requirement as part of your security policy. And run regular audits to ensure that the rules are being followed. As a matter of fact, it is while doing audits that evidence of a hack is uncovered, in a large number of cases.
Turn off Unused Web Services - Not only will your servers run faster, by having less to do, but turning off unused services will reduce the number of ways that your website can be compromised. Consider turning off FTP and remote control services and remove shells and interpreters (i.e. Perl) you don't need. If there are any unnecessary directories, delete those also.
Apply Patches and Software Updates - To stay ahead of new security threats, you must apply the software updates and patches that are provided by your software and hardware vendor. These updates will ensure that hackers won’t be able to exploit certain known vulnerabilities in your equipment.
Backup Your Data - Having backups ensures that you can recover your data should the worst happen. However, backups are of no use if they are not current. Ensure that you routinely backup your files and keep copies in a secure location, preferably offsite to protect them against theft or a fire on your premises.
It is OK to have a backup of the daily, or even weekly transaction records on your server. Keeping a copy there will allow you to quickly retrieve important data if the need arises. But just in case there is a complete failure of your server or your file storage system, you need to have copies stored offsite.
Limit Resource Access Rights - Regardless of whether certain users are perceived to be a threat, they shouldn’t have access to information they don’t need to do their work. Not even the manager should have access to everything, if he doesn’t need it to do his job. This limits the exposure your website will have, if the security of one account is compromised, or a user messes up some critical data. Be sure to delete inactive or dismissed employees as quickly as possible.
Access rights can also be maintained by isolating any mission-critical data or resource from the rest of the network, including any external network such as the Internet or an extranet. While this might not be practical in some instances, it is one of the most effective ways to protect a network or website against hackers, viruses and malware. These resources can be isolated by using a subnet, or by having a secondary server in another location.
Physically Secure Your Equipment - In addition to the risk of having your equipment stolen, leaving your network equipment and servers physically unsecured exposes your entire network to security breaches. You may have applied the latest patches and implemented the latest security measures, but if your equipment is not locked away, your efforts at securing your network may have already been compromised. You must keep the doors to your sever room and equipment rack closed.
Most of the equipment that you work with will come with reset buttons to bypass security measures, just in case the password is lost. If someone can gain physical access to your equipment they can reconfigure your equipment to suit their purpose. Consider a case where the network administrator has configured two routers to handle separate domains or subnets for security reasons. If someone has access to the routers they can use an Ethernet cable to connect the routers and bypass your security measures, especially if there are no other safeguard configured in your network architecture.