Easy Steps to Secure Your Website from Hackers
How to Make Up Secure Passwords That Are Memorable
11 August 2020There are many reasons for you to protect your website from hackers. If you have an eCommerce website then you would probably have already faced a hacking attempt. Hackers target even simple websites and you would not even guess the reason. You definitely need website security.
Keep software up to date
It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website such as a CMS or forum. When website security holes are found in software, hackers are quick to attempt to abuse them.
If you are using third-party software on your website such as a CMS or forum, you should ensure you are quick to apply any security patches. Most vendors have a mailing list or RSS feed detailing any website security issues.
Shield your website against SQL injection
An SQL Injection attack is when an attacker uses a URL parameter to manipulate your database and thereby gain access to your site. You are also at serious risk of becoming a victim of an SQL Injection attack if you are currently utilizing a standard Transact SQL, because it’s very easy for an attacker to type in a rogue code into your query to gain access to your data and information.
To stop this from happening to you, you need to use a parameterized query, which is simple to implement as most web languages have it
Guard Against XSS Attacks
An XSS, or Cross-site Scripting, attack stands in contrast to other kinds of attacks (such as an SQL Injection like we talked about previously) in that they are designed to attack the users of an application or server rather than the application or server itself.
Attackers accomplish this by injecting a malicious JavaScript code into the output of a web application. They can inject this malicious code into your search fields, forums, comments sections, and cookies. Any of these areas are very vulnerable to Cross-site Scripting.
By installing the malicious code, the attacker will be able to gather cookie data, which could contain sensitive user information such as their credit card numbers, session IDs, and login information.
The best way to protect against an XSS attack will be for your Web application to use an advanced SDL, or security development lifecycle. The purpose of an SDL is simply to limit the number of coding errors in your application
Check your passwords
Everyone knows they should use complex passwords, but that doesn’t mean they always do. It is crucial to use strong passwords to your server and website admin area, but equally also important to insist on good password practices for your users to protect the security of their accounts.
Passwords should always be stored as encrypted values, preferably using a one way hashing algorithm such as SHA. Using this method means when you are authenticating users you are only ever comparing encrypted values. For extra website security it is a good idea to salt the passwords, using a new salt per password.
Limit file uploads
File uploads are a major concern. No matter how thoroughly the system checks them out, bugs can still get through and allow a hacker unlimited access to your site’s data. The best solution is to prevent direct access to any uploaded files. Store them outside the root directory and use a script to access them when necessary. Your web host will probably help you to set this up.
If you have a file upload form then you need to treat all files with great suspicion. If you are allowing users to upload images, you cannot rely on the file extension or the mime type to verify that the file is an image as these can easily be faked. Even opening the file and reading the header, or using functions to check the image size are not foolproof. Most images formats allow storing a comment section that could contain PHP code that could be executed by the server.
Use HTTPS/SSL
Use an encrypted SSL protocol to transfer users’ personal information between the website and your database. This will prevent the information being read in transit and accesses without the proper authority.
If you have anything that your users might want private, it’s highly advisable to use only HTTPS to deliver it. That of course means credit card and login pages (and the URLs they submit to) but typically far more of your site too. A login form will often set a cookie for example, which is sent with every other request to your site that a logged-in user makes, and is used to authenticate those requests. An attacker stealing this would be able to perfectly imitate a user and take over their login session.
Watch Your Email Transmission Ports
A prime target for attackers to access your information will not be your actual website but rather your email.
If you are communicating through the IMAP Port 143, POP3 Port 110, or SMTP Port 25 ports, then your email transmissions are NOT secured. If, on the other hand, you are communicating through the IMAP Port 993, POP3 Port 995, or SMTP Port 465, then your emails are secured because those ports are secured via encryption.
Beware of error messages
Be careful with how much information you give away in your error messages. Provide only minimal errors to your users, to ensure they don’t leak secrets present on your server (e.g. API keys or database passwords). Don’t provide full exception details either, as these can make complex attacks like SQL injection far easier. Keep detailed errors in your server logs, and show users only the information they need.
Back-up frequently
Just in case the worst happens anyway, keep everything backed-up. Back up on-site, back up off-site, back up everything multiple times a day. Every time a user saves a file it should automatically back up in multiple locations. Backing up once a day means that you lose that day’s data when your hard drive fails. Remember every hard drive will fail.
