Even for those who don’t believe their site has any value to hackers, hacking is a very real threat. It is important to understand that websites are literally compromised all the time, and the majority of security breaches are not intended to steal your data or deface your website, but rather to use your server as a spam email relay, or to set up a temporary web server to serve illegal files.
The most common instances of hacking are performed by automated scripts that are written specifically to scour the Internet, attempting to exploit commonly known website security issues found in software.
Take a look at these top tips to ensure you are keeping yourself and your website safe while online.
#1. Keep Software Up to Date
This first tip may seem obvious to some, but it is not possible to underestimate the value. In order to keep your site secure, it is critical to ensure that all software is kept up to date. This applies to both the server operating system and any software, including CMS and forum, that may run from within the website. Hackers are quick to attempt to abuse any security holes in software that can be found.
There is no need to worry so much about the application of these important security updates when using a managed hosting solution, as the hosting provider will do this on your behalf.
It is important to quickly apply any security patches when using third party software on your website. Most vendors have a mailing list or RSS feed that clearly details any website security problems, and immediately upon logging in, most of them let you know of any problems.
#2. SQL Injection
SQL injection attacks occur when a web form field or URL parameter is used by the hacker to gain access or manipulate the database. It is simple for attackers to insert rogue code into your query when using standard Transact SQL, which is used to change tables, obtain information and delete important data. By always using parameterised queries, this problem is easily avoided, and most web languages come equipped with this feature and it is easily implemented.
#4. Error Messages
It is important to be careful how much information you disclose from error messages, such as the language used when a failed login message is displayed. Messages should always be kept generic, and should not give details as to whether or not part of the query was correct. If an attacker attempts to get a username or password for a brute force attack and the error message indicates which part of the query is wrong, it makes it easier for the attacker to determine which part is wrong and gain entry from other attempts.
#5. Server Side Validation/ Form Validation
When done on both the server side and the browser side, validation is always best. The browser is capable of detecting simple failures such as empty mandatory fields, but these can be bypassed and it should be ensured that these validations are checked, as well as deeper server side validations, as failure to do so can lead to the insertion of malicious or scripted code into the database or to unwanted results on your website.
The fact that complicated passwords are wise is no secret, but not everyone listens to this advice. Using strong passwords is crucial in relation to your server and website admin areas, but it is equally as important to insist users follow good practice passwords in order to maintain the security of their accounts.
To better protect their information, password practices should be enforced that require a minimum of eight characters, and include at least one numerical digit as well as one upper case letter.
Passwords must always be stored as encrypted values, and a one-way hashing algorithm is preferable, meaning users are authenticated by comparing encrypted values. Salting passwords is a great way to give additional security to passwords.
If an attack takes place, the use of hashed passwords could potentially help to reduce the damage, as they can not be decrypted. It makes it even more difficult for attackers to hack when using salted passwords, considerably slowing the process and making it quite costly to execute.
On a positive note, many CMSs provide user management solutions out of the box that have many of these security features built into them, with only minimal tweaks and adjustments needed to have the ideal level of security.
#7. File Uploads
It is a huge security risk to allow users the ability to upload files of any sort to your website. Any uploaded file could potentially carry a script that when executed opens up your website. It is critical to treat all files with great suspicion if file uploading is permitted, and file extension or mime type is not a reliable means of identification as they can be easily faked. Most image formats have a space for a section of comments that could contact unsafe PHP code.
Restricting users from executing any file they upload is the best way to prevent this. By default, web servers do not attempt to execute files containing image extensions, but the extension check cannot be completely relied on.
Options to work around this include changing the name of the extension while uploading or changing file permissions to ensure the correct file extension. The most recommended solution is to completely prevent direct access to uploaded files. This ensures that any files uploaded to your website are stored or stored as a blob in a folder outside the webroot in the database. This will require a script that will fetch and deliver the folders to the browser.
Most hosting providers handle server configurations for you, but you will need to check a few things if your website is hosted on your own server, such as:
- Ensuring the configuration of a firewall that blocks all non-essential ports. If there is no access to the server from an internal network, this may not be possible, as ports would need to be opened to allow things like
- uploads and remote logins.
- If you are allowed to upload files from the internet, use only secure means of transport, such as SFTP or SSH.
- Have your database on a server other than your web server, if possible. This means that it is not possible to access the database server directly from the outside world, and only your web server can access it. The risk of data exposure is minimized by this.
- Never ignore limiting your server’s physical access.
SSL is a security protocol commonly used over the Internet. Using a security certificate is recommended whenever personal information is passed between a website and a web server or database. This information could be looked at by attackers, and if the information is not kept safe, it is likely that they could capture it and use it to gain access to accounts and user data.
#9. Web Security Tools
It is important to test the security of your website once you have put all the necessary measures in place. This can be done using website security tools, and is often referred to as penetration testing.
Many products are available, many of them free, to help with this assignment. For all known exploits, they use a method similar to that of script hackers and testing, trying to compromise the system the same way attackers would.
Many highly recommended free tools are available to consider, including:
Netsparker is a free trial tool available for both SQL injection and SSL injection testing.
The most sophisticated open source security scanner claims to be OpenVAS. Tests for known vulnerabilities in excess of 25 000. It should be noted that this can be hard to set up and requires the installation of an OpenVAS server.
Such automated tests, as they present a variety of potential problems, can produce somewhat daunting results, but the important thing is to concentrate first on the most critical issues. Issues reported usually come with an explanation and you may find that some of the medium to low threats are not actually problems at all for your website.
If you want to take things one step further, by altering POST/GET values, you may want to manually compromise your site. A debugging proxy can provide help by allowing you to intercept HTTP request values between the browser and the server. On a request, you may be wondering what should be changed, and the answer involves changing the parameter URL or cookie values.
These kinds should be very helpful in helping you to keep your website and information properly protected, and thankfully CMSes are equipped with a lot of website security features built in. However it is important to have some knowledge of the most common security exploits to ensure you are protected.