Websites are compromised all the time, and if you think that your site does not have anything worth being hacked for, think again. Hacking is regularly performed by automated scripts written to scour the Internet in an attempt to exploit known website security issues in software.
Here are some tips to help keep you and your site safe online.
Table of Contents
Keep software up to date
By ensuring you keep all software up to date, you keep your site secure. Ensure that you regularly update the server operating system and any software you may be running on your websites, such as a Content Management System (CMS) or an online discussion forum. When hackers find website security holes in software, they quickly attempt to abuse them.
If you are using a managed hosting solution, you shouldn’t worry much about applying security updates to the operating system, as your hosting company should take care of this.
Are you using third-party software on your websites, such as a CMS or forum? Be sure to apply any security patches quickly. Most CMS have a mailing list or RSS feed that details website security issues. In addition, WordPress and many other CMS constantly notify you of available system updates, so pay attention.
Check your passwords
It is crucial to use strong passwords to your server and website admin area. It is also vital that you insist on good password practices for your users to protect the security of their accounts. Enforce strong password requirements, which will help protect their information in the long run. Many CMS provide user management with a lot of these website inbuilt security features that you can use.
Protect against Cross-site scripting XSS attacks
Beware of error messages
Limit how much information you give away in your error messages. Be sure to provide concise error messages to your users to ensure that they don’t leak API keys or database passwords. Do not provide full exception details as these can make complex attacks like SQL injection far easier. Instead, simply keep detailed errors in your server logs, and show users only the information they need.
Validate both sides
Validation should be done on both the browser and server-side. Some simple failures like mandatory fields that are empty or when you enter a letter into a “numbers only” field can be noticed by a browser. These can however be bypassed, and you should ensure that you check for these validations as failing to do so could lead to malicious code or scripting code being inserted into the database or could cause unwanted results on your website.
Avoid file uploads
Allowing users to upload files can be a significant website security risk, even if it is a simple avatar. No matter how innocent a file may look, it could contain a script that ultimately leaves your website vulnerable when executed on your server.
If your site allows users to upload images, you cannot rely on the file extension(.jpg, .png etc.) or the mime type to verify that the file is an image, as these can easily be faked.
Even opening the file and reading the header is not enough, as most image formats allow storing a comment section that could contain PHP code that the server could execute.
The most effective solution is to prevent direct access to uploaded files all together. Any file uploaded to your website is stored in a folder outside of the webroot. If your files are not directly accessible, create a script to fetch them from the private folder (or an HTTP handler in .NET) and deliver them to the browser.
This is a protocol used to provide security over the Internet. For example, HTTPS guarantees that users are talking to the server they expect and that nobody else can intercept or change the content they see in transit. In other words, there is encryption.
A login form will often set a cookie, for example, and this is sent with every other request to your site that a logged-in user makes and is used to authenticate those requests.
An attacker stealing this information would be able to imitate a user and take over their login session perfectly. To defeat these kinds of attacks, seek always to want to use HTTPS for your entire site.
Get website security tools
One of the many effective ways of testing your website security is to use some website security tools, often referred to as penetration testing.
There are many paid and free products to assist you with this. They work with similar scripts hackers use to test all known exploits and attempt to compromise your site using some of the previously mentioned methods.
Here are some free tools that are worth exploring:
The results from automated tests can be daunting, as they present a pool of potential issues. Focus on the critical issues first. Each case reported usually comes with an explanation of the potential vulnerability.