Tips for securing your website – advice for optimising your website security and avoiding hacking disasters.
You may think that you are of no interest to hackers and that they will not attack your website… But there are many reasons why someone might find something useful in hacking your site.
Your site can be used for spam, scams, stealing data, defacing your pages and similar abuse.
Hacking is regularly performed by automated scripts written to scour the internet in an attempt to exploit known website security issues in software.
Here are our top tips to help keep you and your site safe online.
Keep software up to date
It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website, such as a CMS or forum. When website security holes are found in a piece of software, hackers are quick to attempt to exploit them.
Watch out for SQL injection
SQL injection attacks occur when an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you build queries by pasting user input into standard Transact-SQL text, it is easy to unknowingly let that input become part of your query, where it could be used to change tables, read information or delete data. You can easily prevent this by always using parameterised queries – most web languages have this feature and it is easy to implement.
Protect against XSS attacks
Cross-site scripting, also known as XSS, attacks inject malicious JavaScript into your pages, which then runs in the browsers of your users and can change page content or steal information and send it back to the attacker. For example, if you show comments on a page without validation, an attacker might submit comments containing script tags and JavaScript, which would run in every other user’s browser and steal their login cookie, allowing the attacker to take control of the account of every user who viewed the comment. You need to ensure that users cannot inject active JavaScript content into your pages.
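As an added example (not code from the original article), the SQL injection and XSS points above in one small Python script using only the standard library: a vulnerable string-built query beside its parameterised form, and HTML escaping of stored comments before they are output. The comments table and its sample rows are constructed for the demonstration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory comments table with sample rows (not data from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO comments (author, body) VALUES (?, ?)",
        [("alice", "First!"), ("bob", "Nice post"),
         ("mallory", "<script>alert(1)</script>")],
    )
    return conn


def comments_by_author_unsafe(conn, author):
    # Vulnerable: the request value is pasted into the SQL text, so a quote in the
    # input ends the string literal and whatever follows is parsed as SQL.
    sql = f"SELECT author, body FROM comments WHERE author = '{author}'"
    return conn.execute(sql).fetchall()


def comments_by_author(conn, author):
    # Hardened: a parameterised query sends the value separately from the SQL text,
    # so the database only ever treats it as data, whatever characters it contains.
    sql = "SELECT author, body FROM comments WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


def render_comment(author, body):
    # Output encoding: escape untrusted text before placing it in HTML, so a stored
    # "<script>" tag is displayed as text in every visitor's browser instead of run.
    return f"<li><b>{html.escape(author)}</b>: {html.escape(body)}</li>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # a single quote is enough to change the unsafe query
    print(comments_by_author_unsafe(db, probe))  # every row: the WHERE clause was rewritten
    print(comments_by_author(db, probe))         # []: no author has that literal name
    for author, body in comments_by_author(db, "mallory"):
        print(render_comment(author, body))      # script tag shown as &lt;script&gt;
```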
Beware of error messages
Be careful how much information you give away in your error messages. Provide only minimal errors to your users, to ensure they don’t leak secrets present on your server (e.g. API keys or database passwords). Don’t provide full exception details either, as these can make complex attacks like SQL injection far easier. Keep detailed errors in your server logs, and show users only the information they need.
Validate on both sides
Validation should always be done on both the browser and the server side. The browser can catch simple failures, such as mandatory fields that are empty or text entered into a numbers-only field. These checks can however be bypassed, so you should repeat them, along with deeper validation, on the server side; failing to do so could lead to malicious or script code being inserted into the database, or cause undesirable results on your website.
Check your passwords
Everyone knows they should use complex passwords, but that doesn’t mean they always do. It is crucial to use strong passwords for your server and website admin area, but it is equally important to insist on good password practices for your users to protect the security of their accounts.
Avoid file uploads
Allowing users to upload files to your website can be a big website security risk, even if it’s simply to change their avatar. The risk is that any file uploaded, however innocent it may look, could contain a script that, when executed on your server, completely opens up your website. One defence is to deny direct access to the upload directory with a .htaccess file, and then allow back only files whose names are plain image names:

# .htaccess in the upload directory (Apache 2.2 access-control syntax)
# Deny every request by default, including uploaded scripts.
deny from all
# Re-allow only files named with word characters plus an image extension.
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>

Note that Apache 2.4 replaces these directives with Require all denied and Require all granted unless the mod_access_compat module is loaded, and that the server must also not be configured to run files in that directory as scripts.
Use HTTPS
HTTPS is a protocol used to provide security over the Internet. It guarantees that users are contacting the server they expect, and that nobody else can intercept or change the content they’re seeing in transit.
Get website security tools
Once you think you have done all you can, it’s time to test your website security. The most effective way of doing this is by using website security tools, in a process often referred to as penetration testing, or pen testing for short.