So you have your newly built website up and running. And it’s a beautiful thing to see. It has all the bells, whistles and optimization you could possibly need.
But have you managed to properly protect your website from hackers?
Even today, especially on a small, personal level, we launch our sites with little real security. Mostly because we don’t believe what we bring to the table is going to interest a hacker. After all, why would they care for your blog about cupcakes or your T-shirt startup?
The majority of security hacks have nothing to do with you or the content of a website. Hackers break into your servers for their own nefarious purposes, such as to use your site as a relay for spam or to create a temporary server to upload files of an illegal or inappropriate nature. Some hackers do it simply to learn the ropes.
Typical hacking is the result of automated scripts designed to scour the Net. These scripts are on the prowl for known lapses in security. They find it, crawl in and get comfy on your dime.
If you want to be online, it’s best you do whatever it takes to protect your website from hackers. Here are some tips for doing that.
Manage Your Software
Keeping software up to date is key to securing your site from hackers. This means making sure all your software and the server operation system are on point all the time. Hackers are looking for the weaknesses that updates circumvent.
If your site utilizes third-party solutions for CMS or forums, track and quickly apply new security patches. Reputable vendors keep a RSS feed or email notifications detailing website security issues. CMSes – including Umbraco and WordPress – will notify users of updates whenever you log into their sites.
If your site is on a managed host, you probably don’t need to worry about updates as the host will take care of it in the background. Just make sure you know they’re doing that.
XSS refers to cross site scripting. In this situation, hackers try to slip Java or other scripting code into your web form. If successful, they can run malicious code on any visits to your site. If you create a form, make sure you assess submitted data. Also, strip out or encode HTML.
Hackers use an URL parameter or web form field to access or manipulate databases. This is called an SQL injection attack. A lot of sites use standard Transact SQL. For hackers, it is surprisingly easy to insert code into that query, giving them the authority to change tables, delete data and pull information. Instead of standard SQL, use parameterized queries. This feature is in many web languages.
In their initial explorations, website developers feel they need to be perfectionists. They’ll create error messages for worst case scenarios and, thinking they’re being thorough, give away information hackers can use. A good example is explaining in detail why a person cannot login into the site. The newcomer gives specifics about what went wrong instead of generic messages that only let the user know they goofed. Attackers will be quite aggressive to hack a user ID or password. When the error message supplies them with unique information, they know what to focus on in continued attempts.
Form & Server Side Validation
Validation has to be performed on the server and browser side. Browsers are subject to failures like empty mandatory fields or when text is entered in number-only fields. These are easily bypassed, but one has to make sure to check for these and deeper validation on the server side. Not doing so can result in malicious code insertion into your databases. It can also cause undesirable actions in your website.
Enforcing strong password requirements is essential. The first step any hacker takes into breaking your security is through logins. Passwords need to be complex and user IDs unique. You have to insist on good password practices to secure accounts and your website. Store passwords with encrypted values and authenticate users by comparing encrypted values. For an additional layer of security, salt individual passwords. Hashed passwords can limit damage as hackers won’t be able to decrypt them.
Website security tools come in commercial and free options. They work like hackers, looking for and testing weaknesses to exploit ways to compromise your site. Start with a free tool to get an understanding of what they do and what you need them to do. Many allow upgrades to premium versions with an expansion of features. You can also self-test, manually attempting to compromise the website.
Giving users access to your servers by allowing the upload of files is a huge security risk. Even an innocent file can contain a script that provides access to your information. If you want to allow uploads, treat files with caution. Use extensions or mime types to verify if files are actually images as these are easily falsified. Do not allow direct access to uploaded files. Use a script to fetch files and deliver them to browsers. Possibly run your database on a different server so that outsiders cannot directly access your primary server or data. This will minimize the risk of website data being exposed. There are also some powerful modules that will check installations for common security flaws. Lastly, restrict physical access to your server.
Leakage of Information
Information leakage comes from leftovers in the software development cycle. If you’re not careful, leftover comments from the development process will make it easier for hackers to access software version numbers, server configuration, exploitation bugs and more. A penetration test of finished pages will help find many security threats.
Again, you should verify this, but the majority of CMSes have built-in security features to protect website from hackers. Still, when it comes to website security, knowledge is power. Knowing the most common ways that hackers compromise and exploit your newly built website, and how to combat them, will only make you a smarter site creator.