One of the most common pitfalls when having a website is thinking that is doesn’t have anything worth being hacked. Unfortunately, the truth is that websites are compromised every single day and not always to steal data from them. Most of the time, website security breaches occur so that the hacker can use your server and either set up a temporary web server to allow them to send illegal files or to spam emails to unsuspected users. And then of course some hacking attempts are designed to steal sensitive information.
Here are some handy tips to help keep your website safe online. Some are on the “techy” side, others are pretty easy to implement, but all are very helpful and important.
Use Strong Passwords
You should not only use strong passwords not only to your website admin area and server, but also enforce your users to protect their accounts with equally strong passwords. Their passwords should have, at least, the minimum password requirements (i.e. over 8 characters, including a number and uppercase letter).
Don’t forget to store passwords as encrypted values. You can do that by using SHA (Secure Hash Algorithm), or another hashing algorithm. This will help limit the damage if someone tries to hack your website (it is not possible to decrypt hashed passwords).
Tip: For added website security, you may consider salting the passwords too. This will slow the hacker down (and make it much more costly for them) if they try to crack a large number of passwords.
Switch from HTTP to HTTPS
HTTPS (Hyper Text Transfer Protocol Secure) is the new protocol that provides security in the communication between the browser and the server. This helps keep every information/data communicated between users and your server, such as credit card details, private and safe. Not long ago, enabling HTTPS was expensive and tricky, but today implementing HTTPS is much simpler. Besides, if you don’t make that transition, it very well may hurt your Google rankings and traffic.
Keep All Software Up to Date
We may be stating the obvious here, but you’ll be surprised to know that many website owners don’t have this as their priority. However, making sure you keep the server’s operating system and any other software you may be running on your website (i.e. a CMS) updated will play a crucial role in keeping the website secure. Hackers are always on the lookout for holes in website software security. If they find one, they will manage to abuse it within a remarkably short time.
Now, if you are using a managed hosting solution, the hosting company will ensure that security updates for the operating system are applied. For 3rd party software, you will most likely be informed about an available system update from your Content Management System or CMS (i.e. WordPress).
You may also consider tools like Gemnasium that send automatic notifications if one of your website’s components become vulnerable and needs to be updated.
Browser & Server Validation
It is important to do server both server side and form validation. There are some simple failures, such as when you enter text in a field that only accepts numbers or mandatory fields that have no content, that the browser can catch. If you don’t check for these validation, a hacker will be able to successfully insert a scripting code or malicious code into the database. Such attempts can also affect the way your website runs overall.
Pay Attention to Your Error Messages
The amount of information provided in your error messages can put your website’s security at risk. For example, your error messages may provide full exception details. Or even leak your database passwords or API keys (all that data is kept on your server). If you allow this to happen, instead of showing users only the absolutely necessary information, you actually make an attacker’s job significantly easier (i.e. SQL injection attacks are made much less complicated).
Use Parameterized Queries
When an attacker wants to gain access to your database or even manipulate it, they use a URL parameter or web form field. This is called an SQL injection attack. You are vulnerable to such attacks if you use standard Transact SQL because it makes it easy for the hacker to add rogue code into your query. When they do this, they can delete data, get information, and change tables; none of this is good for your website and online reputation. Using easy-to-implement, parameterized queries (a feature the majority of web languages have) will help prevent it.
Website Security Tools to Consider
There are many free and commercial products to help keep your website secure, such as:
- Netsparker – It is good for testing Cross-Site Scripting (XXS) and SQL injection. Available in trial version and free community edition.
- Xenotin XSS Exploit Framework – You will find a long and detailed list of XSS attack examples that you can run, and check out if your website’s inputs are at risk (Firefox, Chrome and Internet Explorer).
- OpenVAS – This one is an open source security scanner that scans more than 25,000 known vulnerabilities. Although it is a great tool, note that you will need to install an OpenVAS server to set it up. Better consult your website developer about how to can do this.
If any of these tools present potential issues (you will receive a detailed explanation of the possible vulnerability), try to focus on the most important ones. Some low issues will probably not need your attention as they will not pose a threat to your website’s security.
- Try to restrict physical access to your server.
- Treat all files users upload to your website with great suspicion. You may use secure transport methods (i.e. SSH) to your server or even set up a Demilitarized Zone that allows access only to port 443 and 80 from users.
The good news is that most CMEs come loaded with website security features you could use to keep your website and any information that sits on your server safe. However, it won’t hurt to know some of the most types of common security breaches and what you can do to prevent them!