Even if you are running a small website that you think will be of little interest to hackers, there is no reason not to take its security seriously. Hackers use automated scripts to find holes and will exploit any vulnerability they can find on any website. Perhaps best known for defacing websites and stealing data, hackers are more often than not after your website or web hosting server for another purpose – to relay their spam emails or to host fake websites that steal data from unsuspecting end-users.
We’ve put together some tips that we think will contribute to a secure website and that you should follow so that you can be confident your website is protected.
1) Updating software regularly
Every now and then even the most popular and well-developed applications can be released with undiscovered security holes that could leave websites open to attack. However, it is also these applications that see the fastest security updates to make sure that these holes are patched as soon as possible and the potential for attack is neutralised. If you do happen to be using a particular version of an item of software on your website that has proven to be vulnerable then it is imperative that you update as soon as possible so that you don’t come under attack; updating on a regular basis also has the added advantage of providing access to the latest and best features.
2) Improved SQL queries
If an SQL query is being populated using data from a submitted form or a URL variable, then it has the potential to be used for an SQL injection. An SQL injection attack could be used for a number of purposes, as rogue statements can take all forms: a ‘SELECT’ statement could be used to reveal the contents of your customers table, an ‘UPDATE’ query could be used to change the admin password for more in-depth access, or a ‘DELETE’ query could wipe your tables completely. SQL injection can be prevented in most scripting languages by using parameterised queries instead of building the query text from the submitted value.
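The difference between pasting a form value into the query text and passing it as a parameter, shown as an added example (not code from the original article). It uses Python's built-in sqlite3 module with a constructed in-memory customers table; the table, rows and function names are assumptions for the demonstration only.

```python
import sqlite3


def make_demo_db():
    # Constructed sample data: a two-row customers table that exists only in memory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, plan) VALUES (?, ?)",
        [("alice@example.com", "basic"), ("bob@example.com", "premium")],
    )
    conn.commit()
    return conn


def find_customer_unsafe(conn, email):
    # Vulnerable: the submitted value is concatenated into the SQL text, so a quote
    # character inside the value changes the meaning of the statement.
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn, email):
    # Hardened: the statement uses a placeholder and the value is passed separately,
    # so the driver treats the value purely as data and never as SQL.
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    crafted = "' OR '1'='1"   # constructed value that a form could submit
    print("unsafe:", find_customer_unsafe(db, crafted))   # every row comes back
    print("safe:  ", find_customer_safe(db, crafted))     # no row has that literal email
```

The parameterised version looks for a customer whose email address is literally the crafted string and finds none, whereas the concatenated version turns the WHERE clause into one that is always true.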
3) Strip out HTML from submitted forms
4) Don’t give away too much in your error messages
Although many people see error messages as a way of letting users know why they can’t do something, such as logging in, hackers can use the information provided by an error message to perform a more calculated attack on a website. If a malicious attacker were to perform a brute force attack on a login page, for example, then separate messages such as “incorrect username” and “incorrect password” let the attacker know that they’ve got half of the username/password combination right, whereas a single message such as “incorrect username or password”, shown whether one or both are wrong, gives them no extra and potentially helpful information.
5) Validate form input
Input from any form should be checked on both the server and client side. Web browsers can be used to pick up simple mistakes like leaving out a mandatory field or entering words in a field where only numbers are required. For a deeper analysis of the contents of a form, server-side validation can detect potentially malicious input, such as where an attacker has attempted to enter code to exploit a vulnerability; client-side checks alone are not enough, because an attacker can submit the form without going through your page at all.
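Server-side validation that covers both tip 3 (stripping HTML out of submitted fields) and tip 5 (required fields and numeric checks), as an added example that is not the article's own code. The form fields, limits and function names are assumptions chosen for a simple sign-up form; the input is a plain dictionary as a web framework would hand it to you.

```python
import re

# Anything that looks like a tag is removed; what remains is treated as plain text.
TAG_RE = re.compile(r"<[^>]*>")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def strip_html(value):
    return TAG_RE.sub("", value)


def validate_signup(form):
    # form: dict of raw string fields as received from the request.
    # Returns (cleaned, errors); errors maps a field name to a message.
    cleaned, errors = {}, {}

    name = strip_html(form.get("name", "")).strip()
    if not name:
        errors["name"] = "Name is required"
    elif len(name) > 80:
        errors["name"] = "Name must be 80 characters or fewer"
    cleaned["name"] = name

    age = form.get("age", "").strip()
    if not age.isdigit() or not 1 <= int(age) <= 150:
        errors["age"] = "Age must be a whole number between 1 and 150"
    else:
        cleaned["age"] = int(age)

    email = form.get("email", "").strip()
    if not EMAIL_RE.fullmatch(email):
        errors["email"] = "Email address is not valid"
    cleaned["email"] = email

    return cleaned, errors


if __name__ == "__main__":
    # Constructed submissions: one with a tag smuggled into the name, one all wrong.
    print(validate_signup({"name": "<b>Ann</b>", "age": "34", "email": "ann@example.com"}))
    print(validate_signup({"name": "", "age": "abc", "email": "nope"}))
```

Stripping tags on the way in limits what ends up in your database, but it does not replace escaping values when you later put them back into a page; do both.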
6) Secure passwords
Nowadays it is common sense to use secure passwords that combine numbers, special characters and letters rather than letters on their own. Brute force and dictionary attacks have proven to have a high success rate at cracking accounts where users have used simple and ineffective passwords, including the word “password” itself; the only way to avoid having your account details exposed because of a weak password is to choose something that isn’t in the dictionary. Web developers should include password strength indicators on their registration forms so that users have an idea of just how strong their password is; including a random password generator is another recommended move and can be beneficial for users who aren’t really sure how to compose their password.
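A strength indicator and a random password generator of the kind the paragraph recommends, added here as an example and not taken from the article. The scoring rules, the tiny blocklist of common passwords and the function names are assumptions; the generator uses Python's secrets module, which draws from the operating system's random source, and keeps drawing until the result passes every check.

```python
import secrets
import string

# Constructed, deliberately tiny blocklist; a real one would hold millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def password_strength(pw):
    # Returns (score 0-5, feedback). A blocklisted password scores 0 regardless.
    if pw.lower() in COMMON_PASSWORDS:
        return 0, ["This is one of the most commonly used passwords"]
    checks = [
        (len(pw) >= 8, "use at least 8 characters"),
        (len(pw) >= 12, "12 or more characters is better still"),
        (any(c.isdigit() for c in pw), "add a number"),
        (any(c.islower() for c in pw) and any(c.isupper() for c in pw),
         "mix upper and lower case letters"),
        (any(c in string.punctuation for c in pw), "add a symbol such as ! or #"),
    ]
    score = sum(1 for ok, _ in checks if ok)
    feedback = [msg for ok, msg in checks if not ok]
    return score, feedback


def generate_password(length=16):
    # Draws characters with secrets.choice and retries until all five checks pass.
    if length < 12:
        raise ValueError("length must be at least 12 to satisfy every check")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_strength(pw)[0] == 5:
            return pw


if __name__ == "__main__":
    for candidate in ["password", "abc", "Tr0ub4dor&3"]:
        print(candidate, password_strength(candidate))
    print("generated:", generate_password())
```

The feedback list is what a registration form would show next to the strength bar, so the user is told what to change rather than just that the password is weak.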
7) Take a closer look at file uploads
No matter how you look at it, allowing your visitors to upload files to your website can pose a massive security risk. There is always the chance that a file could contain malicious code that can be executed on the server, regardless of the file extension being used. Because of this, all uploaded files need to be treated with equal suspicion.
The best solution for this is to prevent direct access to all uploaded files. Storing files in a directory outside of the web root, or as a blob in a database, means that there is no direct URL through which they can be fetched or executed. You’re probably wondering how you can still serve them to your visitors, but this is pretty simple: write a script that fetches them from the database or private folder and sends them to the browser with the appropriate content type.
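The private store and download script described above, as an added example that is not the article's own code. The allowed types, the random storage names and the class and method names are assumptions; the store is pointed at a temporary directory so it runs anywhere, and in a real deployment that directory would sit outside the web root.

```python
import os
import secrets
import tempfile

# Only these types are ever handed back, and the content type comes from this table,
# never from the upload itself.
ALLOWED_TYPES = {"png": "image/png", "jpg": "image/jpeg", "pdf": "application/pdf"}


class UploadStore:
    def __init__(self, private_dir):
        # private_dir is never served directly by the web server.
        self.private_dir = private_dir
        self.index = {}   # upload id -> (path on disk, extension)

    def save(self, original_name, data):
        ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
        if ext not in ALLOWED_TYPES:
            raise ValueError("file type not allowed")
        # The stored name is random and not derived from the original name, so the
        # uploader cannot pick the path or the extension the file is kept under.
        upload_id = secrets.token_hex(16)
        path = os.path.join(self.private_dir, upload_id + ".bin")
        with open(path, "wb") as fh:
            fh.write(data)
        self.index[upload_id] = (path, ext)
        return upload_id

    def serve(self, upload_id):
        # What the download script sends: (content type, bytes), or None if unknown.
        entry = self.index.get(upload_id)
        if entry is None:
            return None
        path, ext = entry
        with open(path, "rb") as fh:
            return ALLOWED_TYPES[ext], fh.read()


def demo():
    # Constructed sample upload; the bytes are not a real image.
    with tempfile.TemporaryDirectory() as private_dir:
        store = UploadStore(private_dir)
        uid = store.save("holiday.PNG", b"\x89PNG constructed sample bytes")
        content_type, body = store.serve(uid)
        try:
            store.save("script.php", b"not allowed")
            rejected = False
        except ValueError:
            rejected = True
        return {
            "content_type": content_type,
            "body": body,
            "stored_in_private_dir": store.index[uid][0].startswith(private_dir),
            "stored_name_is_random": "holiday" not in store.index[uid][0],
            "rejected_php": rejected,
            "unknown_id": store.serve("does-not-exist"),
        }


if __name__ == "__main__":
    print(demo())
```

Because the file is only ever read back by the script and sent with a content type you chose, a file whose contents are really something else is still treated as inert data rather than run by the server.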
8) Install an SSL certificate
An SSL certificate is a relatively cheap and simple way of giving your website a massive security boost. Ordinarily web traffic is unencrypted and web pages are sent as clear text across the Internet from the server to the visitor’s machine, where the web browser takes the plain text HTML and renders it as the intended design. However, this traffic is insecure and open to snooping; if a hacker were to eavesdrop on the connection they could easily see the pages that a target has been visiting and any submitted form information, which is the biggest issue since forms are often used for the input of personal information.
By installing an SSL certificate for your website, you remove this vulnerability by encrypting all traffic transferred between your website and your visitors’ computers. Any hacker who attempts to eavesdrop on an encrypted connection will only see garbled text that is of no use to them, making SSL a vital investment for any website and pretty much mandatory for any website handling personal information.
There are several different options for purchasing an SSL certificate depending on how many domains you’d like to protect and the value of the warranty provided.