According to Creative Bloq, here are five website security protection tips to help you avoid the damage and destruction caused by hackers on a daily basis.
You may not think your site has anything worth being hacked for, but websites are compromised all the time. The majority of website security breaches are not to steal your data or deface your website. They are usually attempting to use your server as an email relay for spam or to set up a temporary web server. Other common ways of abuse include using your servers as part of a botnet or to mine for Bitcoins. You could even be hit by ransomware.
Hacking is regularly performed by automated scripts, written to scour the Internet in an attempt to exploit known security issues in software. Here are the top 5 issues you can avoid to help keep you and your website safe.
Software not kept up-to-date
It may seem obvious, but keeping all software up to date is vital to keeping your site secure. This applies both to the server operating system and to any software you run on your websites, such as a CMS or forum. When security holes are found in software, hackers are quick to attempt to abuse them. Trust Guard is the leader among several companies that offer scanning and monitoring services to let you know, among other things, when an old version of your software can be replaced by a newer one.
Many developers use tools like Composer, NPM, or RubyGems to manage their software dependencies, and a security vulnerability appearing in a package you depend on but aren’t paying any attention to is one of the easiest ways to get caught out.
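The check the paragraph above calls for, as an added example (not code from the Creative Bloq article or from Trust Guard): read a pinned dependency list and flag every package whose version falls inside a known-vulnerable range. The advisory table, the package names and the requirements text are all constructed for the demo; real tools such as pip-audit, `npm audit` and `composer audit` pull advisories from a database and apply the same matching idea.

```python
"""Check pinned dependencies against known-vulnerable version ranges.

Added example (not from the Creative Bloq article or from Trust Guard).
Both the advisory table and the requirements text are constructed.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed advisory data (hypothetical package names):
# package -> (first affected version, first fixed version)
ADVISORIES: Dict[str, Tuple[Version, Version]] = {
    "examplelib": ((1, 0, 0), (1, 4, 2)),  # affected in 1.0.0 <= v < 1.4.2
    "imgtool": ((0, 0, 0), (2, 1, 0)),     # every release before 2.1.0
}

# Constructed `pip freeze`-style pin list (one `name==version` per line).
SAMPLE_REQUIREMENTS = """\
examplelib==1.3.0
imgtool==2.1.0
# a comment line is ignored
otherpkg==0.9
"""


def parse_version(text: str) -> Version:
    """'1.4.2' -> (1, 4, 2); parsing stops at the first non-numeric part."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def parse_requirements(text: str) -> Dict[str, Version]:
    """Read `name==version` lines; blanks, comments and unpinned lines are skipped."""
    pins: Dict[str, Version] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = parse_version(version)
    return pins


def find_vulnerable(pins: Dict[str, Version],
                    advisories: Dict[str, Tuple[Version, Version]]) -> List[str]:
    """Names of pinned packages whose version falls inside an advisory's range."""
    hits: List[str] = []
    for name, version in pins.items():
        if name not in advisories:
            continue
        first_affected, first_fixed = advisories[name]
        # Tuple comparison gives the usual numeric ordering: (1, 3, 0) < (1, 4, 2).
        if first_affected <= version < first_fixed:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for pkg in find_vulnerable(parse_requirements(SAMPLE_REQUIREMENTS), ADVISORIES):
        print(f"{pkg}: pinned version is in a known-vulnerable range, upgrade it")
```

Run against the sample, only `examplelib` is reported: 1.3.0 sits inside the affected range, while `imgtool` is pinned at exactly the first fixed release and `otherpkg` has no advisory. Running a check like this in CI is what turns "a package you aren’t paying attention to" into a failing build rather than a surprise.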
Everyone knows they should use complex passwords, but that doesn’t mean they always do. It is crucial to use strong passwords for your server and website admin area, and equally important to insist on good password practices for your users to protect the security of their accounts. As much as users may not like it, enforcing password requirements such as a minimum of around eight characters, including an uppercase letter, a symbol and a number, will help to protect their information in the long run.
Passwords should always be stored as hashed values, preferably using a one-way hashing algorithm such as SHA. Using this method means that when you authenticate users you only ever compare hashed values. In the event of someone hacking in and stealing your passwords, storing them hashed helps limit the damage, as the hashes cannot be reversed. The best an attacker can do is a dictionary attack or brute force attack, essentially guessing every combination until one matches. When passwords are salted, cracking a large number of them is even slower, as every guess has to be hashed separately for every salt + password combination, which is computationally very expensive.
Allowing users to upload files to your website can be a big security risk, even if it’s simply to change their avatar. The risk is that any uploaded file, however innocent it may look, could contain a malicious script which, when executed on your server, could completely open up your website.
If you have a file upload form then you need to treat all files with great suspicion. If you allow users to upload images, you cannot rely on the file extension or the MIME type to verify that the file is an image, as these can easily be faked. Even opening the file and reading the header, or using functions to check the image size, is not foolproof: most image formats allow a comment section to be stored, which could contain PHP code that the server could execute.
So what can you do to prevent this? Ultimately you want to stop users from being able to execute any file they upload. By default, web servers won’t attempt to execute files with image extensions, but relying solely on the file extension is not recommended, as a file named image.jpg.php has been known to get through.
Some options are to rename the file on upload to ensure it has the correct file extension, or to change the file permissions, for example with chmod 0666, so that it can’t be executed. Most hosting providers handle the server configuration for you, but if you host your website on your own server then there are a few things you will want to check. Ensure you have a firewall set up and are blocking all non-essential ports.
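The two mitigations just listed, rename on upload and strip execute permissions, in working form as an added example (not code from the Creative Bloq article or from Trust Guard). The client’s file name is never used: the stored name is random and its extension is derived from the file’s leading bytes, so `image.jpg.php` never reaches the disk. The signature table, the size cap and the sample bytes are constructed; the file mode 0o644 (read-only for everyone but the owner, no execute bit) is a choice made here. Note what the magic-byte check does not do: it only decides which extension to assign and makes no claim that the file is harmless, since a valid image can still carry script text in a comment block. The protection is that nothing in the upload directory is ever executed.

```python
"""Store an uploaded image under a server-chosen name with no execute bit.

Added example, not code from the Creative Bloq article or from Trust Guard.
"""
import os
import secrets
import stat
import tempfile
from typing import Optional, Tuple

# Leading bytes of the image formats this upload form accepts (constructed table).
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # size cap chosen for the example


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the extension for a recognised image signature, else None."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def store_upload(data: bytes, upload_dir: str) -> Optional[str]:
    """Write `data` into `upload_dir` under a random name; return that name or None.

    `upload_dir` should sit outside the web root, or be served with script
    execution disabled, so the web server never runs anything stored here.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return None
    ext = detect_image_type(data)
    if ext is None:
        return None
    # Random name plus content-derived extension: the client-supplied name
    # (for example image.jpg.php) is never consulted.
    name = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(upload_dir, name)
    # O_EXCL refuses to overwrite an existing file; mode 0o644 has no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    os.chmod(path, 0o644)  # pin the final mode whatever the process umask was
    return name


def store_in_tempdir(data: bytes) -> Optional[Tuple[str, int]]:
    """Demo helper: store into a fresh temp dir and return (name, permission bits)."""
    upload_dir = tempfile.mkdtemp(prefix="uploads-")
    name = store_upload(data, upload_dir)
    if name is None:
        return None
    mode = stat.S_IMODE(os.stat(os.path.join(upload_dir, name)).st_mode)
    return name, mode


if __name__ == "__main__":
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed sample, not a real image
    print(store_in_tempdir(fake_png))                # ('<32 hex chars>.png', 420) i.e. 0o644
    print(store_in_tempdir(b"<?php echo 'hi'; ?>"))  # None: no image signature
```

Pair this with a web server rule that disables script handlers for the upload directory, so the rename and the permissions are the second and third line of defence rather than the only ones.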
HTTPS is a protocol used to provide security over the Internet. It guarantees users that they are talking to the server they expect and that nobody else can intercept or change the content they see in transit. If you have anything that your users might want kept private, it’s highly advisable to deliver it only over HTTPS. That of course means credit card and login pages (and the URLs they submit to), but typically far more of your site too. For example, a login form will often set a cookie, which is sent with every other request a logged-in user makes to your site and is used to authenticate those requests. An attacker who stole it would be able to perfectly imitate that user and take over their login session. To defeat these kinds of attacks, you almost always want to use HTTPS for your entire site.
That’s no longer as tricky or expensive as it once was, though. Let’s Encrypt provides totally free, automated certificates (which you need to enable HTTPS), and there are community tools for a wide range of common platforms and frameworks that set this up for you automatically.
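The session-cookie point above in code, as an added example (not from the Creative Bloq article or from Trust Guard): the login cookie is issued with the Secure and HttpOnly attributes, so a browser only ever sends it over HTTPS and page scripts cannot read it; a second helper audits an existing Set-Cookie header for those attributes, and a third computes the redirect that moves a plain-HTTP request onto HTTPS once the whole site is served that way. The HSTS value, host and path strings are constructed for the demo.

```python
"""Session cookie and HTTPS-only helpers.

Added example, not from the Creative Bloq article or from Trust Guard.
"""
from http.cookies import SimpleCookie
from typing import List, Optional

# Sent on every HTTPS response once the site is HTTPS-only; browsers then refuse
# plain HTTP to this host for a year (max-age value chosen for the example).
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def session_cookie_header(session_id: str, name: str = "session") -> str:
    """Return the Set-Cookie header value for a login session cookie."""
    jar = SimpleCookie()
    jar[name] = session_id
    jar[name]["secure"] = True      # never sent over plain HTTP
    jar[name]["httponly"] = True    # invisible to document.cookie
    jar[name]["samesite"] = "Lax"   # not attached to cross-site POSTs
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def missing_cookie_protections(set_cookie_value: str) -> List[str]:
    """Which of Secure / HttpOnly a Set-Cookie header value lacks (empty list = fine)."""
    attributes = {
        part.strip().split("=", 1)[0].lower()
        for part in set_cookie_value.split(";")[1:]   # element 0 is name=value
    }
    return [flag for flag in ("secure", "httponly") if flag not in attributes]


def https_redirect(scheme: str, host: str, path_and_query: str) -> Optional[str]:
    """Location for a 301 redirect when the request came in over HTTP, else None."""
    if scheme.lower() == "https":
        return None
    return f"https://{host}{path_and_query}"


if __name__ == "__main__":
    header = session_cookie_header("constructed-session-id")
    print("Set-Cookie:", header)
    print("missing:", missing_cookie_protections(header))                 # []
    print("missing:", missing_cookie_protections("session=abc; Path=/"))  # ['secure', 'httponly']
    print(https_redirect("http", "example.com", "/login?next=/account"))
```

The audit helper is the kind of check worth running over your own responses: a cookie set without Secure is sent in the clear the first time the user types the site name without `https://`, which is exactly the interception the paragraph above warns about.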
Now you know the top five website security protection issues and tips on how to prevent hackers from accessing your website. Trust Guard can scan your site for more than 75,500 vulnerabilities to see if you’ve already made any of the above mistakes and tell you what you can do to remedy the situation before it’s too late.
Special thanks to Creative Bloq for their article on this topic.