Hacking is a very real threat and every website is a target. Websites are compromised more often than you think with the intention of stealing your data, bringing your site down or even to target your server as an email relay for spam. Cybercriminals can also exploit compromised machines and use your servers as part of a botnet to serve illegal files or to mine for Bitcoins. And if you are not willing to follow best practices to keep your site safe, be prepared to be hit by ransomware. Hackers generally use automated scripts written specifically to search the web in order to find and exploit commonly known website security flaws found in software. Since you have worked hard on building your website, you should also take the time to protect it by implementing some basic website security measures!
- Always Keep Platforms And Scripts Up To Date
It is of absolute importance to ensure that all software, any frameworks, CMS, third-party plugins, forums or libraries installed are always kept up to date in order to protect your website. Hackers are always on the lookout for any security holes or script weaknesses that may be found in your software to enable them to take control of your site. The code for software tools created as open-source software programs is easily available and can be abused by malicious hackers. But the developer community does work hard to discover bugs and security gaps in open source solutions so that they can be removed even faster. When using third party software on your website, always upgrade to the newer versions as soon as they are released, especially if they contain security patches. Most will have mailing list or RSS feed with details about current website security issues so that you are aware of them immediately upon logging in. There are automatic update plugins available for many CMS solutions. There is the easy update manager for WordPress or the SP Upgrade extension for Joomla, which can make it simpler to keep your systems up-to-date. But even these plugins and other add-ons must be periodically checked for updates.
- Beef up Your Passwords
Everyone is well aware of the importance of using complex passwords, but most of us do not follow through. Use strong, random passwords for your server and website admin area because they should never be easy to guess, and also focus on good password practices for your users to prevent their accounts from being hacked. You must enforce password requirements such as a minimum of around eight characters, including an uppercase letter, special character and number to protect your site in the long run. Passwords must be stored as encrypted values, using algorithms like SHA-2, so that only encrypted values are compared when authenticating users. For added website security you can also salt the passwords, to help limit damage in case of any unforeseen incident, like your passwords being stolen. When using salted passwords the process of decrypting them becomes slower as every guess has to be hashed separately for every salt + password, making it an expensive exercise for hackers. CMSs do provide user management out of the box, with website security features built in, although some configuration may be required to use salted passwords or to set the minimum password strength. You must also add limits to login attempts for certain times, including password resets that can easily be hacked.
- Use Command Parameters To Prevent SQL injection
SQL injection attacks are pervasive these days and have done real damage to businesses and organizations in the past year. SQL injections have targeted Mossack Fonseca, Epic Games forum, Arizona voter database and the U.S. government in just the last year. When an attacker accesses your database by inserting rogue code through a web form field or URL parameter, it is known as SQL injection attacks. Such staged attacks send malicious SQL commands to database servers through web requests like input channels, query strings, cookies or files. SQL injections can also insert new user accounts, delete existing user accounts, display restricted records and information, change the contents of records or even compromise the server’s operating system.
It is necessary to always check the code of every page for places where you combine page contents, commands, strings, and more with sources from users. Vetting the source code for vulnerabilities and security holes can help protect your site better. SQL attacks are easily preventable by always using parameterized queries because most web languages have this feature and it is easy to implement. Command parameters get defined by adding placeholder names in SQL commands, which can then be replaced by user input. With the SQL code being defined first and the input only added to the SQL query during execution, the contents of a parameter is not parsed as part of the query code. This way the database knows anything stored inside the parameters is just input and therefore it cannot be tricked into reading it as code. ASP.NET has easy-to-use set of APIs for this purpose that can automatically evaluate user input for malicious content whereas, in PHP, the process is a bit more involved using prepared statements. There are scanning tools available such as sqlmap to crawl your site’s pages to detect potential SQL injection vulnerabilities.
- Follow Principle of Least Privileges
Ensure that all your web application only have the minimum permissions possible in order to be able to perform the required tasks. Never use the “root” or “sa” accounts to connect your web application to your database server. When an administrative account gets compromised, it can potentially give hackers access to the entire database system. Even non-administrative accounts with access to all databases within a server can be equally damaging, particularly in such cases where the database server is shared among different applications and databases. It is best to use an account that only has simple read-write permissions to the specific database behind your website, so even if there is an SQL injection attack, the scope of damage remains limited within the single database.
You can also use separate connections for code segments that read from or write to your database, with limited permissions and roles for each segment. For example, list pages that extensively use search parameters but do not make changes to the database can be coded to use a read-only connection to the database to prevent any code abuse. It is possible to improve security in MySQL by limiting access to the user account to specific IP address ranges to prevent accounts being accessed and compromised from remote locations. If you are not going to be using the advanced features of SQL Server, do use the Windows Authentication model to set up and use a limited account instead of the high privilege “Local System” account, to help minimize damage in case of account compromise.
- Limit File Uploads
File uploads are a major security risk and allowing users the ability to upload files of any sort to your website can be damaging for your site. Any file uploaded can potentially carry a malicious script or bugs that sneaks into your system and opens your website up to hackers. It is absolutely vital to treat all files uploaded by users with great suspicion. Checking the file extension or mime type cannot be relied upon completely as a means of identification because they can easily be faked. Users should be prevented from getting direct access to uploaded files altogether and there should be restrictions regarding executing any files they upload. Even though by default, web servers will not attempt to execute large files that contain image extensions, it is possible to change the extension name while uploading to ensure correct file extension, or even change the file permissions. You must ensure all downloaded files are stored outside root directories or are stored in the database as a blob and scripts should be used to pull them up and deliver them to the browser when required.
Prepare For The Worst, Pick The Best
Are you aware that nearly 41% of websites are actually hacked because of security vulnerabilities in their hosting service? Your web host can be your biggest security weak spot. Therefore, to help protect your site, you must select the right host. Don’t be swayed by the cheapest rates, rather go with a reputable hosting service, having robust security features.
There are a number of different ways to protect a website but implementing some of these basic security measures right away and following a strong support and maintenance process can protect your site from cybercriminals. Toughen up your security and be very rigorous about your safety measures in order to keep your website safe from malicious hackers.
This is a guest blog written by Michelle Keyser, Director of Social Media and Content Marketing, at DirectiveGroup, a digital marketing agency, where she is a strategist and blog contributor. Contact them today for more information by calling 1.866.925.9524