Hacking is a very real threat, even to those who don’t believe their site has any value to hackers. It is important to understand that websites are compromised literally all of the time, and the majority of security breaches are not to steal your data, or deface your website, but instead have the intention of using your server as an email relay for spam, or to setup a temporary web server in which to serve files that are illegal in nature.
The most common instances of hacking are performed by automated scripts that are written specifically to scour the Internet, attempting to exploit commonly known website security issues found in software.
Take a look at these top tips to ensure you are keeping yourself and your website safe while online.
#1. Keep Software Up to Date
This first tip may seem obvious to some, but the importance cannot be underestimated. It is critical to ensure all software is kept up to date in order to keep your site secure. This applies to both the server operating system as well as any software that may be running from within the website, including CMS and forum. Hackers are quick to attempt to abuse any security holes that may be found in software.
When using a managed hosting solution there is no need to worry so much about applying these important security updates, as the hosting provider will do this on your behalf.
When using third party software on your website it is important to make quick work of applying any security patches. Most vendors have a mailing list or RSS feed that clearly details any website security issues, and most make you aware of any issues immediately upon logging in.
#2. SQL Injection
SQL injection attacks are when the hacker a web form field or URL parameter in order to gain access, or to manipulate your database. When using standard Transact SQL it is easy for attackers to insert rogue code into your query that is used to change tables, obtain information and delete important data. This issue is easily avoided by always using parameterised queries, and most web languages come equipped with this feature and it is easily implemented.
#4. Error Messages
It is important to be careful about how much information you reveal from error messages, such as the language used when displaying a failed login message. Messaged should always be kept generic, and not provide details as to if part of the query was correct or not. Should an attacker attempt a brute force attack to get a username or password and the error message indicated which part of the query is incorrect it makes it easier for the attacker to determine which part is incorrect and gain entry off other attempts.
#5. Server Side Validation/ Form Validation
Validation is always best when done both on the server side as well as the browser side. The browser is able to catch simple failures such as empty mandatory fields, however these can be bypassed and it should be ensured that these validations are checked, as well as the deeper server side validations, as failure to do so can result in malicious or scripted code being inserted into the database, or experiencing undesirable results on your website.
It is no secret that complex passwords are wise, but not everyone heeds this advice. Using strong passwords is crucial in relation to your server and website admin areas, but it is equally as important to insist users follow good practice passwords in order to maintain the security of their accounts.
Password practices should be enforced that require a minimum of eight characters, and include at least one numerical digit as well as one uppercase letter to better protect their information.
Passwords always need to be stored as encrypted values, and it is preferable to use a one way hashing algorithm which means users are authenticated by comparing encrypted values. Salting passwords is a great way to provide passwords with extra security.
Using hashed passwords could potentially help to limit the damage occurred should an attack take place, as they are impossible to decrypt. When using salted passwords it makes it even more difficult for attackers to hack, slowing the process considerably and making it quite expensive to execute.
On a positive note, many CMSes provide out of the box user management solutions that has a lot of these security features built right in, with only minimal tweaking and adjusted required to have the ideal level of security.
#7. File Uploads
Allowing users the ability to upload files of any sort to your website is a huge security risk. Any file uploaded could potentially carry a script that opens your website up when executed. If file uploading is permitted it is critical to treat all files with great suspicion, and file extension or mime type is not a dependable means of identification as they can be easily faked. Most image formats have a space for a comments section which could contact dangerous PHP code.
The best way to prevent this is to restrict users from executing any file they upload. By default web servers will not attempt to execute files that contain image extensions, but checking the extension cannot be relied upon completely.
Options for working around this include changing the extension name while uploading to ensure correct file extension, or changing the file permissions. The most recommended solution is to prevent direct access to uploaded files altogether.This ensures any files uploaded to your website are stored in a folder outside of the webroot, or are stored in the database as a blob. This will require a script to fetch the folders and deliver them to the browser.
Majority of hosting providers handle server configuration for you, however if your website is hosted on your own server you will need to check a few things, such as:
- ensuring there is firewall setup that blocks all non essential ports. This may not be possible if there is no access to the server from an internal network, as ports would need to be opened to allow for things such as uploads and remote logins.
- if files are allowed to be uploaded from the internet, only use secured transport methods such as SFTP or SSH.
- if possible have your database on a different server than your web server. By doing so this means the database server cannot be directly accessed from the outside world, and only your web server can access it. This minimises the risk of data exposure.
- Never overlook restricting physical access to your server.
SSL is a commonly used security protocol used over the internet. It is recommended to use a security certificate whenever passing personal information between the website and web server or database. Attackers could be looking around for this information, and if the information is not kept secure it is likely they could capture it and use it to gain access to accounts and user data.
#9. Web Security Tools
Once you have put all the necessary measures in place it is important to test your website security. This can be done using website security tools, and is often referred to as penetration testing.
There are many products available, lots of them free, to assist with this task. They use method similar to that of script hackers and test for all known exploits, attempting to compromise the system the same way attackers would.
There are many highly recommended free tools to consider, including:
- Netsparker – free trial tool available and is good for testing SQL injection as well as SSL
- OpenVAS – claims to be the most advanced open source security scanner. Tests for over 25 000 known vulnerabilities. It should be noted this can be difficult to set up and requires an OpenVAS server to be installed.
Such automated tests can produce somewhat daunting results, as they present a slew of potential issues, but the important thing is to focus on the most critical issues first. Issues reported generally come with an explanation and you may find that some of the medium to low threats are not in fact issues for your website at all.
If you wish to take things one step farther you may wish to manually compromise your site by altering POST/GET values. A debugging proxy can provide assistance as it allows you to intercept the values of a HTTP request between the browser and server. You may be wondering what should be altered on a request, and the answer includes changing URL parameter or cookie values.
These types should prove quite beneficial in assisting you in keeping your site and information properly protected, and thankfully CMSes come equipped with a lot of built in website security features. However it is important to have some knowledge of the most common security exploits to ensure you are protected.
For more information on website security contact Globalquest at 716-601-3524 or send us an email directly to firstname.lastname@example.org.