Ten Things Your Website Needs to Keep Hackers At Bay
There are plenty of unscrupulous individuals looking to compromise any web assets they can get their hands on. Here are 10 things you can do to keep your website secure from hackers who may steal confidential data or affect your website’s normal operation.
Keep your website up to date
Many websites are hacked due to outdated versions of software being used to run them. You can make your website more secure by downloading all the latest updates of your CMS (content management system), operating system patches, and by keeping your antivirus program up to date. Aim to update once a week or as soon as a new update is available for download.
Don’t use common passwords
Always use strong passwords and never reuse one password across all your accounts. Use different passwords for your email, website admin panel, FTP servers, and any web services you use. This ensures that if one of your passwords is compromised, all your other accounts remain secure. If any password you use appears on a published list of the most common passwords, you are highly vulnerable to being hacked. Remember to change your passwords regularly.
Website file permissions should be locked
File permissions control which operations each user may perform on your files. Every file can have three permissions associated with it: read, write, and execute. Read permission allows only viewing the contents of the file, write allows modifying its contents, and execute allows running the file. Make sure you set appropriate permissions for each file on your website.
Handle XSS (cross-site scripting)
Cross-site scripting lets a malicious user tamper with a page's client-side scripts so that script of their choosing runs in the browser of every visitor who loads that page. This can be prevented by properly validating data before it is submitted or rendered.
Keep backups secured
Creating backups for your website is highly important. However, never store your backups on the same web server as your website; doing so is a huge security risk. The backups contain older, unpatched versions of your CMS and its extensions, which an attacker could exploit. All of your backups need to be stored at an offsite location.
Use proper server-side validation
Validation should begin as soon as a visitor clicks a submit or login button. If a mandatory field is missing or a number is entered where text is expected, an error message should be displayed without the data being sent to the server. Server-side validation must then happen before any data is written to the database, so that no malicious code is inserted into it.
Use Secure Sockets Layer (SSL)
SSL is a communications protocol which provides security for web traffic, including confidentiality of data, message integrity, non-repudiation, and successful authentication. It uses cryptography and an authenticated digital certificate to perform these functions.
Display general error messages
Only limited information should be provided when showing an error message to the user. Always use a general message for failures, such as "Username and Password do not match", so that the user cannot tell whether it was the username or the password that was wrong. This practice eliminates the brute-force approach in which an attacker guesses one mandatory field at a time, first confirming a valid username and then attacking its password.
Use parameterized SQL queries
SQL injection is an attack in which invalid, attacker-controlled input is embedded into a SQL query and executed by the backend database. For example, when a user tries to log in, a SQL query is used to check the credentials. With SQL injection, it is possible to change the meaning of that query and be granted access. You can eliminate this possibility by always using parameterized SQL queries.
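The login check described above, as an added example that is not part of the original article: a string-built query beside its parameterized replacement, run against a constructed in-memory SQLite table (the table, the account name and the placeholder hash value are all assumptions made for the demonstration).

```python
import sqlite3


def make_db():
    # Constructed sample database with a single account; not real data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    # Untrusted input is spliced into the query text, so a quote in the
    # input changes the structure of the statement (the bug described above).
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
             "AND password_hash = '%s'" % (username, password_hash))
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password_hash):
    # Placeholders keep the input as data; the driver never re-parses it
    # as SQL, so the same input is simply a username that does not exist.
    query = ("SELECT COUNT(*) FROM users WHERE username = ? "
             "AND password_hash = ?")
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


def demo():
    conn = make_db()
    legit = ("alice", "hash-of-alice-pw")
    # Malformed input: closes the quoted literal and comments out the rest of
    # the WHERE clause, so the password comparison disappears from the query.
    hostile = ("alice' --", "anything")
    results = {
        "vulnerable_legit": login_vulnerable(conn, *legit),
        "vulnerable_hostile": login_vulnerable(conn, *hostile),
        "parameterized_legit": login_parameterized(conn, *legit),
        "parameterized_hostile": login_parameterized(conn, *hostile),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'login accepted' if accepted else 'login rejected'}")
```

Both functions accept the genuine credentials; only the string-built version also accepts the malformed username, which is exactly the access the article warns about.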
Use website security tools
You should test your website with security tools, a practice also referred to as penetration testing. Some free tools are available, such as Netsparker and OpenVAS. They provide detailed reports about the vulnerabilities present in your website.