Website Security: How To Protect Your Singapore Website

website security singapore

You might not believe that your website has anything that could cause it to get hacked, but sites are always compromised. The most of site security breaches that happen do not target altering the website layout or stealing data, but they instead try to utilise your server to broadcast spam emails, or to create a temporary internet server, usually to operate files that are illegal. Other conventional methods of abusing compromised websites include mining for bitcoins or using your server as a botnet portion. Your site could even get attacked by ransomware.

Hacking is often done using automated scripts created to search the web for websites with a particular software security issue. Below are some tips that can assist to maintain you and your website secure online.

  1. Use HTTPS

This is a protocol that offers security through the internet. HTTPS ensures that consumers communicate only to the intended server, and no one else can change the content or intercept the content they are looking at on the way.

If your website has anything that the consumers might want confidential, it is recommended that you only use HTTPS to convey it. That includes login and credit card pages, and your website in general. For instance, a login page will always set cookies. These cookies are always sent to your website whenever a logged-in user requests to authenticate the requests. An intruder may get this information and entirely imitate the user to take up their login period. To prevent such attacks, you will require to use HTTPS protocol for your whole website.

Also, Google boosts your search engine rankings when you use HTTPS, offering you SEO advantages too. Now it is time to upgrade because the use of the vulnerable HTTP protocol is soon coming to an end.

  1. Avoid User Uploaded-Files

Giving users the ability to upload files on your site is a considerable security risk, even if it is to modify their profile. The threat is that the uploaded files, regardless of how innocent they seem, could comprise a text that when your server executes it, it completely uncovers your site.

If your website has a form for uploading files, you need to handle all the data with suspiciousness. If you allow the users to upload pictures, you cannot depend on the type of mime or the file extension to verify that it is an image file because they can be easily faked. Also, utilising functions to determine the size of the image or opening the file and looking at the header is still not dependable. Most formats of images allow for comments that would contain PHP codes that can be effected by your server.

So, what do you do to protect that? Some options include renaming the uploaded files to make sure they have the right file extension or changing the permissions of the files so that the server cannot execute it. If utilising *nix, you can make a .htaccess file that restricts access to only the set files, which prevents attacks from double extensions as mentioned above.

Eventually, the best solution is preventing the server from accessing uploaded files directly. That way, any uploaded files in your website will be stored in your database as a collection or in a folder outside your webroot. If you cannot access the files directly, you will require to make a script to retrieve the files from the external folder and present them to the browsers. Most web hosting in Singapore agencies undertake the server configuration tasks for you, but if you own a server that hosts your website, you will need to check for a few things.

Make sure that you have set up a firewall that blocks all the ports that are non-essential. Where possible, set up a DMZ that allows access to port 443 and 80 from the external world. However, this may not be achievable if you cannot access the server from an in-house network because you will require to open up the ports to allow file uploads and login to your server remotely through RDP or SSH.

If your site allows file uploads over the internet, use only secure transport means to the server like SSH or SFTP.

If you can, ensure that your database and website are hosted on different servers. By doing so, you secure your database from direct access from the external world. It can only be accessed by your web server, reducing the risk of your information getting exposed.

Also, do not forget to restrict physical entrance to the server.

  1. Inspect Your Passwords

Everybody understands that they should utilise strong passwords, but it does not mean that it is what they do. It is essential to use complex passwords to your website admin section and server. It is also crucial to insist on strong password practices for the users to safeguard their accounts’ security.

Although the users might not want that, enforcing requirements for passwords like including characters and uppercase letters, and the minimum number of characters helps guard their information in the end.

You should always ensure that you store your passwords as encrypted treasures using a single-way algorithm for hashing like SHA. For additional site security, it is advisable to salt your passwords – giving each password a different salt. If someone tries to steal or hack your passwords, hashed passwords prevent it since it is not possible to decrypt them. The only options they can use are brute force attack or dictionary attack. These involve guessing all the combinations until they get a match.

Gratefully, most content management systems offer loads of these site security features installed, although you may need some additional modules or configuration to set the minimum password requirements or utilise salted passwords. If you use .NET platforms, it is advisable to use the membership plans because they are very straightforward to configure. They also come with inbuilt site security features and password reset and login controls.

  1. Authenticate on Both Sections

Make sure that you validate both the server and the browser sides. Browsers can mark simple flaws like compulsory empty fields and when text is entered in the numbers-only field. These can get easily avoided, and it’s up to you to ensure that you look for that validation – the same applies to the server side, as failure to do that might cause to scripting or malicious codes getting inserted in your database that can lead to unfavourable consequences in your site.

  1. Watch Out Error Message

Be cautious of the information you disclose in the error messages. Give away as minimum errors as possible to the users to make sure they don’t uncover your server’s secrets like database passwords and API keys. Also, don’t give all your exception information, as it makes complicated attacks such as SQL injection more straightforward. Store detailed errors in the server logs and give users only the details they require.

  1. Defend Against XSS Attacks

XSS attacks introduce malicious JavaScript in your pages. That, in turn, runs in the users’ browsers, and it can change the content on the pages or take information to return to the invader. For instance, if you allow users to add unvalidated comments on your pages, an attacker can submit a comment containing JavaScript and script tags. These could even run in the browsers of all the users who see their comments and take their cookie for logging in, allowing them to take over the account of those users. You have to ensure that the users will not insert active malicious scripts into your website.

In modern web apps, that is a significant concern because there are apps that are primarily based on user-generated content that generate HTML in most many instances. The HTML gets interpreted by front-end platforms like Ember and Angular in Singapore. These platforms offer various XSS protections, but connecting client and server rendering causes more complex and new attack vulnerabilities. That allows attackers to insert JavaScript or content that runs codes using Ember helpers or adding Angular directives.

The most important thing here is to concentrate on how the content generated by users might bypass the limits you intended and get interpreted by the browser as something else rather than what you wanted. It is the same as protecting against injection of SQL. When generating HTML forcefully, utilise the functions that target the specific changes that you need.

Content Security Policy is a powerful tool for defending against XSS attacks. A Content Security Policy is a header in your server that instructs the browser to regulate what and how JavaScript gets executed in your site, for instance disallowing inline JavaScript and any other scripts that are not hosted on your domain.

  1. Beware of SQL Attacks

SQL attacks involve attackers use URL elements or the form fields on your site manipulate or access your database. When using a basic Transact SQL, it is simple to insert a malicious code that could be used to delete data, gather information, or change tables. This can be prevented by utilising parameterised queries. This feature is available in most coding languages, and it is easy to use.

  1. Keep Your Software Updated

It may sound obvious, but ensuring that your software is updated is crucial in providing the security of your website. It applies to both the operating system of your server and the active software on your site, like forum and CMS. When there are security flaws on your site, hackers are fast in trying to misuse them.

If you have contracted a Singapore web hosting agency to host your website, there is no need of worrying too much about updating your site security details as the company takes care of that. If you have extra software on the website, ensure that you apply security updates quickly. Most companies offer RSS feeds or mailing lists that give you any security issues on your website. Other platforms like Umbraco and WordPress send you notifications of an available update whenever you log in.

You can also use online tools like Gemnasium to send you automated notifications whenever your website becomes vulnerable to attacks.

  1. Use Site Security Tools

Once you feel that you have finished everything, it is now time to test the security of your website. The best way of accomplishing this is by using website security tools, commonly known as pen testing or penetration testing.

get google ranking ad

Here are some of the tools that you can consider using for free in Singapore:

  • Xenotic XSS Exploit Framework: It is a tool developed by OWASP, and it has a massive amount of XSS injection examples that you can run quickly to test whether the upload on your website is vulnerable in IE, Firefox, and Chrome. The automated test results can be scary because they present a large number of potential threats. The critical thing is to concentrate on the pressing issues first. Each reported problem usually comes with a decent explanation of the possible risks.
  • It is a tool that offers a free online security check to your website for security headers that has been correctly configured and enabled in your domain.
  • OpenVAS: This is among the most advanced open source scanner for potential security threats in your site. It is excellent in testing for known risks, and it currently scans over 25,000 vulnerabilities. However, it can be hard to install since it requires the installation of an OpenVAS server which only works on *nix.
  • Netsparker: It is suitable for examining XSS and SQL injection.

There are some additional steps that you can use to compromise your website manually by changing the values of the POST/GET elements. A proxy for debugging can help you with this as it enables you to obstruct the HTTP request values between the server and the browser. An example of a free tool that can assist you with this is Fiddler.


get google ranking ad

Site security is among the things that take time and money to achieve but can be beneficial if you get involved in a cyber attack. However, you cannot be 100% guaranteed against attacks. This guide will assist you to secure your site, but if a hacker gets access to your site and has the resources and expertise to attack you, it might still be possible. We hope that the article was helpful to you.

get google ranking ad

Author Bio

Tom Koh is widely recognised as a leading SEO consultant in Asia who has worked to transform the online visibility of the leading organisations such as SingTel, Capitaland, Maybank, P&G, WWF, etc. Recently he was instrumental in consulting for a New York-based US$30B fund in an US$4Bn acquisition. Tom is a Computational Science graduate of the National University of Singapore. In his free time he performs pro-bono community work and traveling.

Leave a Reply

Your email address will not be published. Required fields are marked *

Get FREE Website & Digital Marketing Quote Today!

    Go top