You might not believe that your website has anything that could cause it to get hacked, but sites are always compromised. The most of site security breaches that happen do not target altering the website layout or stealing data, but they instead try to utilise your server to broadcast spam emails, or to create a temporary internet server, usually to operate files that are illegal. Other conventional methods of abusing compromised websites include mining for bitcoins or using your server as a botnet portion. Your site could even get attacked by ransomware.
Hacking is often done using automated scripts created to search the web for websites with a particular software security issue. Below are some tips that can assist to maintain you and your website secure online.
This is a protocol that offers security through the internet. HTTPS ensures that consumers communicate only to the intended server, and no one else can change the content or intercept the content they are looking at on the way.
If your website has anything that the consumers might want confidential, it is recommended that you only use HTTPS to convey it. That includes login and credit card pages, and your website in general. For instance, a login page will always set cookies. These cookies are always sent to your website whenever a logged-in user requests to authenticate the requests. An intruder may get this information and entirely imitate the user to take up their login period. To prevent such attacks, you will require to use HTTPS protocol for your whole website.
Also, Google boosts your search engine rankings when you use HTTPS, offering you SEO advantages too. Now it is time to upgrade because the use of the vulnerable HTTP protocol is soon coming to an end.
Avoid User Uploaded-Files
Giving users the ability to upload files on your site is a considerable security risk, even if it is to modify their profile. The threat is that the uploaded files, regardless of how innocent they seem, could comprise a text that when your server executes it, it completely uncovers your site.
If your website has a form for uploading files, you need to handle all the data with suspiciousness. If you allow the users to upload pictures, you cannot depend on the type of mime or the file extension to verify that it is an image file because they can be easily faked. Also, utilising functions to determine the size of the image or opening the file and looking at the header is still not dependable. Most formats of images allow for comments that would contain PHP codes that can be effected by your server.
So, what do you do to protect that? Some options include renaming the uploaded files to make sure they have the right file extension or changing the permissions of the files so that the server cannot execute it. If utilising *nix, you can make a .htaccess file that restricts access to only the set files, which prevents attacks from double extensions as mentioned above.
Eventually, the best solution is preventing the server from accessing uploaded files directly. That way, any uploaded files in your website will be stored in your database as a collection or in a folder outside your webroot. If you cannot access the files directly, you will require to make a script to retrieve the files from the external folder and present them to the browsers. Most web hosting in Singapore agencies undertake the server configuration tasks for you, but if you own a server that hosts your website, you will need to check for a few things.
Make sure that you have set up a firewall that blocks all the ports that are non-essential. Where possible, set up a DMZ that allows access to port 443 and 80 from the external world. However, this may not be achievable if you cannot access the server from an in-house network because you will require to open up the ports to allow file uploads and login to your server remotely through RDP or SSH.
If your site allows file uploads over the internet, use only secure transport means to the server like SSH or SFTP.
If you can, ensure that your database and website are hosted on different servers. By doing so, you secure your database from direct access from the external world. It can only be accessed by your web server, reducing the risk of your information getting exposed.
Also, do not forget to restrict physical entrance to the server.
Inspect Your Passwords
Everybody understands that they should utilise strong passwords, but it does not mean that it is what they do. It is essential to use complex passwords to your website admin section and server. It is also crucial to insist on strong password practices for the users to safeguard their accounts’ security.
Although the users might not want that, enforcing requirements for passwords like including characters and uppercase letters, and the minimum number of characters helps guard their information in the end.
You should always ensure that you store your passwords as encrypted treasures using a single-way algorithm for hashing like SHA. For additional site security, it is advisable to salt your passwords – giving each password a different salt. If someone tries to steal or hack your passwords, hashed passwords prevent it since it is not possible to decrypt them. The only options they can use are brute force attack or dictionary attack. These involve guessing all the combinations until they get a match.
Gratefully, most content management systems offer loads of these site security features installed, although you may need some additional modules or configuration to set the minimum password requirements or utilise salted passwords. If you use .NET platforms, it is advisable to use the membership plans because they are very straightforward to configure. They also come with inbuilt site security features and password reset and login controls.
Authenticate on Both Sections
Make sure that you validate both the server and the browser sides. Browsers can mark simple flaws like compulsory empty fields and when text is entered in the numbers-only field. These can get easily avoided, and it’s up to you to ensure that you look for that validation – the same applies to the server side, as failure to do that might cause to scripting or malicious codes getting inserted in your database that can lead to unfavourable consequences in your site.
Watch Out Error Message
Be cautious of the information you disclose in the error messages. Give away as minimum errors as possible to the users to make sure they don’t uncover your server’s secrets like database passwords and API keys. Also, don’t give all your exception information, as it makes complicated attacks such as SQL injection more straightforward. Store detailed errors in the server logs and give users only the details they require.
Defend Against XSS Attacks
The most important thing here is to concentrate on how the content generated by users might bypass the limits you intended and get interpreted by the browser as something else rather than what you wanted. It is the same as protecting against injection of SQL. When generating HTML forcefully, utilise the functions that target the specific changes that you need.
Beware of SQL Attacks
SQL attacks involve attackers use URL elements or the form fields on your site manipulate or access your database. When using a basic Transact SQL, it is simple to insert a malicious code that could be used to delete data, gather information, or change tables. This can be prevented by utilising parameterised queries. This feature is available in most coding languages, and it is easy to use.
Keep Your Software Updated
It may sound obvious, but ensuring that your software is updated is crucial in providing the security of your website. It applies to both the operating system of your server and the active software on your site, like forum and CMS. When there are security flaws on your site, hackers are fast in trying to misuse them.
If you have contracted a Singapore web hosting agency to host your website, there is no need of worrying too much about updating your site security details as the company takes care of that. If you have extra software on the website, ensure that you apply security updates quickly. Most companies offer RSS feeds or mailing lists that give you any security issues on your website. Other platforms like Umbraco and WordPress send you notifications of an available update whenever you log in.
You can also use online tools like Gemnasium to send you automated notifications whenever your website becomes vulnerable to attacks.
Use Site Security Tools
Once you feel that you have finished everything, it is now time to test the security of your website. The best way of accomplishing this is by using website security tools, commonly known as pen testing or penetration testing.
Here are some of the tools that you can consider using for free in Singapore:
- Xenotic XSS Exploit Framework: It is a tool developed by OWASP, and it has a massive amount of XSS injection examples that you can run quickly to test whether the upload on your website is vulnerable in IE, Firefox, and Chrome. The automated test results can be scary because they present a large number of potential threats. The critical thing is to concentrate on the pressing issues first. Each reported problem usually comes with a decent explanation of the possible risks.
- SecurityHeades.io: It is a tool that offers a free online security check to your website for security headers that has been correctly configured and enabled in your domain.
- OpenVAS: This is among the most advanced open source scanner for potential security threats in your site. It is excellent in testing for known risks, and it currently scans over 25,000 vulnerabilities. However, it can be hard to install since it requires the installation of an OpenVAS server which only works on *nix.
- Netsparker: It is suitable for examining XSS and SQL injection.
There are some additional steps that you can use to compromise your website manually by changing the values of the POST/GET elements. A proxy for debugging can help you with this as it enables you to obstruct the HTTP request values between the server and the browser. An example of a free tool that can assist you with this is Fiddler.
Site security is among the things that take time and money to achieve but can be beneficial if you get involved in a cyber attack. However, you cannot be 100% guaranteed against attacks. This guide will assist you to secure your site, but if a hacker gets access to your site and has the resources and expertise to attack you, it might still be possible. We hope that the article was helpful to you.