"This is a temporary server error. Please try to reload the webpage later."
It can be the sound of the death toll: a server error blocking all visitors from accessing your website; business ground to a halt, no suggestion of when you’ll be back online.
While most believe they are safe from a hack, the simple truth is, “if you own a website, you must be wary of the threat.” Hackers rarely seek anything of obvious value. Instead, they take over servers to send spam, share illegal files or use your resources as part of their botnet.
In the worst cases, the perpetrator uses ransomware to demand money, or steal data – so, whether you own a humble blog or run an enterprise-level software company, it’s vital you follow these seven steps to protect yourself against common security flaws.
#1 – Always Update Your Software
It’s the typical routine: a software update appears, you’re busy, you click ‘remind me later,’ the cycle repeats. But up-to-date software is the critical first step in keeping your site secure. Even reputable companies frequently identify security flaws in their operating systems, releasing a fix via an update but leaving it to you to download.
So please, download.
If you run 3rd-party software, such as a commenting or forums, always apply security patches immediately. Keep an eye on vendor communications and live feeds, which will update you of current risks and when you see the alert, put the kettle on and click ‘install now.’
Managed host solutions should apply security updates automatically, but it’s diligent to double-check.
#2 – Beware Error Messages
When an error does occur, never expose more information to customers than you need to, keeping specifics to a minimum. Customers only need to know they can’t access your site, they do not need the exception details or any database-related info.
You’d be amazed at how many sites show sensitive data in error messages such as API keys; however, this significantly increases the risk of say: an SQL injection attack…
#3 –Be Wary of the SQL Injection!
An SQL injection happens via web forms or URL parameters where a hacker manages to gain access to your database. If you’re not careful, you can inadvertently add code to your site which the hacker can use to change tables, steal information, even alter your data.
One way to prevent such an attack is to use parameterized queries; a common feature among most web languages.
#4 – Then, Watch for XSS Attacks
To prevent this: use validation on every page and prevent users from submitting JS into any page. And you must validate on both the browser and server side to ensure no-one bypasses your surface-level checks. There are also specific tools like the Content Security Policy (CSP) to protect against XSS attacks.
- Ignoring scripts not hosted on your domain
- Ignoring inline JS
- Disabling eval()
So, even if an attacker manages to insert malicious code, it shouldn’t work if your CSP is appropriately configured.
#5 – Use Strong Passwords
Another simple strategy, but too-often ignored. Not only should you choose a complex password for your site and admin areas, you must insist users do the same; implementing the necessary checks to enforce the policy.
Yes, the call for imagination might cause short-term frustration, but it guarantees long-term security.
The minimum-security password standard reads something like:
- At least 8 characters
- One uppercase
- One number
- One symbol
It’s also critical to store passwords as encrypted values; to use a one-way hashing algorithm, and to salt passwords with a new salt for each new password. Then, if anyone does gain access to your system, at least stolen passwords remain encrypted; customer accounts secure!
#6 – Implement HTTPS
HTTPS is the internet-wide protocol guaranteeing site security: it tells users they are interacting with the server they think, and it stops would-be attackers from stealing or altering on-site content.
Any site dealing in sensitive data must use HTTPS: Payment information, login details, personal data – this must all past through a secure layer to stop hackers stealing the info, then either taking control of an account or defrauding your customers.
HTTPS is not expensive to implement. Let’s Encrypt is a ‘free, automated and open certificate authority’ letting you quickly enable HTTPS and they have a suite of tools covering the most common platforms. Moreover, Google Search now boosts sites that focus on security as detailed in our piece on SSL.
Consider yourself warned: Fail to follow the standard, tumble down the search rankings.
#7 – No File Uploads
Arguably the hardest rule to follow, but file uploads present a significant security vulnerability. Who knows what script people will try to inject via a file executed on your server? If you must have uploads, follow one rule…
Every file is guilty until proven innocent.
Even images might not be images, so don’t rely on file extensions to identify file-types and don’t let users execute any file they upload. Preferably, prevent all direct access to uploaded files; or store files in a folder outside of the web root. If you allow internet-uploaded files, use SFTP or SSH for additional security.
Better yet, if you can run your database on a separate server to your web server, you minimize exposure to the wider world, on which note: restrict physical access.
Hacks can also occur in-person, not just online.
Now, Put Your Site to the Penetration Test
No matter how secure you believe your website to be, you have to test it.
Penetration testing uses a collection of web security tools to scour your site for weakness. They replicate the script-style attacks of hackers checking all exploitable flaws and trialing the methods we’ve covered above.
For free tools, start with the below:
- Netsparker – checks XSS and SQL injections;
- Xenotix XSS Exploit Framework – tests a wider range of XSS attacks across browsers.
- io – validates the configuration of tools such as CSP.
While the tests may surface lots of issues, only focus on the most critical: each warning will have an associated severity with medium-low priorities important, but less of a concern.
Now, it’s time to get testing – let’s keep your livelihood secure!