Small businesses to massive corporations all have an enemy in common, hackers! There are many motives for the modern day hacker. The obvious motive is to steal sensitive information like passwords, credit cards and personal identities.
Other well know reasons hackers gain access to your website is to do malicious damage to your reputation. Cyber criminals that get a hold of your web files can deface your web pages or even hold your entire website hostage and demand a ransom for its freedom.
The number one reason hackers attack is not to steal your sensitive data or to hijack your website. Most websites attacks are done with the intent of using your server as an email relay for spam, to insert hidden links or used to serve malicious files.
If you think the common hacker is just some guy sitting in his mom’s basement trying to wreak havoc, you have another thing coming. Hacking has become very sophisticated and, in most cases, is an automated process using programming scripts to search the Internet looking for security weaknesses in websites.
Here are 10 tips every website owner should know to help keep their website safe and secure.
1. Update software: Not only is updating crucial to keeping your online system running correctly with the latest technology, but it is also imperative that you do this to plug up the security holes that hackers are looking for in your software. Both the operating system on your server and any software you use on your website need to be updated regularly.
Content management systems used to build websites like WordPress, Drupal and Joomla are being updated constantly. These platform providers are working non-stop on keeping their systems safe and secure and will often alert webmasters when an update is available. WordPress, for example, will alert you at the top of your dashboard that an update is available. All you need to do is click the update and WordPress will take care of the rest.
The same goes for any third-party plugins that you use on your website. Make sure you have a maintenance routine in place to check for updates. Just like WordPress itself, alerts are given whenever you log into your dashboard. There is also a WordPress plugin called WP Updates Notifier that you can install that can alert the administrator any time there is an update available for a plugin, theme or an updated for WordPress itself.
2. Passwords: If your username is Admin and your password is 1234 then don’t be surprised when a hacker takes over your website. It’s like leaving your front door unlocked while you go on vacation.As a matter of fact if your password matches any of the 25 most common passwords from the past 5 years, it isn’t if you’ll get hacked, it’s a matter of when. Make sure you use strong passwords to protect all of your logins to protect against brute force and dictionary attacks.
You need to make your passwords as difficult to guess as possible. Use a mixture of upper and lower case letters, numbers and special characters like an exclamation point (!) or dollar sign ($). A common technique is to use numbers and symbols to represent letters in a word so it is easy for you to remember, but tougher to guess. An “E” is often replaced with a 3, “O” is replaced with a zero, “A” is replaced with @. For example, “FreePassword” could be spelled Fr33P@ssw0rd. Get the idea?
You also need to change your passwords frequently and keep them stored in an encrypted form in your database. Your customers should also be required to create secure passwords. Require user accounts to be protected by a password at least 12 characters long and use a mixture of upper and lower case letters, numbers and special characters like described above.
3. Error messages: Simply put, do not give up too much information to the hacker. When someone fails to log in using a username and password, do not tell them which one is wrong. Simply give them an error message that says “the username and password are incorrect”. If you just tell them the password is incorrect then they know the username is good and they will concentrate on breaking the password and vice-verse.
4. Toughen up access control / Two-factor authentication: If you have ever tried to log into your bank’s website, then you have probably encountered both of these techniques. One way to toughen up access control is to limit the number of login attempts. If someone gets the username and password wrong more than 3 times, block the access for a given period or require customer service to unblock it.Another technique that websites are using to protect consumer accounts is two-factor authentication. An example of two-factor authentication is where a text message with a code is sent to the phone of the person trying to log in. They then need to enter this secret code to gain access to the account. It might seem like a cloak and dagger technique, but keeping hackers out is serious business!
5. SQL Injections / XSS: Web forms, like on a contact page or sign up form, are also vulnerable to attacks. So are your URLs if manipulated in a browser. Hackers can enter code into the form fields and URLs that can cause major havoc.SQL injections are when a hacker uses database queries to try to manipulate table data in your database. They can add, change or even delete data if you do not take certain precautions. It is easy to stop this type of attack by using parameterised queries, almost every web language has features to stop this.
Cross-site scripting (XSS) is a client side attack using JavaScript or other client side scripting to inject vindictive code that will effect visitors to your site. Basically, they are trying to get visitors on your site to execute malicious JavaScript. The best way to combat this is to make sure that any data that is submitted through your forms is “cleaned up”, in other words escaped/encoded. Here is a great XSS prevention cheat sheet you can use to make sure you are good to go.
6. Server side/Client side form validation: SQL Injections / XSS attacks are some of the most common techniques hackers use so this tip simply emphasizes tip number 4. It will help you to ensure the data you are collecting through forms in correct and legitimate. To put it in layman’s terms, you want to make sure the data being sent through your web forms is accurate and safe.
Client side validation uses JavaScript to check the validity of the data before being submitted to the web server. It makes sure that emails are in a proper email format, phone numbers are formatted correctly, and no computer code has been included. If it is OK, it can then be passed to the server to be stored in your database or sent in an email.
Server side validation uses a server scripting language, like PHP, to check the data again just in case anything got through. If data passes both validation techniques, you can rest assured the data is most likely correct and safe.
7. File uploads: Any time you allow a file to be uploaded to your server through your website you are facing security risks. Even images can be problematic. There are simply too many techniques necessary to beat file upload security risks to list in this article. This is a matter you will need to investigate further if you need assistance in securing your file uploads. The biggest problem is allowing a file to be executed. The best way to prevent any issues is to not allow direct access to any uploaded files. If you do allow uploads always use a secure transport system like SFTP or SSH.
8. Hide admin pages: Use your robots.txt file to disallow search engines from indexing your admin pages. This will make it harder for the hacker bots to find them and begin their attacks. SEOBOOK.com offers a great tutorial on creating a good robots.txt file. You may also try changing the file names of some of the more commonly vulnerable files. Files like login.php are obvious names for hackers to look for when scouring your server. If it was named random-file.php a hacker bot might skip right past it.
9. SSL / HTTPS: SSL certificates changes your communication protocol from http: to https: which is a much safer way to transfer sensitive data from a website to the server. AN SSL certificate is a digital certificate that authenticates the identity of a website and encrypts information sent to the server. This way your sensitive data cannot be intercepted and read between the website and server. You need a unique key to interpret the encrypted data.SSL certificates now also have SEO benefits. Google announced that they give higher rankings to websites with SSL certificates.
10. Backup routinely: This might be our last tip, but maybe it should have been our first. A regular backup routine of your database, website and configuration files will help you to restore your website if hackers should ever do damage. These backups should be kept in a safe location like on an external hard drive and should be stored in a safe place where hackers and other natural disasters can’t destroy them.Performing a backup is fairly simple. Use the cPanel provided by your hosting provider. Within the cPanel is a backup wizard that can walk you through the steps of backing up your files and databases.
If working in a CMS like WordPress, there are also plugins available like BackUpWordPress that can help you set up a backup routine.
There are of course many other steps that can be taken to protect your website, server and databases. However, if you follow these 10 basic tips you will be well on your way to stopping hackers from getting in where they can cause trouble. If you would like more information on how to fully protect your company’s website, simply give us a call or contact us and we will be happy to help.
