After launching your website, you may not think that your site has anything worth being hacked for, but websites are compromised all the time. Putting your website live is like unlocking the door to your premises and leaving your office and safe open. Most of the people who visit your physical building will never even know that all of your data is there to discover just by walking in. Occasionally you will find someone with malicious intent who will walk in and steal your data. The majority of website security breaches are not attempts to steal your data or deface your website, but attempts to use your server as an email relay for spam, or to set up a temporary web server, normally to serve files of an illegal nature.
Hacking is regularly performed by automated scripts written to scour the Internet in an attempt to exploit known website security issues in software. Electronic thieves are invisible and fast. They search your website for details of customers' accounts, especially their credit card information. You have a legal obligation to protect this data from theft. Here are the top 10 tips to help keep your site safe online.
1. Keep your website up to date - You need to stay up to date with hacking threats. If you have at least a basic knowledge of what is possible, you can protect your website against it. It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website, such as a CMS. Open source CMSs are the main target of hackers. It is better to use custom PHP or a highly secure CMS. For more information, check our story CMS vs Custom PHP.
2. Use SSL - SSL is a protocol used to provide security over the Internet. Use an encrypted SSL protocol to transfer users' personal information between the website and your database. This prevents the information being read in transit or accessed without the proper authority. There is a lot of software that claims it will hide the code on your web pages. It doesn't work. Browsers need access to your code in order to render your pages, so the code cannot be hidden; what you can do is protect the pages in transit with SSL and other encryption technology.
3. Form validation on the server side - Validation should always be done both in the browser and on the server side. The browser can catch simple failures such as mandatory fields left empty or text entered into a numbers-only field. Use server-side validation as well, to stop malicious code or scripting from being inserted into the database.
4. SQL injection - SQL injection attacks are very common: an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you use standard Transact-SQL it is easy to unknowingly insert rogue code into your query that could be used to change tables, get information or delete data. You can easily prevent this by always using parameterised queries; most web languages have this feature and it is easy to implement.
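As an added illustration (not code from the original article), the following Python/SQLite script shows the same lookup written both ways: the vulnerable version pastes the form value into the SQL text, the parameterised version binds it. The table contents and the hostile input are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",)])
    return conn


def find_user_vulnerable(conn, username):
    """The 'before': the form/URL value is spliced into the query string,
    so any quote characters inside the value become part of the SQL itself."""
    sql = "SELECT username FROM users WHERE username = '%s' ORDER BY id" % username
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterised(conn, username):
    """The fix: the value is bound as a parameter and is never parsed as SQL,
    whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed input: the quote closes the string literal and the rest
    # turns the WHERE clause into a condition that is always true.
    hostile = "x' OR '1'='1"
    print(find_user_vulnerable(db, hostile))     # every row in the table
    print(find_user_parameterised(db, hostile))  # no user has that literal name
```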
5. Limit file uploads - File uploads are a major concern. No matter how thoroughly the system checks them, bugs can still get through and allow a hacker unlimited access to your site's data. The risk is that any uploaded file, however innocent it may look, could contain a script that, when executed on your server, completely opens up your website. The best solution is to prevent direct access to any uploaded files: store them outside the web root directory and use a script to access them when necessary.
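As an added example (not code from the original article), this Python module implements the advice above: the browser-supplied filename is reduced to a safe name with an allow-listed extension, the file is written under a directory outside the web root, and a separate function is the only way to read it back. The extension allow-list, the sample filenames and the file contents are constructed for the demonstration.

```python
import os
import re
import tempfile

# Constructed allow-list for the demonstration; tailor it to what the site needs.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg"}


def safe_stored_name(client_name):
    """Turn the browser-supplied filename into a name that is safe to use on disk.
    Directory parts are discarded, the extension must be on the allow-list,
    and the remaining stem is reduced to a conservative character set."""
    base = os.path.basename(client_name.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("file type not allowed: %r" % ext)
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64] or "upload"
    return stem + ext


def is_rejected(client_name):
    """True when safe_stored_name() refuses the filename."""
    try:
        safe_stored_name(client_name)
        return False
    except ValueError:
        return True


def store_upload(upload_dir, client_name, data):
    """Write the upload under upload_dir, a directory outside the web root so the
    web server never serves or executes it directly; return the stored name."""
    name = safe_stored_name(client_name)
    path = os.path.join(upload_dir, name)
    root = os.path.realpath(upload_dir)
    # Belt and braces: the final path must still resolve inside upload_dir.
    if os.path.commonpath([os.path.realpath(path), root]) != root:
        raise ValueError("path escapes the upload directory")
    with open(path, "wb") as fh:
        fh.write(data)
    return name


def read_upload(upload_dir, stored_name):
    """The 'script that accesses them': re-validate the name, then return the bytes."""
    with open(os.path.join(upload_dir, safe_stored_name(stored_name)), "rb") as fh:
        return fh.read()


def demo_roundtrip():
    """Store a constructed upload in a temporary directory and read it back."""
    upload_dir = tempfile.mkdtemp()
    name = store_upload(upload_dir, "../../report v2.PDF", b"%PDF-1.4 constructed")
    return name, read_upload(upload_dir, name)
```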
6. Hide admin pages - Admin pages shouldn't be indexed by search engines. To prevent that, use the robots.txt file to discourage search engines from listing them. If they are not indexed, they are harder for hackers to find.
7. Install a web application firewall - A web application firewall (WAF) can be software or hardware based. It sits between your web server and the data connection, and all traffic passes through it. Once installed, a web application firewall provides complete peace of mind by blocking all hacking attempts and also filtering out other types of unwanted traffic, such as spammers and malicious bots.
8. Error messages - Be careful about the error messages you show your users. For example, if you have a login form on your website, think about the error messages you use to communicate a failed login. Use generic messages such as "Incorrect username or password" so as not to reveal when a user got half of the credentials right. If an attacker tries a brute force attack to get a username and password and the error message gives away when one of the fields is correct, then the attacker knows he has one of the fields and can concentrate on the other.
9. Remove form auto-fill - When you leave auto-fill enabled for forms on your website, you leave it vulnerable to attack from any user's computer or phone that has been stolen. You should never expose your website to such attacks.
10. Back up frequently - Backing up is the best way to protect your data and your users' data. Back up on-site, back up off-site, back up everything multiple times a day. Every time a user saves a file, it should automatically be backed up in multiple locations. Remember that every hard drive will eventually fail.