You may not believe your site is worth hacking, but websites are constantly compromised. The majority of website security breaches are not attempts to steal your data or change the layout of your website; instead, they use your server as an email relay for spam or set it up as a temporary web server, usually to serve illegal files. Another common way compromised machines are abused is as part of a botnet or to mine for Bitcoins. You could even be infected with ransomware.
Much of this is carried out by automated scripts that scour the internet looking for known security flaws in web software. Here are our top picks for keeping your site safe.
01. Keep software up to date
It may seem obvious, but keeping all software up to date is critical for keeping your site secure. This applies to both the server operating system and any software on your website, such as a CMS or a forum. When website security flaws are discovered in software, hackers are quick to exploit them.
02. Watch out for SQL injection
SQL injection attacks occur when an attacker attempts to gain access to or manipulate your database through a web form field or URL parameter. If you build a standard Transact-SQL query by joining strings together, it is easy to unintentionally let rogue input become part of the query, where it can be used to change tables, retrieve information, and delete data. You can easily avoid this by always using parameterised queries, which are available in most web languages and are simple to implement.
03. Protect against XSS attacks
04. Beware of error messages
Be mindful of how much information you reveal in error messages. Show your users only minimal error messages, so that server secrets (e.g. API keys or database passwords) are never leaked. Don't give out full exception details either, as these can make complex attacks like SQL injection far easier.
05. Validate on both sides
Validation should always be performed on both the client and server sides. Simple failures, such as mandatory fields left empty or text entered into a numbers-only field, can be caught by the browser. These checks can, however, be circumvented, so you should repeat them, along with deeper validation, on the server side; failing to do so could allow malicious code or scripting code to be inserted into the database, or cause undesirable results on your website.
06. Check your passwords
Everyone understands the importance of using complex passwords, but that doesn't mean they always do. It is critical to use strong passwords for your server and website admin area, but it is also critical to enforce good password practices for your users in order to protect the security of their accounts.
As much as users may dislike it, requiring a minimum of eight characters, including an uppercase letter and a number, will help to protect their information in the long run.
07. Avoid file uploads
Allowing users to upload files to your website, even if it's just to change their avatar, can pose a significant security risk. Any file uploaded, no matter how innocent it appears, could contain a script that, when executed on your server, completely opens up your website.
If you have a file upload form, you must treat all files with extreme caution. If you allow users to upload images, you cannot rely on the file extension or MIME type to verify that the file is an image, because these can be easily forged. It is not enough to open the file and read the header, or to use functions to check the image size. Most image formats support the storage of a
08. Use HTTPS
HTTPS is the protocol that secures communication between a browser and a web server. HTTPS ensures that users are communicating with the server they expect and that no one else can intercept or change the content they see in transit.
If you have anything that your users may want to keep private, only use HTTPS to deliver it. Of course, this includes credit card and login pages (as well as the URLs they submit to), but it also includes a lot more of your site. A login form, for example, will frequently set a cookie, which is sent with every other request to your site made by a logged-in user and is used to authenticate those requests. An attacker who stole this would be able to perfectly impersonate a user and steal their data.