Five essential tips to keeping your website secure
by David Dwyer on 23/07/2017
Why and how hackers are targeting your website
Five essential tips to keeping your website secure
As 2017 has so graphically demonstrated businesses, from the smallest micro enterprise to organisations as large as the NHS, face an unprecedented risk of falling victim to hacking.
In May, the world witnessed the largest, global ransomware outbreak in history. In total, 47 health trusts in England reported problems at hospitals, GP surgeries or pharmacies and 13 NHS organisations in Scotland were also affected. The issue? A weakness in Microsoft’s Windows operating system that had been patched three months previously.
The vast majority of hack attacks are designed to do one of three things: steal your customer data, such as credit card data and personal identity information, for sale on the Dark Web; deliberately bring your site down via a distributed denial of service attack; or target your server as an email relay for spam. Cybercriminals can even exploit compromised machines to hijack your servers to mine for Bitcoins.
Just as a burglar physically cases vulnerable houses, looking for weak spots and easy pickings, hackers use automated scripts that search the web seeking known website security flaws found in software.
However, there are five key steps you can take to keep your site secure.
1. Keep platforms and scripts up to date
It’s vital you ensure all software, frameworks, CMS, third-party plug-ins, forums or libraries installed are kept up-to-date. The code for open source software is easily available and can be abused by malicious hackers. Leading the fightback is an active developer community that works hard to discover and rectify security gaps. When using third party software on your website, always upgrade to the latest version, especially if it includes security patches.
2. The p4ssw0rd dilemma
As recent scares with certain widely available household wifi routers revealed, most of us are aware of the importance of using complex passwords, but most of us do not follow through.
Strong, random passwords for your server and website admin area are essential. They should never be easy to guess. Also focus on good password practices for your users, to prevent their accounts from being hacked.
Stored passwords must be encrypted, using algorithms like SHA-2, so that only encrypted values are compared when authenticating users. You can also salt your passwords, to help limit damage in the event passwords are stolen. Salted passwords slow down decryption, making it an expensive exercise for hackers. Many CMSs provide built-in security features, although some configuration may be required to use salted passwords or to set the minimum password strength.
Many users still think that short passwords including a mix of uppercase letters, special characters and numbers are enough to protect your accounts. We would always recommend using a passphrase of variable lengths between 16 and 23 characters. Using a passphrase instead of a password makes it harder for attackers to brute force attack and it can also be easier to remember.
3. Use command parameters to prevent SQL injection
When an attacker accesses your database by inserting rogue code through a web form field or URL parameter, it is known as an SQL injection attack. Such staged attacks send malicious SQL commands to database servers through web requests like input channels, query strings, cookies or files. SQL injections can insert new user accounts, delete existing user accounts, display restricted records and information, change the contents of records or even compromise the server’s operating system.
SQL injection attacks are preventable by using parameterised queries (most web languages have this feature and it is easy to use). Command parameters get defined by adding placeholder names in SQL commands, which can then be replaced by user input. This way the database knows anything stored inside the parameters is just input and therefore it cannot be tricked into reading it as code. There are scanning tools available, such as sqlmap, which can detect potential SQL injection vulnerabilities in your site.
4. The principle of minimal privilege
Ensure that all your web applications are restricted to the minimum permissions possible to be able to perform the required tasks. When an administrative account gets compromised, it can potentially give hackers access to your entire database system. It’s best to use an account that only has simple read-write permissions to the specific database behind your website, so even if there is an SQL injection attack, the scope of damage remains limited within the single database.
5. One way data traffic
Allowing file uploads to your site is a major security risk. Any uploaded file can carry malicious code that sneaks into your system and makes your website vulnerable to hackers.
Users should be prevented from getting direct access to uploaded files altogether, and there should be restrictions regarding executing any files they upload. All downloaded files must be stored outside root directories or stored in the database as a blob, with dedicated scripts used to deliver them to the browser when required.
A final word on hosting
Did you know that nearly 41% of websites are hacked because of security vulnerabilities in their hosting service? Select the right host is key to protecting your website. Choose a reputable hosting service, offering robust security features.
Inspire Web Services, Security, SSL, SSL Certificate, The Evolving Web, Web Consultancy, Website Support