Website Security is a process for maintaining security on your websites and servers. Website Security tools scan your websites for potential security-related issues such as pharmaceutical hacks, redirect hacks, backdoor file hacks, Trojan viruses and many more. In this article, I am going to provide a few tips on how you can improve your website security.
1. Keep software upto date
This applies not only to your website, but to every piece of software you have install on your workstations. Hackers regularly find vulnerabilities and security flaws in software.
Software vendors, on the other hand, are regularly providing software fixes to patch up vulnerabilities that are found. If you don’t update your software when updates are available, you could be leaving a wide-open door for hackers to exploit.
You need to keep all software upto date on your workstations, if any workstation is infected it could give access to other systems, including your website.
If your website uses content management system, such as WordPress, you need to keep the content management software upto date at all times. Because CMS's like WordPress, Joomla, Magento are so popular and any security vulnerability that are found can also be exploited widely.
2. SQL injection
SQL injection attacks are when the hacker modifies a web form field or URL parameter in order to gain access, or to manipulate your database. When using standard Transact SQL, it is easy for attackers to insert rogue code into your query to change tables, obtain information and delete important data.
You can always protect this by always using parameterized queries, and most web languages come along with this feature and it can execute easily.
3. Phishing attacks
Phishing is an attempt to gain privileged information such as passwords or personally identifiable information through deception. A classic example is an email that appears to be from a person the victim knows or a service the victim may use.
The email will ask for the information, or direct the victim to a malicious website which will then trick them into divulging the personal information.
4. Hide admin pages
You do not want your admin pages to display by search engines, so you should use the robots_txt file to discourage search engines from listing them. If the admin page is not visible then it would be harder for hackers to find.
5. Limit file uploads
File uploads are a major concern. No matter how thoroughly the system checks them out, bugs can still get through and allow a hacker get access to your site’s data.
The best solution is to prevent direct access to any file uploads is, store them outside the root directory and use a script to access them when necessary. Your web host will probably help you to set this up.
6. SSL helps for website security
SSL is a commonly used security protocol used over the internet. We recommend to use a security certificate whenever passing personal information between the website and web server or database.
Attackers could be looking around for this information, and if the information is not kept secure it is likely they could capture it and use it to gain access to accounts and user data.
7. Remove from auto-fill
When you enable auto-fill for forms on your website, you leave it vulnerable to attack from any user’s computer or phone that has been stolen. You should never expose your website to attacks that utilise the laziness of a legitimate user.
8. Frequent backups require
Just in the worst case, if you loose your for any reason. So, it is always better to maintain regular backup of your data. Back up on-site, back up off-site, back up everything multiple times a day.
Every time a user saves a file it should automatically back up in multiple locations. Backing up once a day means that you lose that day’s data when your hard drive fails. Remember every hard drive will fail.
9. XSS
XSS or cross scripting is when an attacker tries to pass JavaScript or another scripting code into a web form in an attempt to run malicious code for visitors to your site. When creating a form it is important to always double check the data being submitted, as well as strip out or encode any HTML.
10. Tighten network security
- Logins expire after a short period of inactivity.
- Need to change passwords frequently.
- Passwords are strong and NEVER written down.
- A malware scan is mandatory for all devices plugged into the network.
11. Secure access control
The admin level of your website is an easy way into everything you do not want a hacker to see. Enforce user names and passwords that they cannot guess. Change the default database prefix from “wp6_” to something random and harder to guess.
Limit the number of login attempts within a certain time, even with password resets, because email accounts may get compromise as well. Never reveal login details by email, in case an unauthorised user gain access to the account.
12. Passwords
It is no secret that complex passwords are wise, but not everyone heeds this advice. Using strong passwords is crucial in relation to your server and website admin areas, but it is equally as important to insist users follow good practice passwords in order to maintain the security of their accounts.
Password practices should be enforced that require a minimum of eight characters, and include at least one numerical digit as well as one uppercase letter to better protect their information.
Passwords always need to be stored as encrypted values, and it is preferable to use a one way hashing algorithm which means users are authenticated by comparing encrypted values. Salting passwords is a great way to provide passwords with extra security.
Conclusion
So there you have it! The top 12 relatively simple steps you can take to dramatically increase your website security.