It could still be at risk even if you think your website isn’t a target. Most website security breaches aren’t about stealing data or altering your site’s design. Instead, hackers often aim to use your server to send spam emails, host illegal files, or even join your server to a botnet. Ransomware attacks are also a growing concern.
Many hacking attempts are carried out by automated scripts designed to find and exploit known vulnerabilities in website software. Here are nine essential tips to help keep your website secure.
1. Keep Software Updated
Keeping your software updated is essential for maintaining a secure website, though it might seem like an obvious step. This includes your server’s operating system and any applications you run, like a CMS or forum. When security vulnerabilities are discovered, hackers quickly exploit them.
Using managed hosting, you can rely on your hosting provider to handle operating system updates. However, for websites running third-party software, such as a CMS or forum, it’s crucial to apply security patches as soon as they’re released. Many vendors offer mailing lists or RSS feeds to alert you to security issues. Platforms like WordPress and Umbraco also notify you of system updates directly when you log in.
If you’re a developer using tools like Composer, npm, or RubyGems to manage software dependencies, it’s easy to overlook security vulnerabilities in the packages you rely on. To avoid this, regularly update your dependencies and use tools like Gemnasium to receive alerts when vulnerabilities are identified in your components.
2. Protect Against SQL Injection
SQL injection attacks occur when an attacker exploits a web form field or URL parameter to access or manipulate your database. If you’re using standard Transact SQL, it’s easy to unintentionally include malicious code in your query, which could allow an attacker to modify tables, retrieve sensitive information, or delete data.
A simple way to prevent this is by using parameterized queries. Most programming languages support this feature, and it’s easy to implement.
For example, consider this query:
“SELECT * FROM table WHERE column = ‘” + parameter + “‘;”
If an attacker manipulates the URL parameter to inject ‘ OR ‘1’=’1, the query would become:
“SELECT * FROM table WHERE column = ” OR ‘1’=’1′;”
Since ‘1’ is always equal to ‘1’, the attacker could add additional commands to the SQL statement, which would then be executed.
To fix this, you should use parameterized queries. For instance, in PHP using MySQLi, the query should look like this:
$stmt = $pdo->prepare(‘SELECT * FROM table WHERE column = :value’);
$stmt->execute(array(‘value’ => $parameter));
$stmt = $pdo->prepare(‘SELECT * FROM table WHERE column = :value’);
$stmt->execute(array(‘value’ => $parameter));
This approach ensures that the input is treated safely, preventing harmful SQL code from being executed.
3. Guard Against XSS Attacks
Cross-site scripting (XSS) attacks occur when malicious JavaScript is injected into your web pages and executed in users’ browsers. This can lead to altered page content or stolen sensitive information, like login credentials, which is then sent to the attacker. For example, if user comments aren’t properly validated, an attacker could submit a comment containing harmful script tags that steal login cookies from other users and compromise their accounts.
To prevent XSS, blocking any injection of active JavaScript into your pages is essential. This is particularly important in modern web applications, where much of the content is user-generated and handled by front-end frameworks like Angular or Ember. While these frameworks offer built-in XSS protection, mixing server and client-side rendering can open up new vulnerabilities.
To defend against XSS, ensure that user-generated content is properly sanitized so the browser can’t interpret it as executable code. Use safe methods like element.setAttribute or element.textContent instead of directly inserting raw HTML with element.innerHTML. Also, utilize your templating engine’s built-in escaping functions to prevent unsafe content from being rendered.
Implementing a Content Security Policy (CSP) is also a powerful defense. CSP restricts how JavaScript is executed on your site, blocking inline scripts or preventing scripts from untrusted domains. This creates an extra layer of protection, even if an attacker manages to inject malicious code into your pages.
4. Limit Error Messages
Be mindful of the information you reveal in error messages. Only display minimal details to users and keep detailed error logs on your server. This prevents attackers from gaining insights into your server’s structure and vulnerabilities.
5. Validate Input on Both Sides
Always validate input on both the client and server sides. Client-side validation can catch simple errors, but server-side validation is essential to prevent the processing of malicious data.
6. Enforce Strong Passwords
While most people know they should use complex passwords, they often don’t. It’s essential to use strong passwords for your server and website admin area, and to enforce good password practices for your users to safeguard their accounts.
Requiring passwords with a minimum of eight characters, including an uppercase letter and a number, may not be popular with users but will significantly improve security.
Passwords should always be stored as encrypted values, ideally using a one-way hashing algorithm like SHA. This ensures that user authentication only involves comparing encrypted values. For added security, use a unique salt for each password before hashing.
If a breach occurs and passwords are stolen, hashed passwords can limit the damage since they cannot be decrypted. The attacker must rely on brute force or dictionary attacks to guess passwords. When passwords are salted, the cracking process becomes even slower because each password and salt combination must be hashed separately, increasing computational difficulty.
Fortunately, many CMS platforms offer built-in user management systems with strong security features. However, some might require extra configuration or modules to enable salted passwords (e.g., pre-Drupal 7) or enforce minimum password strength. In .NET environments, it’s advisable to use membership providers, which offer configurable security options and built-in controls for tasks like login and password reset.
7. Avoid File Uploads When Possible
Allowing users to upload files to your website, even for something as simple as changing an avatar, can pose serious security risks. The danger lies in the possibility that an uploaded file could contain a script that, when executed on your server, could compromise your entire site.
If you have a file upload feature, treat all files with caution. Relying on file extensions or MIME types to verify that a file is an image is risky, as these can be easily spoofed. Even checking the file’s header or image size is not foolproof since image formats often allow metadata, which could hide malicious code.
How to Mitigate File Upload Risks:
- Block Script Execution: The primary goal is preventing users from executing uploaded files. Web servers typically don’t execute files with image extensions, but this isn’t guaranteed—an image file like image.jpg.php could still slip through.
- Rename Files & Set Permissions: Rename uploaded files to ensure the correct extension, and adjust file permissions (e.g., chmod 0666) to prevent execution. Additionally, using .htaccess rules (for Apache servers) can limit access to specific file types and block double-extension attacks:
deny from all
<Files ~ “^\w+\.(gif|jpe?g|png)$”>
order deny,allow
allow from all
</Files>
Store Files Securely: The best approach is to store uploaded files outside the webroot, or in a database as a blob. By doing so, users cannot directly access the files. Instead, use a script to fetch and serve the files to the browser. For instance, you can set up a file delivery script that retrieves the file and sets the correct content type in the HTTP header:
<img src=”/imageDelivery.php?id=1234″ />
// imageDelivery.php
Header(‘Content-Type: image/gif’);
readfile(‘images/’.$fileName);
Server Security Tips:
- Use a Firewall: Block all non-essential ports and set up a DMZ (Demilitarized Zone) to only allow access to ports 80 and 443 for web traffic.
- Secure File Transfer: Use secure methods like SFTP or SSH for file uploads to your server.
- Separate Database & Web Server: Host your database on a different server than your web server for better security. This way, only your web server can access the database, reducing the risk of data breaches.
- Physical Security: Don’t overlook the importance of securing physical access to your server.
8. Use HTTPS Everywhere
HTTPS is a crucial protocol for securing communications over the internet. It ensures that users connect to the correct server and that their data isn’t intercepted or altered during transmission.
If your website handles sensitive information, such as login credentials or payment details, using HTTPS throughout your site—not just on login and checkout pages is essential. For instance, when a user logs in, a session cookie is generated, sent with every request they make while logged in. An attacker could hijack the session and take over the account if this cookie is intercepted on a non-secure HTTP connection. HTTPS helps prevent these attacks by encrypting the entire session.
Setting up HTTPS is now easier and more affordable than ever. Services like Let’s Encrypt offer free, automated SSL certificates, making enabling HTTPS on your site simple. Many platforms and frameworks also have tools to streamline this process.
Additionally, HTTPS provides an SEO advantage. Google boosts the ranking of websites using HTTPS, making it not just a security feature but also a way to improve your site’s visibility. With HTTP becoming obsolete, upgrading to HTTPS is a must.
Once HTTPS is fully implemented, consider adding HTTP Strict Transport Security (HSTS). This response header tells browsers always to use HTTPS for your domain, further enhancing security by preventing any HTTP requests from being made to your site.
9. Test Your Security with Tools
Once you’ve implemented the necessary security measures on your website, the next step is to evaluate their effectiveness. The best way to do this is through website security tools, commonly known as penetration testing (or pen testing). These tools simulate the tactics hackers use to identify vulnerabilities in your site.
Numerous commercial and free tools are available to assist with this process. They operate similarly to hacker scripts by testing for known exploits, including SQL injection and cross-site scripting (XSS).
Here are some noteworthy free tools to consider:
- Netsparker: Offers a free community edition and trial version that effectively tests for SQL injection and XSS vulnerabilities.
- OpenVAS: Claims to be the most advanced open-source security scanner, capable of identifying over 25,000 known vulnerabilities. However, it requires installation on a *nix server, which may be complex for some users. OpenVAS is a Nessus fork, created before transitioning to a closed-source model.
- SecurityHeaders.io: A free online tool that quickly checks which security headers (like Content Security Policy and HSTS) are enabled and properly configured for your domain.
- Xenotix XSS Exploit Framework: Developed by OWASP (Open Web Application Security Project), this tool features a comprehensive set of XSS attack examples that can be used to test your site’s input fields in popular browsers such as Chrome, Firefox, and Internet Explorer.
The results from these automated tests can appear overwhelming due to the number of potential vulnerabilities reported. Prioritize addressing critical issues first, as each report typically includes detailed explanations of the vulnerabilities.
You can manually test your site by altering HTTP request values for a more hands-on approach. Using a debugging proxy, such as the freeware application Fiddler, allows you to intercept and modify the values in requests sent between your browser and the server.
Focus on testing areas where access is restricted to logged-in users. Try changing URL parameters, such as user IDs or cookie values, to see if you can access another user’s information. Additionally, examine forms by altering POST values to see if you can submit code that could trigger XSS attacks or upload a server-side script.
