If your website has ever been hacked, you know how painful it is. Attackers can damage the reputation of your IP address, steal sensitive information, delete or modify your data, inject malicious content into your SQL database, and plant backdoors in scripts for later use. Once compromised, a site is also more likely to be attacked again. Cleaning up and restoring an infected site to a known-good state is hard work, so the best defence is prevention: a few precautions now can save you a great deal of frustration later.
1. Keep software up to date
Keeping your software up to date is one of the simplest ways to keep your website secure. When a security hole becomes public, attackers move quickly to exploit it on sites that have not yet patched. If you use a managed hosting solution, you normally do not have to apply operating-system security updates yourself, because the hosting company takes care of that layer.
Outdated scripts and installations, such as WordPress core, themes and plugins, are another common source of vulnerabilities. Their updates are frequently security patches for flaws that attackers are already exploiting, so check for available updates regularly and apply them promptly, not only when something breaks.
2. Watch out for Error Messages
Be careful about how much information your error messages reveal. Give users only the minimum they need to understand what went wrong, so that nothing stored on the server (such as API keys or database passwords) leaks out. Do not return full exception details or stack traces either: they make attacks such as SQL injection much easier by telling the attacker exactly which query failed and why. Keep the detailed errors in your server logs and show users only a generic message, ideally with an identifier you can look up in the log.
3. Validate on both server and browser sides
Validate input on both the browser side and the server side. The browser can catch simple mistakes, such as a required field left empty or text typed into a numeric field, and give the user immediate feedback. Those checks are easily bypassed, though, because an attacker can send requests without using your form at all. Repeat every check on the server, and add the deeper checks that only the server can perform; otherwise malicious data or script code can end up in your database or cause unwanted behaviour on your site.
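As an added example (not code from the original article), here is a server-side validator for a signup form whose browser-side checks are only `required` and `type="number"`. It re-checks both fields on the server regardless of what the browser did, and then builds the database insert with query parameters instead of string concatenation. The field names, the `{ text, values }` query shape (the one node-postgres accepts) and the unsafe counterpart are assumptions for illustration; the example does not open a database connection.

```javascript
// Added example: server-side validation plus a parameterised insert.
const USERNAME_RE = /^[A-Za-z0-9_]{3,32}$/;

// Re-validate every field on the server. Form values arrive as strings (or
// are missing entirely if the request bypassed the form), so coerce
// explicitly and reject anything outside the expected shape.
function validateSignup(body) {
  const errors = [];
  const username = typeof body.username === 'string' ? body.username.trim() : '';
  if (!USERNAME_RE.test(username)) {
    errors.push('username must be 3-32 letters, digits or underscores');
  }
  const age = Number(body.age); // "" -> 0, "abc" -> NaN, undefined -> NaN
  if (!Number.isInteger(age) || age < 13 || age > 150) {
    errors.push('age must be a whole number between 13 and 150');
  }
  return errors.length ? { ok: false, errors } : { ok: true, value: { username, age } };
}

// Safe: values travel separately from the SQL text, so they can never be
// parsed as SQL.
function buildInsert({ username, age }) {
  return {
    text: 'INSERT INTO users (username, age) VALUES ($1, $2)',
    values: [username, age],
  };
}

// Unsafe counterpart for comparison: a crafted username closes the quoted
// literal and appends its own statement.
function buildInsertUnsafe({ username, age }) {
  return `INSERT INTO users (username, age) VALUES ('${username}', ${age})`;
}

// Request handler: reject invalid input with 400, otherwise build the insert.
function handleSignup(body) {
  const result = validateSignup(body);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };
  return { status: 201, body: buildInsert(result.value) };
}

// Usage: a request crafted with curl rather than the form.
const crafted = { username: "x'); DROP TABLE users; --", age: '25' };
console.log(handleSignup(crafted));          // 400, username rejected
console.log(buildInsertUnsafe({ ...crafted, age: 25 })); // what concatenation would have sent
```

Note that the parameterised query protects against injection even when validation is too permissive; the allow-list regex is defence in depth, not the only barrier.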
4. Use HTTPS
HTTPS is HTTP carried over TLS. It assures users that they are talking to the server they expect (the server proves its identity with a certificate), and it prevents anyone in between from reading or altering what is sent in either direction. If you have any content that users expect to be private, serve it only over HTTPS. That obviously includes credit-card and login pages and the URLs they submit to, but in practice it covers far more of your site than that.
For example, a login form usually sets a session cookie, which the browser then sends with every subsequent request to your site and which the server uses to authenticate those requests. An attacker who captures that cookie on the network can impersonate the user completely and take over the session. To rule out this kind of attack, you almost always want to use HTTPS for the entire site, and mark the cookie so that the browser never sends it over plain HTTP.
5. Get website security tools
Once you think you have covered everything, test the security of your website. The most effective way is to attack it the way an intruder would, a practice known as penetration testing or simply pen testing, and a number of website security tools automate the routine parts of that work.
There are many commercial and free products that can help. They work much like the scripts attackers use: they probe for known vulnerabilities and try some of the methods mentioned earlier, such as SQL injection, to compromise your site.
Some free tools worth paying attention to:
– Netsparker (a free community version and a trial version are provided). Very suitable for testing SQL injection and XSS.
– OpenVAS describes itself as the most advanced open-source vulnerability scanner, and it currently ships more than 25,000 vulnerability tests. It can be difficult to set up, though, and requires installing an OpenVAS server, which runs only on *nix. OpenVAS began as a fork of Nessus when Nessus became a closed-source commercial product.
– SecurityHeaders.io (free online check). Quickly reports which security headers (such as CSP and HSTS) are enabled and correctly configured on your domain.
– Xenotix XSS Exploit Framework, an OWASP (Open Web Application Security Project) project, includes a large library of XSS attack payloads that you can run to quickly confirm whether your site's inputs are vulnerable in Chrome, Firefox and IE.
Find out more at Casbay Blog.