How to keep your website secure from hackers and phishing attacks

Your site is valuable to you and to your visitors. To build good protection against malicious attacks, you need a guide on how to protect your site from hackers. You may think there is nothing on your site worth hacking, but sites are compromised constantly.

Most site security breaches are not aimed at stealing your data or messing with your site's layout.

Instead, attackers try to use your server as a temporary web server, typically to relay spam or to serve illegal files.

Another very common way to abuse compromised machines is to use them as part of a botnet or to mine Bitcoin. You may also be hit by ransomware.

Attacks are routinely carried out by automated scripts written to scan the internet for sites running software with known security issues, and to exploit them.

Here are some top tips to help keep you and your site safe online.

Keep your website up to date

This may seem obvious, but keeping all software up to date is vital to the security of your site.

This applies to the server operating system and to any software you run on your sites, such as a CMS or forum.

When security vulnerabilities are found in software, hackers try to exploit them quickly.

If you use a managed hosting solution, you don't have to worry about applying operating system security updates, because the hosting company takes care of that.

If you use third-party software on your sites, such as a CMS or forum, you need to apply security fixes quickly.

Most vendors have a mailing list or RSS feed detailing any site security issues.

WordPress, Umbraco and many other CMSs notify you of available system updates when you sign in.

Many developers use tools like Composer, npm, or RubyGems to manage their software dependencies, and security vulnerabilities appearing in a package you depend on but aren’t paying any attention to is one of the easiest ways to get caught out. Ensure you keep your dependencies up to date, and use tools like Gemnasium to get automatic notifications when a vulnerability is announced in one of your components. 

Beware of SQL injection

An SQL injection attack is when an attacker uses a web form field or URL parameter to gain access to or manipulate your database.

When you use standard Transact SQL, it is easy to unknowingly insert rogue code into your query that can be used to change tables, retrieve information, or delete data.

You can easily prevent this by always using parameterised queries; most web languages have this feature and it is easy to implement.

Protection against XSS attacks

A cross-site scripting (XSS) attack injects malicious JavaScript into your pages, which then runs in your users' browsers and can change the page content or steal information to send back to the attacker.

For example, if you display comments on a page without validating them, an attacker can submit a comment containing script tags and JavaScript that runs in every other user's browser, steals their login cookies, and lets the attacker take control of each of those users' accounts.

You need to make sure that users cannot inject active JavaScript content into your pages.

This is a particular concern in modern web applications, where pages are now built primarily from user content, which often generates HTML that is interpreted by front-end frameworks such as Angular and Ember.

These frameworks provide many XSS protections, but mixing server and client rendering creates new and more sophisticated attack paths.

It is no longer only JavaScript injected into HTML that is effective: injected content can also run code by inserting Angular directives or by using Ember helpers.

The key here is to focus on how your user-generated content could escape the bounds you expect and be interpreted by the browser as something other than what you intended.

This is similar to defending against SQL injection. To create dynamic HTML, use functions that explicitly make the change you are looking for (for example, use element.setAttribute and element.textContent, which the browser escapes automatically, instead of manually setting element.innerHTML), or use your templating tool's functions.

Those functions escape content automatically, rather than concatenating strings or setting raw HTML content.

Another powerful tool in the XSS defender's toolbox is Content Security Policy (CSP).

A CSP is a header your server can return, which tells web browsers to restrict how and what JavaScript runs on the page, for example blocking scripts that are not hosted on your domain, disabling inline JavaScript, or disabling eval().

Mozilla has a great guide with some example configurations. This makes it harder for an attacker's script to work even if they do manage to get it onto your page.

Beware of error messages

Be careful how much information you give away in your error messages.

To avoid leaking secrets stored on your server (for example, API keys or database passwords), show your users only minimal error messages.

Also, do not include full exception details, as these can make complex attacks such as SQL injection much easier.

Track detailed errors in your server log and show users only the information they need.

Validate on both the front end and the back end of the website

Validation should always be done on the browser and server-side.

The browser can catch simple failures, such as mandatory fields left empty or text entered into a numbers-only field.

However, these checks can be bypassed, so you should repeat these validations, and deeper ones, on the server; otherwise malicious code or script code could be inserted into the database or cause undesirable results on the server.

Secure passwords

Everyone knows they should use complex passwords, but that doesn't mean they always do.

It is crucial to use strong passwords for your server and site admin area, but it is equally important to insist on good password practices for your users, to protect the security of their accounts.

Even if users don't like it, enforcing password requirements such as a minimum of 8 characters, including uppercase letters and numbers, will help protect their information in the long run.

Passwords should always be stored in encrypted form, preferably using a one-way hashing algorithm such as SHA (Secure Hash Algorithm).

Using this method means that you only ever compare encrypted values when verifying users' identities.

For extra website security it is a good idea to salt the passwords, using a new salt per password. If someone steals your password database, they cannot decrypt the hashed passwords, so hashing limits the damage.

The best someone can do is a dictionary attack or brute force attack, essentially guessing every combination until they find a match. When passwords are salted, cracking large numbers of passwords is even slower, because every guess has to be hashed separately for each salt and password, which makes finding the correct one impractical.

Beware of file uploads

Allowing users to upload files to your site can be a big security risk, even if it is simply to change their avatar.

The risk is that any uploaded file, however innocent it may look, could contain a script that, when executed on your server, completely opens up your site.

If you have a file submission form, then you should treat all files with great suspicion.

If you allow users to upload images, you cannot rely on the file extension or the MIME type to verify that the file is an image or document, as these can easily be faked.

Even opening the file and reading the header, or using functions to check the image size, is not foolproof.

Most image formats allow a comment section to be stored, which could contain PHP code that the server would execute. So what can you do to prevent this? Ultimately, you want to stop users from being able to execute any file they upload.

By default, web servers won't attempt to execute files with image extensions, but don't rely solely on checking the file extension, as a file named image.jpg.php has been known to get through.

Some options are to rename the file on upload to ensure it has the correct file extension, or to change the file permissions, for example chmod 0666, so that it cannot be executed.

If you need to allow file uploads, take a few steps to make sure you protect yourself:

  • Create a whitelist of allowed file extensions. By specifying which types of files you’ll accept, you keep suspicious file types out.
  • Use file type verification. Hackers try to sneakily get around whitelist filters by renaming documents with a different extension than the document type actually is, or adding dots or spaces to the filename. 
  • Set a maximum file size. Avoid distributed denial of service (DDoS) attacks by rejecting any files over a certain size. 
  • Scan files for malware. Use antivirus software to check all files before opening.
  • Automatically rename files upon upload. Hackers won’t be able to re-access their file if it has a different name when they go looking for it. 
  • Keep the upload folder outside of the webroot. This keeps hackers from being able to access your website through the file they upload.

These steps can remove most of the vulnerabilities inherent in allowing file uploads to your website. 

Most hosting providers configure the server for you, but if you host your site on your own server, there are a few things you will want to check.

Make sure you have a firewall set up and that all non-essential ports are blocked.

If possible, set up a DMZ (Demilitarised Zone) so that only ports 80 and 443 can be accessed from the outside world.

This may not be possible if you do not have access to your server from an internal network, as you will need to open ports to allow files to be uploaded and to log in to your server remotely via SSH.

If you allow files to be uploaded from the Internet, use only secure transfer methods to your servers, such as SFTP (Secure File Transfer Protocol) or SSH (Secure Shell).

If possible, have your database run on a different server than your web server. This means that the database server is not directly accessible from the outside world, only your web server can access it, minimizing the risk of exposing your data.

Lastly, do not forget to restrict physical access to your server.

Use HTTPS

HTTPS (Hypertext Transfer Protocol Secure) is a protocol used to provide security over the Internet.

HTTPS guarantees that users are talking to the server they expect, and that nobody else can intercept or change the content they see in transit.

If you have anything your users might want to keep private, it is highly advisable to use only HTTPS to deliver it.

That naturally means credit card and login pages (and the URLs they submit to), but typically much more of your site as well.

A login form will often set a cookie, for example, which is sent with every other request a logged-in user makes to your site and is used to authenticate those requests.

An attacker who steals this cookie would be able to impersonate a user perfectly and hijack their login session.

To defeat these kinds of attacks, use HTTPS for your entire website.

This is no longer as difficult or expensive as it once was.

Let’s Encrypt provides completely free and automated certificates, which you need in order to enable HTTPS, and existing tools are available for a wide range of common platforms and frameworks to set this up automatically for you.

Google has announced that it will boost your search ranking if you use HTTPS, giving it an SEO benefit too. Insecure HTTP is on its way out, and now is the time to upgrade if your website isn’t already using HTTPS encryption.

HSTS stands for HTTP Strict Transport Security.

It is a method used by websites to declare that they should only be accessed using a secure connection (HTTPS). If a website declares an HSTS policy, the browser must refuse all HTTP connections and prevent users from accepting insecure SSL certificates. 

Web Security Tools

Once you think you have done everything you can, test the security of your site.

The most effective way to do this is penetration testing. To test your website, use tools such as the following:

  • Netsparker – a free edition and a trial version are available. Good for testing SQL injection and XSS.

  • Xenotix XSS Exploit Framework A tool from OWASP (Open Web Application Security Project) that includes a huge selection of XSS attack examples, which you can run to quickly confirm whether your site’s inputs are vulnerable in Chrome, Firefox and IE.

There are some further steps you can take to manually try to compromise your site by altering POST/GET values. A debugging proxy can assist you here, as it allows you to intercept the values of an HTTP request between your browser and the server. A popular freeware application called Fiddler is a good starting point.

Install a good firewall

Hackers do not attack websites by hand. A good hacker will create a bot that hunts for vulnerable sites and automates most of the process. Nowadays, bots are designed to carry out very specific actions.

At its core, a firewall is code that identifies malicious requests. Every request for information made to your site passes through the firewall first. If the firewall detects that the request is malicious, or that it comes from an IP address known to be malicious, the request is blocked instead of being processed.

Avoid changing the firewall configuration

Some web application firewalls will let you adjust their settings. However, we do not recommend doing so unless you are a bona fide website security professional. The firewall rules are created after significant security research and a great deal of first-hand malware removal.

For example, most WordPress security plugins have rules in place that prevent anyone without administrator access from accessing the wp-config.php file. The wp-config.php file is a WordPress core file that contains a lot of sensitive information. So the firewall checks every request to the site to see whether it contains the text “wp-config.php”. If this rule is triggered, the request is rejected by the firewall.

In addition, because hackers try to compromise as many websites as possible when a vulnerability is discovered, these attacks bring the hackers' IPs to light. WordPress firewalls monitor and proactively block malicious IPs based on these attacks.

Of course, no firewall is 100% effective. But it is better to have a firewall that stops most malicious traffic than to have no firewall at all. And not all firewalls are the same; some are much more effective than others.