6 Essential Security Tips For Website Protection

Even though you may think your website is important enough to be hacked, there are many reasons why hackers might feel enticed to do so. They might send spam e-mail from your server or utilize it as botnet, upload illegal content etc.

Special thanks to COING software development with helping us to outline these ways to protect your website.

  • Regularly update your software

Regular updates are regarded as a nuisance, but they shouldn’t as they are the easiest way to keep your website secure. Hackers will find a way to use security holes, especially if you’re using a CMS or a forum.

For these two types of third-party software, be sure to apply security patches, and open every e-mail they send you as it will notify you of system updates and outline any security issues.

When it comes to a managed hosting solution, the company hosting your website is usually in charge of security.

  1.  Protect from cross-site scripting – XSS

Injecting malicious JavaScript – (called cross-site scripting), can alter the content of your pages. This can be enabled by a simple oversight – publishing comments on an article without approving them first. If you’re a newspaper, harmful JavaScript could influence each and every one of your users by using their login cookie and taking control of their account. With today’s modern applications that render content as html, this is a legitimate concern. The best way to avoid this is to predict how your content can escape expected bounds and be presented differently. Developers advise using element.setAttribute together with element.textContent instead of element.innerHTML. The other way is to have your escaping handled automatically by templated tools, as an alternative to setting raw HTML content.

Mozilla has tackled this threat and provided a useful guide with templated configurations that you can utilise, which makes the JavaScript harder to perform, even if it is inserted into the page.

  1. Keep your error messages simple

Many error messages give out too much information, making your website vulnerable to attacks. API keys, full exception details or database passwords are often presented on a silver platter. Users don’t need to see that information, so guard detailed errors in your server logs and show only necessary information.

  1. Optimise your server side validation or form validation

Validation should be conducted on the server and browser side, without exception. Your browser is able to recognise simple errors such as empty mandatory fields or text in a number’s only field. Hackers can work around them so you need to back them up by server side validation. If you don’t, malicious code can find its way to your database and make it vulnerable.

  1. Encourage strong passwords

Although website owners encourage their users to use strong passwords of at least 8 characters containing uppercase and lowercase letters, numbers and special symbols, they find it boring and avoid doing so. However, you as an administrator must follow these rules, and even think about enforcing them on your users to help protect your website in the future.

Always store your passwords as encrypted values, the easiest way being the use of a one way hashing algorithm like SHA. This way, while authenticating users you are comparing encrypted values as well. If your website does get hacked and your passwords end up stolen, SHA can help damage limitation because it prevents the passwords from being decrypted. Hackers then find themselves literally trying to guess them which is unproductive.

Salting the passwords by using a new salt for each character string is a great way to keep your website even safer. This way, the process of decrypting numerous passwords is even harder as each salt needs to be hashed separately, and, at the end of the day, it’s just not worth it.

If you find yourself thinking how you can apply these suggestions, know that and CMSs already have these safety features built in, usually only requiring you to set your password strength to minimum.

  1. Invest in HTTPS

This security protocol is a guarantee to your visitors that they’re interacting to the right server and that the content they’re seeing can not be intercepted or altered in transit. If you have pages that need to be private (such as urls that submit credit card details and log in information), our advice is to use HTTPS for delivery.

To give an example, a log in form will often send various requests, including a cookie that is used to authenticate the request. A hacker could imitate a user and take over their login session. HTTPS can prevent this from happening. Today, when HTTPS is a valuable ranking asset, as stated by Google, it’s a must to install, and it’s not that expensive either. For free and automated scripts go to this link, and make sure you evaluate existing community tools that will automatically set this up for you.

Big browsers, led by Google Chrome are announcing that they are going to display a big “not safe” warning on websites that don’t have this certificate.

Already using HTTPS protocol on your website? Why not take it to the next level and add a simple header that can disallow insecure HTTP protocol for your domain. This header is called HTTP Strict Transport Security, or HSTS.

Understand that your website is at risk, but you don’t be frightened. A number of CMSs currently in use have already built in these safety features, and knowing this information only makes you more aware of potential threats. As you can see, they can be easily avoided.


No Comments