While it may seem that your site is not worth hacking because it holds nothing of great value, the reality is that any site, however innocuous, gives attackers resources they can turn to other purposes. Defacing your layout is rarely the goal; there is a lot more that can be done with your servers. A compromised server can relay email spam, be used to stand up temporary web servers, mine cryptocurrency, or serve as one node in a larger botnet. Then there is ransomware. The bottom line: protecting your site from hackers is non-negotiable.
Now that you have been thoroughly scared about the threats hackers pose, it is time to learn how to protect your site. There are several small fixes you can make; a quick and easy one is using SSL, for example. You can check out free SSL certificate reviews on makeawebsitehub or on any other reputable site. That is only one of the ways to make your site stronger, and the other measures described below help too. When you take care of your site's security, the automated scripts that hackers use lose their bite against the protection you have given your site and, by extension, its visitors.
Never Avoid Software Updates
Software updates are annoying because they keep you from doing the things you want to do, but the truth is that your website is only as secure as its last update. Any software running on your site, including forums and CMS systems, should be updated regularly. Make sure that your server's operating system software is fully up to date as well.
If you use a managed hosting service, you will not have to worry about most of these issues, because it is the host's job to keep the underlying platform updated. That said, when you run third-party software such as a CMS or a forum on top of it, your managed hosting service will not take care of updating that for you.
The good news is that many of these projects publish an RSS feed or a mailing list that announces security issues affecting their software. Most vendors provide these because keeping customers safe and secure is the best way to keep customers, and with the competition among CMS and forum vendors, maintaining site security through these channels is essential.
More good news is that package managers such as RubyGems, Composer, or npm help you keep track of what your site depends on, show which versions are out of date, and let you pull in the fixed release as soon as it ships.
Use Discretion in Your Error Messages
Your site will produce error messages for a variety of reasons, and hackers can glean a lot of information from them. First, keep the number of errors on your site low, because errors hurt usability, and a site that is hard to use sends the traffic you do want to other websites. Second, protect the areas that hold sensitive information on your servers: keeping your database details, passwords, and API keys secret is the best way to keep your site running correctly. As for the error messages themselves, keep them to a minimum. Hackers will probe your site with SQL injection and other techniques and read the responses for clues. The goal is that users get nothing more than the information they need, while the details of each error stay only in your server logs.
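As an added example (not code from the original article), here is how that rule looks in Python: a small WSGI middleware that logs the full traceback with a reference id on the server and returns only a generic message with that id to the visitor. The `failing_app` below is a constructed stand-in for application code whose exception text would otherwise leak internals.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")

# What the visitor sees: a generic message plus a reference id they can quote to support.
GENERIC_BODY = "Something went wrong. Reference: {ref}\n"


class SafeErrorMiddleware:
    """Wrap a WSGI app so an unhandled exception never reaches the client verbatim."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            ref = uuid.uuid4().hex[:12]  # correlation id to find the log entry later
            # Full traceback, request path and id go to the server log only.
            log.error("unhandled error ref=%s path=%s\n%s",
                      ref, environ.get("PATH_INFO"), traceback.format_exc())
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain; charset=utf-8")])
            return [GENERIC_BODY.format(ref=ref).encode()]


def failing_app(environ, start_response):
    """Constructed stand-in for app code whose exception text exposes internals."""
    raise RuntimeError("ProgrammingError: no column pw_hash in users (host db-internal.example)")


def call(app, path="/"):
    """Minimal WSGI driver for the example: returns (status, body_text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app({"PATH_INFO": path}, start_response))
    return captured["status"], body.decode()
```

Running `call(SafeErrorMiddleware(failing_app), "/account")` yields a 500 whose body names only the reference id; the column, table and host names appear in the log and nowhere else.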
Take Care of Passwords
Password security is discussed so often on the internet that readers' eyes naturally glaze over. That said, cracking passwords is fairly easy for a decent hacker. Make sure everyone who has access to your site has a good password, which means rejecting passwords that do not meet your requirements. Typical requirements include an eight-character minimum, at least one number, at least one upper-case and one lower-case letter, and at least one special character such as an exclamation point or an ampersand.
Password storage also matters. Make sure passwords are stored as hashed values rather than plain text, using a hashing algorithm such as SHA. Authentication then hashes the password the user submits and compares the result with the stored hash, so the original password never needs to be recovered.
If the passwords are somehow stolen, hashed passwords limit the damage because they cannot be decrypted: the attacker has to guess candidates and hash each one until a match turns up. Salting the passwords is a good idea, because a unique salt per password means every guess must be hashed separately for each account, which makes cracking a large set of passwords a slow process. Essentially, this makes your site more trouble than it is worth.
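Here is an added Python example (not from the original article) that puts the two preceding points together: a check for the password policy stated above, and salted, iterated hashing with verification. Rather than a single unsalted SHA digest, it uses PBKDF2-HMAC-SHA256 from the standard library, which is SHA-based but adds a per-user random salt and a work factor; the storage format and iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
import string

# Policy from the article: >= 8 chars, a digit, upper and lower case, and a special character.
SPECIALS = set(string.punctuation)


def password_meets_policy(pw: str) -> bool:
    return (len(pw) >= 8
            and any(c.isdigit() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c in SPECIALS for c in pw))


ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(pw: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salthex$digesthex' with a fresh 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    # hmac.compare_digest avoids leaking, via response timing, how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Because the salt is random, hashing the same password twice gives two different stored strings, which is exactly what stops an attacker from cracking every account with one pass over a guess list.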
Many CMSs such as WordPress have security features built in, but you may need extra modules for things like salting passwords. If you are using .NET, the membership providers are mostly configurable; they have site security built in, along with controls that make password reset and login much more convenient.
Do Not Allow File Uploads
If users can upload files, you are opening your site to massive risk no matter how much protection you have put in place everywhere else. The file itself may look perfectly innocent, and the uploader may not even know that a malicious script is embedded in it. Once you accept the file, that script can run on your server. It is that simple a way for a great many things to go wrong.
Even images are not foolproof, so do not assume that checking the MIME type or the file extension tells you what a file really is. Nothing is foolproof: even image files contain comment fields that can hold PHP code, which your server may end up executing, crippling your site.
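As an added example (not code from the original article) of handling uploads in the spirit of this section, in Python: the file type is decided from the file's own leading bytes rather than its extension or Content-Type, the client's filename is discarded in favour of a server-chosen random name, the file is written with owner-only permissions, and the destination directory is assumed to sit outside the document root and be served by a download handler rather than the interpreter. The upload directory path is a placeholder assumption, and the `<?php` scan is only a heuristic.

```python
import os
import secrets
from pathlib import Path

# Magic bytes for the image types accepted here. The browser-supplied extension and
# Content-Type are untrusted and are never consulted.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Assumed layout (placeholder path): uploads live outside the web root and are served
# by a handler, so a file that smuggles PHP in an image comment is never executed.
UPLOAD_DIR = "/srv/uploads"


def detect_type(data: bytes):
    """Return 'png', 'jpg' or 'gif' from the leading bytes, or None if not recognised."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def save_upload(data: bytes, upload_dir=UPLOAD_DIR) -> str:
    """Store an upload under a server-chosen name; returns that name or raises ValueError."""
    kind = detect_type(data)
    if kind is None:
        raise ValueError("not an accepted image type")
    if b"<?php" in data or b"<script" in data.lower():
        # Heuristic only: a valid image can still carry code in a comment block, which is
        # why the storage location and serving path, not this scan, are the real control.
        raise ValueError("executable markup found inside image")
    name = f"{secrets.token_hex(16)}.{kind}"  # client-supplied filename discarded entirely
    directory = Path(upload_dir)
    directory.mkdir(parents=True, exist_ok=True)
    # Owner read/write only; no execute bit is ever set on uploaded content.
    fd = os.open(directory / name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return name
```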