[BreachExchange] Halt the Hackers: How to Make a Website Secure
Destry Winant
destry at riskbasedsecurity.com
Sun Aug 5 23:01:24 EDT 2018
https://www.crazyleafdesign.com/blog/how-to-make-a-website-secure/
You might think hackers aren’t interested in your site, but you’d be
wrong. Last year, hackers infected 83% of all WordPress sites. They’ll
hack anything and everything.
Why? They go after smaller sites so they can use the servers. They’ll
use them to send spam email, launch attacks on other sites, or even
mine Bitcoins.
They also know that small websites are easier to hack. But it doesn’t
have to be that way. By taking a few simple measures, you can secure
your website against hackers.
In this article, we’ll teach you the basics of how to make a website secure.
Make Sure Your Site Uses HTTPS
HTTP stands for hypertext transfer protocol. Think of it as the
language of the world wide web. When you visit a website, your browser
connects to that website’s server using HTTP.
But HTTP by itself isn’t secure. Someone could intercept the signal
and steal your info. Or they could talk to your target server and
pretend to be you.
HTTPS, or Hypertext Transfer Protocol Secure, solves these issues.
With an HTTPS connection, all of the messages are encrypted. There’s
no way for a hacker to insert themselves in between the browser and
the server.
And HTTPS is about more than security. Google now marks all non-HTTPS
sites as “non-secure” and punishes them in their rankings. So, if you
want to attract new visitors, switch to HTTPS.
Update Your Software
This is another easy measure you can take to make your website more secure.
Hackers are always looking for weaknesses in software platforms. And
developers are always working to update their software to fix the
weaknesses hackers find.
Having out-of-date software on your website is like having an old,
creaky back door. With a little bit of effort, a hacker will probably
be able to break in.
So, update your software whenever you get the chance. And that goes
for all your software. Pay attention to small things like WordPress
plugins and web apps as well.
Be Careful With Uploaded Files
Does your site let users upload profile photos? This seemingly
harmless feature can spell big trouble if you’re not careful.
Hackers can use file uploads to put malicious files on your server.
You can still allow users to upload photos, but there are a few things
you should do to make it a safe process.
By default, your web server won’t execute image files. But a hacker
could upload an executable file and trick the server into executing
it. For example, they could upload something called virus.jpg.exe and
it would look like a jpeg file, but the server would see the .exe and
execute it.
One way to defend against this is to simply rename every uploaded
file yourself, giving it an image extension. If you force every file
to be in image format, the server won't execute them.
To be extra safe, keep all uploaded files in a directory separate from
your webroot. By keeping everything partitioned, you'll prevent any
potential malware from damaging your site.
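The upload handling described above, as an added example that is not part of the original article: the server ignores the client-supplied file name entirely, decides the type from the file's own leading bytes, gives the file a fresh random name with a matching image extension, and writes it to a directory that is assumed to sit outside the web root. The size limit, the directory name and the sample bytes are constructed for illustration.

```python
import os
import secrets

# Leading bytes that identify each image format we accept.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_BYTES = 5 * 1024 * 1024  # assumption: a 5 MB upload limit


def detect_image_type(data):
    """Return 'jpg', 'png' or 'gif' based on the content, or None if it is none of them."""
    for signature, ext in SIGNATURES.items():
        if data.startswith(signature):
            return ext
    return None


def safe_upload_name(data):
    """Return a fresh server-chosen name for accepted content, or None to reject it.

    The name the client sent (e.g. "virus.jpg.exe") is never consulted, so a
    misleading extension cannot influence what the server stores.
    """
    if len(data) > MAX_BYTES:
        return None
    ext = detect_image_type(data)
    if ext is None:
        return None
    return f"{secrets.token_hex(16)}.{ext}"


def store_upload(data, upload_dir):
    """Write accepted content into upload_dir and return its path.

    upload_dir is assumed to be outside the web root (for example /var/uploads
    rather than /var/www/html), so nothing in it is ever served as code.
    """
    name = safe_upload_name(data)
    if name is None:
        raise ValueError("rejected: not a supported image type or too large")
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    # Constructed sample inputs: a minimal JPEG prefix and a non-image payload.
    print(safe_upload_name(b"\xff\xd8\xff\xe0" + b"\x00" * 16))  # random name ending in .jpg
    print(safe_upload_name(b"MZ\x90\x00" + b"\x00" * 16))        # None: rejected
```

Serving the stored files through a separate static handler (or a dedicated image host) keeps the partition the article recommends: the application reads them back by their random name, and the web server never treats the upload directory as a place to execute anything.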
Defend Against SQL Injection Attacks
SQL injection attacks are old-school and they won’t work on most newer
sites. But when they do work they can be devastating.
What is a SQL injection attack?
A SQL injection originates in a user input field. In many cases, the
back end of your website will create SQL commands using information
from user input fields. SQL commands manipulate a database by either
adding information, changing information, or retrieving information.
So, if the hacker guesses what the SQL command looks like, they can
alter it by entering SQL syntax into the input field. And if they
enter the right SQL syntax, they can access and manipulate your
database.
It’s an advanced concept, but it’s important that you understand it if
you want to keep your data safe.
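The mechanism described above, as an added example that is not part of the original article: the first lookup pastes the input field straight into the SQL command, so SQL syntax typed into the field becomes part of the command; the second keeps the command fixed and hands the input to the database driver as a value. The in-memory SQLite table and its two users are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users, used only for this demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.com')")
    conn.execute("INSERT INTO users VALUES ('bob', 'bob@example.com')")
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Builds the SQL command by string concatenation: the input is treated as syntax."""
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    """Uses a parameterised query: the input is bound as a value, never parsed as SQL."""
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    conn = make_db()
    # Ordinary input behaves the same either way.
    print(lookup_unsafe(conn, "alice"), lookup_safe(conn, "alice"))
    # Input that contains SQL syntax changes the concatenated command's meaning,
    # but is just an unknown username to the parameterised one.
    crafted = "' OR '1'='1"
    print(lookup_unsafe(conn, crafted))  # every email in the table
    print(lookup_safe(conn, crafted))    # []
```

Every mainstream database library offers the same placeholder mechanism (`?` or `%s` depending on the driver), and frameworks such as WordPress expose it too (`$wpdb->prepare`); using it for every query that touches user input is the whole defence, with no need to guess which characters to filter.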
Defend Against XSS Injections
XSS injections are similar to SQL injections, but instead of SQL, XSS
injection attacks use JavaScript.
The attack usually originates in a user comment. A hacker will add a
comment to your site which contains malicious JavaScript. The
JavaScript will then run on your users' browsers, possibly
compromising their security.
Much like SQL injections, XSS injections are an advanced concept,
especially if you’re new to coding. Mozilla has put together a good
guide on how to deal with XSS that will help you get started.
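The comment scenario above, as an added example that is not part of the original article: the unsafe renderer drops the comment text into the page as-is, so a `<script>` element in a comment becomes a live element in every reader's browser; the safe renderer HTML-escapes the text so the browser shows the characters instead of executing them. The sample comments are constructed.

```python
import html

# Constructed sample comments, including one that carries markup.
COMMENTS = [
    "Great post, thanks!",
    "<script>alert(1)</script>",
    'Check <a href="https://example.com">this</a> out & reply',
]


def render_comment_unsafe(text):
    """Inserts the comment verbatim: any markup in it becomes part of the page."""
    return '<p class="comment">' + text + "</p>"


def render_comment_safe(text):
    """Escapes <, >, &, and quotes so the browser renders the comment as text."""
    return '<p class="comment">' + html.escape(text, quote=True) + "</p>"


def render_page(comments):
    """Render a whole comment list with the safe renderer."""
    return "\n".join(render_comment_safe(c) for c in comments)


def contains_live_markup(rendered):
    """Cheap check used here to show the difference: does the output still carry tags?"""
    lowered = rendered.lower()
    return "<script" in lowered or "<a " in lowered


if __name__ == "__main__":
    for c in COMMENTS:
        print(render_comment_unsafe(c))
        print(render_comment_safe(c))
```

Escaping at output time, in the template layer, is what a modern web framework does for you by default; the rule is that anything a user typed is text, not markup, wherever it lands in the page.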
Password Security
You’ve probably signed up for websites that have a list of annoying
password requirements. It may be frustrating, but it serves an
important purpose. If hackers access your users’ accounts, you’re
responsible.
First, make sure they choose secure passwords. That means long
passwords with a variety of character types.
Then, hash them before you store them in your database. You won’t
actually know what your users’ passwords are. (That’s why when you
forget your password to a website, you always have to make a new one.)
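The two steps above, as an added example that is not part of the original article: a strength check along the lines the article gives (long, several character types), then hashing with a per-user random salt and a slow key-derivation function before anything is stored. The iteration count is an assumption, chosen as a commonly recommended PBKDF2-SHA256 cost at the time of writing; tune it to your own hardware. The stored string format is also this example's own choice.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: a commonly recommended PBKDF2-SHA256 cost; tune to your hardware


def password_is_strong(password):
    """Long and drawn from at least three character classes, as the article recommends."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= 12 and sum(classes) >= 3


def hash_password(password):
    """Return a self-describing record; the plaintext is never stored anywhere."""
    salt = os.urandom(16)  # fresh random salt per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and cost, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample credentials.
    candidate = "correct-Horse-battery-9"
    print(password_is_strong(candidate))
    record = hash_password(candidate)
    print(record)
    print(verify_password(candidate, record), verify_password("wrong", record))
```

Because only the salted hash is kept, a "forgot my password" flow can only issue a reset, never reveal the old value, which is exactly the behaviour the article describes. A dedicated library (bcrypt, scrypt or Argon2 bindings) is the usual production choice; the structure is the same.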
Perform a Managed IT Services Checklist
If you have no idea where to start, make a managed IT services
checklist. This will show you areas where you may be vulnerable. And
it will help you determine if you need professional help. Read more
here.
How to Make a Website Secure
Those are the basics to website security. Now that you know how to
make a website secure, it’s time to apply your knowledge.
You’ll need to be diligent if you want to stay ahead of attackers. But
it’s worth it if you want your business or blog to survive.
If you found this article helpful, head to our web design blog for
more info about how to improve your website.