Security tips to protect your website from hackers



Nowadays it seems as if people are benefiting or getting paid somehow, given the rate at which websites are being hacked around the world. Recently the Harare Institute of Technology (HIT) made waves after their website was hacked.

I, for one, am also a victim of website hacking: my website The ZimTainment was hacked twice, and the first time I lost many posts since I had not made a backup. The second time, the server was tampered with, and if I could only know (lol) what these hackers want I would have provided it (lol).

You may not think your site has anything worth being hacked for, but websites are compromised all the time. The majority of website security breaches are not attempts to steal your data or deface your website, but attempts to use your server as an email relay for spam, or to set up a temporary web server, normally to serve files of an illegal nature. Other very common ways to abuse compromised machines include using your servers as part of a botnet, or to mine for Bitcoin. You could even be hit by ransomware.

Apparently I have done some research on how to protect your website from hackers. There are many ways to protect your website, but I had to water down most of them and was left with 9 security tips on how to protect your website.

01. Keep software up to date

It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website such as a CMS or forum. When website security holes are found in software, hackers are quick to attempt to abuse them.

If you are using a managed hosting solution then you don’t need to worry so much about applying security updates for the operating system as the hosting company should take care of this.

If you are using third-party software on your website such as a CMS or forum, you should ensure you are quick to apply any security patches. Most vendors have a mailing list or RSS feed detailing any website security issues. WordPress, Umbraco and many other CMSes notify you of available system updates when you log in.

Many developers use tools like Composer, npm, or RubyGems to manage their software dependencies, and a security vulnerability appearing in a package you depend on but aren't paying any attention to is one of the easiest ways to get caught out. Ensure you keep your dependencies up to date, and use tools like Gemnasium to get automatic notifications when a vulnerability is announced in one of your components.

02. SQL injection

SQL injection attacks are when an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you use standard Transact-SQL it is easy to unknowingly insert rogue code into your query that could be used to change tables, get information and delete data. You can easily prevent this by always using parameterised queries; most web languages have this feature and it is easy to implement.

03. XSS

Cross-site scripting (XSS) attacks inject malicious JavaScript into your pages, which then runs in the browsers of your users, and can change page content, or steal information to send back to the attacker. For example, if you show comments on a page without validation, then an attacker might submit comments containing script tags and JavaScript, which could run in every other user's browser and steal their login cookie, allowing the attacker to take control of the account of every user who viewed the comment. You need to ensure that users cannot inject active JavaScript content into your pages.

This is a particular concern in modern web applications, where pages are now built primarily from user content, and which in many cases generate HTML that’s then also interpreted by front-end frameworks like Angular and Ember. These frameworks provide many XSS protections, but mixing server and client rendering creates new and more complicated attack avenues too: not only is injecting JavaScript into the HTML effective, but you can also inject content that will run code by inserting Angular directives, or using Ember helpers.

The key here is to focus on how your user-generated content could escape the bounds you expect and be interpreted by the browser as something other than what you intended. This is similar to defending against SQL injection. When dynamically generating HTML, use functions which explicitly make the changes you're looking for (e.g. use element.setAttribute and element.textContent, which will be automatically escaped by the browser, rather than setting element.innerHTML by hand), or use functions in your templating tool that automatically do appropriate escaping, rather than concatenating strings or setting raw HTML content.

Another powerful tool in the XSS defender’s toolbox is Content Security Policy (CSP). CSP is a header your server can return which tells the browser to limit how and what JavaScript is executed in the page, for example to disallow running of any scripts not hosted on your domain, disallow inline JavaScript, or disable eval(). Mozilla have an excellent guide with some example configurations. This makes it harder for an attacker’s scripts to work, even if they can get them into your page.
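As an added example (not part of the original article), the server-side half of this advice in Python: rendering a list of constructed comments by raw concatenation versus with html.escape, plus a sample Content-Security-Policy header value of the kind described above (the policy values are an assumption for illustration).

```python
import html

# Constructed sample comments, as they might arrive from a comment form.
COMMENTS = [
    "Nice write-up, thanks!",
    "<script>alert('xss')</script>",
    "Use <b>parameterised</b> queries & escape output",
]


def render_comments_unsafe(comments):
    # String concatenation: a comment containing tags becomes live markup
    # in every reader's browser.
    return "<ul>" + "".join("<li>" + c + "</li>" for c in comments) + "</ul>"


def render_comments_safe(comments):
    # html.escape replaces <, >, &, " and ' with entities, so the browser
    # displays the comment text instead of interpreting it as HTML.
    return "<ul>" + "".join("<li>" + html.escape(c, quote=True) + "</li>"
                            for c in comments) + "</ul>"


def script_tag_present(rendered):
    # True if a raw <script> tag survived into the page source.
    return "<script" in rendered.lower()


def csp_header():
    # Content-Security-Policy to send with every response: scripts only from
    # our own origin. Because 'unsafe-inline' and 'unsafe-eval' are absent,
    # inline script and eval() are refused even if a tag slips through.
    return ("default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'")


if __name__ == "__main__":
    print(render_comments_unsafe(COMMENTS))
    print(render_comments_safe(COMMENTS))
    print("Content-Security-Policy:", csp_header())
```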

04. Error messages

Be careful with how much information you give away in your error messages. Provide only minimal errors to your users, to ensure they don’t leak secrets present on your server (e.g. API keys or database passwords). Don’t provide full exception details either, as these can make complex attacks like SQL injection far easier. Keep detailed errors in your server logs, and show users only the information they need.

05. Server side validation/form validation

Validation should always be done both on the browser and the server side. The browser can catch simple failures like mandatory fields that are empty, or text entered into a numbers-only field. These checks can however be bypassed, so you should make sure you repeat them, and perform deeper validation, on the server side; failing to do so could lead to malicious code or scripting code being inserted into the database, or could cause undesirable results on your website.

06. Passwords

Everyone knows they should use complex passwords, but that doesn't mean they always do. It is crucial to use strong passwords for your server and website admin area, but it is equally important to insist on good password practices for your users to protect the security of their accounts.

As much as users may not like it, enforcing password requirements such as a minimum of around eight characters, including an uppercase letter and number will help to protect their information in the long run.

Passwords should never be stored in plain text; store them as the output of a one-way hashing algorithm such as SHA. Using this method means that when you are authenticating users you are only ever comparing hashed values. For extra website security it is a good idea to salt the passwords, using a new salt per password.

In the event of someone hacking in and stealing your passwords, using hashed passwords helps limit the damage, as they cannot be reversed. The best someone can do is a dictionary attack or brute force attack, essentially guessing every combination until it finds a match. When using salted passwords the process of cracking a large number of passwords is even slower, as every guess has to be hashed separately for every salt + password, which is computationally very expensive.
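The policy and storage advice above, as an added Python example (not code from the original article): a check for the suggested minimum password rules, and salted one-way hashing with a fresh random salt per password using PBKDF2-HMAC-SHA256 from the standard library, with the stored record format and iteration count chosen here as assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster


def meets_policy(password):
    # The minimum the article suggests: about eight characters, with at least
    # one uppercase letter and one digit.
    return (len(password) >= 8 and any(ch.isupper() for ch in password)
            and any(ch.isdigit() for ch in password))


def hash_password(password, salt=None):
    # A fresh random 16-byte salt per password: two users with the same
    # password get different stored values, and anyone holding the database
    # must hash every guess once per salt. PBKDF2-HMAC-SHA256 is a salted,
    # iterated SHA hash, so it is one-way as the article requires.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    # Store algorithm, iteration count, salt and digest together so the
    # parameters can be raised later without breaking older records.
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    # Authenticating means recomputing the hash with the stored salt and
    # comparing hashes; the plaintext is never stored and cannot be recovered.
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("Correct1Horse")
    print(record)
    print(verify_password("Correct1Horse", record),   # True
          verify_password("correct1horse", record))   # False
```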

Thankfully, many CMSes provide user management out of the box with a lot of these website security features built in, although some configuration or extra modules might be required to use salted passwords (pre Drupal 7) or to set the minimum password strength. If you are using .NET then it’s worth using membership providers as they are very configurable, provide inbuilt website security and include readymade controls for login and password reset.

07. File uploads

Allowing users to upload files to your website can be a big website security risk, even if it's simply to change their avatar. The risk is that any uploaded file, however innocent it may look, could contain a script that, when executed on your server, completely opens up your website.

If you have a file upload form then you need to treat all files with great suspicion. If you are allowing users to upload images, you cannot rely on the file extension or the MIME type to verify that the file is an image, as these can easily be faked. Even opening the file and reading the header, or using functions to check the image size, are not foolproof. Most image formats allow storing a comment section which could contain PHP code that could be executed by the server.

So what can you do to prevent this? Ultimately you want to stop users from being able to execute any file they upload. By default web servers won’t attempt to execute files with image extensions, but it isn’t recommended to rely solely on checking the file extension as a file with the name image.jpg.php has been known to get through.

Some options are to rename the file on upload to ensure the correct file extension, or to change the file permissions, for example chmod 0666, so it can't be executed. If using *nix you could create a .htaccess file (see below) that will only allow access to a fixed set of file types, preventing the double extension attack mentioned earlier.

Ultimately, the recommended solution is to prevent direct access to uploaded files altogether. This way, any files uploaded to your website are stored in a folder outside of the webroot or in the database as a blob. If your files are not directly accessible you will need to create a script to fetch the files from the private folder (or an HTTP handler in .NET) and deliver them to the browser. Image tags support an src attribute that is not a direct URL to an image, so your src attribute can point to your file delivery script, providing you set the correct content type in the HTTP header.
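An added example (not from the original article) that puts the upload advice together in Python: the file's own header bytes decide whether it is accepted, the client's filename is discarded in favour of a server-generated name with a single forced extension, the file is written non-executable into a directory outside the webroot, and a small delivery function serves only names this code generated with the matching Content-Type. The accepted image types and name format are assumptions for illustration.

```python
import os
import re
import secrets
import tempfile

# Magic bytes of the image types we accept. The extension and the MIME type
# the browser sends are both chosen by the uploader, so we ignore them.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
CONTENT_TYPES = {"jpg": "image/jpeg", "png": "image/png", "gif": "image/gif"}
# Only names this code generated are ever served: 32 hex chars + known ext.
SAFE_NAME = re.compile(r"^[0-9a-f]{32}\.(jpg|png|gif)$")


def detect_image_type(data):
    for ext, magics in SIGNATURES.items():
        if data.startswith(magics):
            return ext
    return None


def store_upload(data, upload_dir):
    # Validate the content, then write it under a server-chosen name in a
    # directory outside the webroot. Returns the new name, or None if rejected.
    kind = detect_image_type(data)
    if kind is None:
        return None
    new_name = secrets.token_hex(16) + "." + kind  # exactly one extension
    path = os.path.join(upload_dir, new_name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o644)  # readable, never executable
    return new_name


def serve_upload(name, upload_dir):
    # The delivery script the article describes: look up a stored name and
    # return (content type, bytes) for the response, or None if unknown.
    if not SAFE_NAME.match(name):
        return None  # rejects ../ traversal and anything we did not create
    path = os.path.join(upload_dir, name)
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return CONTENT_TYPES[name.rsplit(".", 1)[1]], fh.read()


def run_demo():
    # Constructed samples: a minimal PNG header, and a non-image file that the
    # client labelled image.jpg.php; the label plays no part in the decision.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    not_an_image = b"<?php echo 'not an image'; ?>"
    with tempfile.TemporaryDirectory() as d:
        name = store_upload(png, d)
        return {"stored_name": name,
                "rejected": store_upload(not_an_image, d) is None,
                "served": serve_upload(name, d),
                "traversal_blocked": serve_upload("../secret.txt", d) is None}
```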

Most hosting providers deal with the server configuration for you, but if you are hosting your website on your own server then there are few things you will want to check.

Ensure you have a firewall set up, and are blocking all non-essential ports. If possible, set up a DMZ (Demilitarised Zone), only allowing access to ports 80 and 443 from the outside world. This might not be possible, though, if you don't have access to your server from an internal network, as you would need to open up ports to allow uploading files and to remotely log in to your server over SSH or RDP.

If you are allowing files to be uploaded from the Internet, only use secure transport methods to your server such as SFTP or SSH.

If possible have your database running on a different server to that of your web server. Doing this means the database server cannot be accessed directly from the outside world, only your web server can access it, minimising the risk of your data being exposed.

Finally, don’t forget about restricting physical access to your server.

08. HTTPS

HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees to users that they’re talking to the server they expect, and that nobody else can intercept or change the content they’re seeing in transit.

If you have anything that your users might want private, it's highly advisable to use only HTTPS to deliver it. That of course means credit card and login pages (and the URLs they submit to), but typically far more of your site too. A login form will often set a cookie, for example, which is sent with every other request to your site that a logged-in user makes, and is used to authenticate those requests. An attacker stealing this would be able to perfectly imitate a user and take over their login session. To defeat these kinds of attacks, you almost always want to use HTTPS for your entire site.

That’s no longer as tricky or expensive as it once was though. Let’s Encrypt provides totally free and automated certificates, which you’ll need to enable HTTPS, and there are existing community tools available for a wide range of common platforms and frameworks to automatically set this up for you.

Notably Google have announced that they will boost you up in the search rankings if you use HTTPS, giving this an SEO benefit too. There’s a stick to go with that carrot though: Chrome and other browsers are planning to put bigger and bigger warnings on every site that doesn’t do this, starting from January 2017. Insecure HTTP is on its way out, and now’s the time to upgrade.

Already using HTTPS everywhere? Go further and look at setting up HTTP Strict Transport Security (HSTS), an easy header you can add to your server responses to disallow insecure HTTP for your entire domain.

09. Website security tools

Once you think you have done all you can then it’s time to test your website security. The most effective way of doing this is via the use of some website security tools, often referred to as penetration testing or pen testing for short.

There are many commercial and free products to assist you with this. They work on a similar basis to the scripts hackers will use, in that they test all known exploits and attempt to compromise your site using some of the previously mentioned methods such as SQL injection.
