Finally launching your own website live is a big step to reaching success both for businesses and private individuals. Your website is your brand’s identity on the web. You reach unprecedented number of people with your site more than traditional media can provide. As such it delivers a slew of benefits that only going online can give. Indeed your website is a precious asset that you’d want to maintain and improve.
Sure you don’t want to find your website altered or wiped out by villainous hackers. To prevent website hackers from getting a hand on your website, follow these 7 best practices in keeping your website secure.
Fortify Your Access Control
Strengthening your access control by employing encrypted passwords and uncrackable usernames is one of the most basic way to keep hackers away. But this is often the number one vulnerability found in the admin level. Good password hygiene should be a given in your quest to protect your website from hackers:
- Should be longer than 8 characters
- Include numerical values and capital letters
- Do not send password reset to email
- Do not reuse passwords
For extra protection, it’s best to encrypt your passwords when storing it. This is done by salting your passwords with hashing algorithm. Salted password hashing is your best protection when storing passwords as the hash algorithm turns any data, in this case your password, into a fixed-length code. Decrypting this code is near impossible. So in case a hacker got a hold on your user credentials you’d be sure that s/he will not find it useful.
Make Sure You’re Up-to-Date
Another oft-overlooked best practice in keeping high security is to update everything whenever available. Be quick to update your server OS and any third party plug-ins, platforms and scripts, more importantly when the system or software update is due to security vulnerability. If software companies released updates because they detected loopholes, it’s most likely that hackers are in the know and are already scanning thousands of websites to look for this vulnerability. But those who use managed hosting solution, many of these updates should be under the care of the hosting company.
Mind Your Network Security
Keep a close watch on the computers and devices connected to your network so you’d be sure that no malicious bots are slipping into your network that can hack through your website. Especially today with the advent of BYOD (bring your own device), you’ve got to be sure that all devices connected into your network are scanned for possible malware contamination.
One way to combat hacker intrusion is to keep a web application firewall (WAF) to filter every bit of data passing through your network. Your network operations center can set up WAFs to protect against spammers, malicious bots, malware etc., by filtering all incoming traffic.
Be Strict with File Uploads
Users may inadvertently upload files to your website that could script that may allow hackers to freely access your site’s data. For instance, image formats may contain a comment section with PHP code that your server can execute. Hence it is crucial to treat all user’s uploads with great care. Store them in a storage outside the root directory and avoid direct access to these files. If you need to access them, use a script to fetch them safely.
Use Content Security Policy (CSP)
An XSS (cross-site scripting) attack is one of the most common and dangerous problems among webmasters. XSS attacks turn your website as tentacles that hackers use to spread their reach among your website visitors. They do this by injecting a string of code through the contact form or the comment section. This code will then make its way to your website and turn it into a malware vector. The next thing you know, hackers are stealing sensitive information like log-in details and financial information from your users.
One way to combat this attack is by using Content Security Policy or CSP header which limits what Javascript the browser should consider to execute. This restriction will cripple the attacker’s script even when it’s already in your website.
Avoid SQL Injections
SQL injection is one of the oldest method of attack and thus your website should have been protected enough from it. Like XSS, SQL injection is a code injection technique that enables attackers to slip into your database to steal confidential and important data or information. SQL injection operates by inserting a code into your website e.i. through web forms in order to reach your SQL-based database and thereby compromise your authentication-authorization system. When this code gets into your database, the attacker can now extract your entire database.
Fighting this attack is pretty straightforward and simple. All you have to do is to use parameterized queries. SQL parameters for data access ensures that hackers won’t be able to execute their injected script.
Author Bio:
Darrell Smith is a data / cybersecurity news junkie. He spends most of his time surfing the web for the latest data and network operations center trends. He also shares his recent findings through his articles and other blog posts.