The well-known saying “for want of a nail” also applies to website security. After all, when it comes to protecting your website, small things can often make a huge difference. With the recent spike in cyber-attacks, all website owners should take these into consideration, as even the smallest of sites can become a target - hijacked, defaced or injected with malware during the next mass-scale campaign.
With this in mind, here is a list of things that will help you keep your website safe from hackers.
1. Using Strong Passwords
A couple of years ago, researchers from the University of Cambridge found that weak implementation of password-based authentication and poor password practices are the main reasons why websites get attacked. It is indeed amazing that people use passwords which are easy to guess. Examples of such passwords are:
- Using numbers in serial order
- Keeping the name of the individual as the password
- Obvious passwords such as “bankaccount” for an online banking account
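A password policy check implementing the three weak patterns listed above, as an added example in Python (not code from the original post); the 12-character minimum and the deny-list of obvious words are assumed values:

```python
import re

# Constructed deny-list of "obvious" words for the service being protected; a real
# deployment would use a much larger list (assumed, not from the original post).
OBVIOUS_WORDS = {"password", "bankaccount", "letmein", "admin"}
MIN_LENGTH = 12  # assumed policy value

def is_serial_digits(s):
    """True for all-digit runs like 123456 or 987654 (every step is +1 or -1)."""
    if not s.isdigit() or len(s) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}

def password_problems(password, username="", full_name=""):
    """Return the list of reasons a candidate password is weak; empty means acceptable."""
    problems = []
    pw = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if is_serial_digits(password):
        problems.append("numbers in serial order")
    # Any piece of the user name or real name (3+ characters) appearing in the password.
    parts = {p.lower() for p in re.split(r"\W+", username + " " + full_name) if len(p) >= 3}
    if any(part in pw for part in parts):
        problems.append("contains the account holder's name")
    # Strip digits and punctuation so "BankAccount1!" still matches "bankaccount".
    if re.sub(r"[^a-z]", "", pw) in OBVIOUS_WORDS:
        problems.append("obvious word for this service")
    return problems
```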
2. Using SSL is a Good Idea
SSL or Secure Sockets Layer is a security protocol that goes a long way in helping a website handle private information. SSL is based on a cryptographic system that uses a private key and a public key.
SSL is probably the best way in which a client and a server can create a secure connection between themselves. This secure connection enables data to be transmitted safely. Another protocol that is in wide use is known as Secure HTTP or S-HTTP. Depending on the scale of your operations, you should consider going in for a paid security certificate.
3. Using a Web Application Firewall
One of the most effective ways in which you can secure your website is to go in for an industry-leading solution as far as WAFs or Web Application Firewalls are concerned. One of the ways in which hackers target websites is with the use of malicious bots - automated visitors that can crawl through thousands of sites at a time, detecting and exploiting existing vulnerabilities.
With an effective web application firewall, your website will be able to protect itself from these malicious bots while also securing itself against targeted code-based attacks (SQLi, XSS, etc.). Probably the best name in this space is Incapsula, a website security firm that provides this technology at affordable mid-market prices.
What makes Incapsula's solution stand out (besides its pricing) is the fact that it brings together a CDN and a WAF. This makes it possible for a website to enjoy even more robust, PCI-certified security from hackers and spammers, while also benefiting from CDN-related improvements to the site's load speed. Because it's all cloud-based, activating this Web Application Firewall is rather easy, requiring no prior knowledge and only a few minutes of your time.
4. Using Secured FTP Access
FTP or File Transfer Protocol is a standard network protocol built on a client-server architecture. Such a protocol helps to transfer files between hosts in a secure manner. The use of FTP can go a long way in securing your website from hackers. Some of the ways in which you can deploy FTP include:
- Regulating access to your FTP directory
- Enabling disk quotas
- Auditing account logon events
5. Keeping Your Software Updated
One of the easiest and yet most often overlooked aspects of website security is keeping your software updated. This is critical for your security software as well as for your CMS (WordPress, Joomla, etc.) and your various plugins.
All operating systems and web applications have vulnerabilities. However, manufacturers constantly work to create software patches, and these are available only in new versions. Therefore, you must go in for updated software. You can choose to do it automatically or schedule updates for particular periods of time. Experts advise that your firewall, anti-spyware and antivirus software be set to update automatically.
6. Backup Your Data
Data security is a big deal for every business organization. Regardless of the method you use, backing up your data is an extremely critical aspect of your online presence. There are plenty of companies that offer up-to-date, cutting-edge technology for taking backups of your data. You can always go in for a combination of computer-based and online backups of your data. Given the rise of technologies such as cloud computing, synchronizing your important files and storing them in the cloud is easily done.
7. Input Sanitization To Keep Your Website Safe
Hackers often exploit code-based vulnerabilities in order to gain access to websites. Perhaps one of the biggest such vulnerabilities is inadequate input sanitization. But when you have robust input validation or sanitization processes in place, you can prevent code injections such as XSS (Cross-Site Scripting), RFI (Remote File Inclusion), the very common SQL injection and more.
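Two of the injection classes named above, SQL injection and XSS, shown as an added Python example (not code from the original post): a query built by string concatenation beside its parameterized form, and HTML escaping of untrusted text before it is rendered. The in-memory sqlite3 table and its single row are constructed for the example.

```python
import html
import sqlite3

# Constructed in-memory database with one user row so the example runs offline.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.com')")

def find_user_vulnerable(name):
    """Unsafe: the user-supplied value becomes part of the SQL statement itself."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(name):
    """Safe: a parameterised query; the driver passes the value as data, never as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def render_greeting(name):
    """Escape untrusted text before placing it in HTML so it cannot become markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"
```

The same value that returns every row from the concatenated query matches nothing when passed as a parameter, which is the whole point of parameterization.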
8. It is Necessary To Restrict File Uploads
Some websites need to allow file uploads by users. However, this feature can be exploited by hackers. Therefore, in order to prevent your website from falling prey to hackers, it is extremely necessary for you to restrict file uploads. Some of the ways in which you can implement secure file uploading processes are:
- Setting a maximum limit on file size and number of files
- Exercising strict control over permissions, especially the execute permissions on your web server
- Storing uploaded files in a directory outside of your document root.
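An upload handler that enforces the three restrictions just listed (size and count limits, no execute permission, storage outside the document root), as an added Python example that is not code from the original post. The limits, the extension allow-list and the storage directory are assumed values; a temporary directory stands in for the real out-of-docroot location.

```python
import os
import secrets
import tempfile

# Assumed policy values; the post gives no specific numbers.
MAX_FILE_BYTES = 2 * 1024 * 1024        # per-file size limit
MAX_FILES_PER_USER = 20                 # per-user file count limit
ALLOWED_EXT = {".png", ".jpg", ".pdf"}  # allow-list of extensions, not a deny-list

# Upload store outside the web server's document root (a temp dir here so the
# example runs anywhere; in production use a path the web server does not serve).
UPLOAD_ROOT = tempfile.mkdtemp(prefix="uploads-")

def save_upload(user_id, client_filename, data):
    """Store one upload for user_id; raise ValueError if any restriction fails."""
    if len(data) > MAX_FILE_BYTES:
        raise ValueError("file too large")
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("file type not allowed")
    user_dir = os.path.join(UPLOAD_ROOT, str(int(user_id)))
    os.makedirs(user_dir, mode=0o700, exist_ok=True)
    if len(os.listdir(user_dir)) >= MAX_FILES_PER_USER:
        raise ValueError("too many files for this user")
    # The server picks the stored name; the client's name never touches the
    # filesystem, so path separators or double extensions in it have no effect.
    stored = os.path.join(user_dir, secrets.token_hex(16) + ext)
    # O_EXCL refuses to overwrite an existing file; mode 0o600 gives the owner
    # read/write only, so the execute bit is never set on uploaded content.
    fd = os.open(stored, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stored
```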
9. Using Security Validation Processes
Even in physical establishments, validation processes by way of passcodes, biometric sensors or even passwords exchanged between individuals are simple yet strong ways to enhance security. Similarly, your website security can be greatly enhanced by going in for the right kind of security validation processes. It is also vital that validation be done on both the server's and the browser's side.
10. Paying Attention To Error Messages
Hackers will use every possible aspect of a website in order to gain ingress. Error messages are capable of giving a lot of information to a hacker. This may come as a surprise, but stating that the password is wrong gives a hacker the clue that the user name is correct, and now he simply has to check possible combinations and hit upon the right password. Therefore, keeping your error messages generic is a very good idea. Something like “invalid credentials” is a far better idea than telling a hacker that either the password or the user name is invalid.
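The leaky login flow described above beside a version that returns the post's generic “invalid credentials” message, as an added Python example (not code from the original post). The hardened version also verifies a dummy record when the user name is unknown, so the unknown-user and wrong-password paths do the same work; the user store and credentials are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

GENERIC_ERROR = "invalid credentials"   # the message the post recommends

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store (username -> (salt, hash)); stands in for a database.
_salt = os.urandom(16)
USERS = {"alice": (_salt, hash_password("correct horse battery", _salt))}
# Dummy record verified when the user name is unknown, so that path costs the
# same time as a real lookup and no early return reveals which half failed.
_dummy_salt = os.urandom(16)
DUMMY = (_dummy_salt, hash_password(secrets.token_hex(16), _dummy_salt))

def login_verbose(username, password):
    """Leaky version: the message itself reveals whether the user name exists."""
    if username not in USERS:
        return (False, "unknown user name")
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return (False, "wrong password")
    return (True, "ok")

def login_generic(username, password):
    """Hardened version: one message and the same work whether or not the user exists."""
    salt, stored = USERS.get(username, DUMMY)
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    if matched and username in USERS:
        return (True, "ok")
    return (False, GENERIC_ERROR)
```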