I Hate Hackers
Was your website hacked in between 2020 to 2022?
Well your not alone during the pandemic hackers sent out millions of virus injections across the internet. This affected 80% of the websites online. Most of the hacked data was unrecoverable and companies lost millions of dollars in revenue do to website downtime. But as you can image this hack had the most affect on small businesses that didn’t know how to protect their website.
Do you know how to protect your website from hackers?
01. Keep software and plug-ins up to date
It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website such as a CMS or forum. When website security holes are found in software, hackers are quick to attempt to abuse them.
02. Watch out for SQL injection
SQL injection attacks are when an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you use standard Transact SQL it is easy to unknowingly insert rogue code into your query that could be used to change tables, get information and delete data. You can easily prevent this by always using parameterised queries, most web languages have this feature and it is easy to implement. Hackers inject these codes into you contact form, subscribe and login buttons.
03. Use HTTPS
HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees that users are talking to the server they expect, and that nobody else can intercept or change the content they’re seeing in transit.
If you have anything that your users might want private, it’s highly advisable to use only HTTPS to deliver it. That of course means credit card and login pages (and the URLs they submit to) but typically far more of your site too. A login form will often set a cookie for example, which is sent with every other request to your site that a logged-in user makes, and is used to authenticate those requests. An attacker stealing this would be able to perfectly imitate a user and take over their login session. To defeat these kind of attacks, you almost always want to use HTTPS for your entire site.
That’s no longer as tricky or expensive as it once was. Let’s Encrypt(opens in new tab) provides totally free and automated certificates, which you’ll need to enable HTTPS, and there are existing community tools available for a wide range of common platforms and frameworks to automatically set this up for you.
Notably Google have announced that they will boost you up in the search rankings if you use HTTPS, giving this an SEO benefit too. Insecure HTTP is on its way out, and now’s the time to upgrade.
Already using HTTPS everywhere? Go further and look at setting up HTTP Strict Transport Security (HSTS), an easy header you can add to your server responses to disallow insecure HTTP for your entire domain.
04. Get website security tools
Once you think you have done all you can then it’s time to test your website security. The most effective way of doing this is via the use of some website security tools, often referred to as penetration testing or pen testing for short.
There are many commercial and free products to assist you with this. They work on a similar basis to scripts hackers in that they test all know exploits and attempt to compromise your site using some of the previous mentioned methods such as SQL Injection.
Some free tools that are worth looking at:
- Netsparker(opens in new tab) (Free community edition and trial version available). Good for testing SQL injection and XSS
- OpenVAS(opens in new tab) Claims to be the most advanced open source security scanner. Good for testing known vulnerabilities, currently scans over 25,000. But it can be difficult to setup and requires a OpenVAS server to be installed which only runs on *nix. OpenVAS is fork of a Nessus(opens in new tab) (opens in new tab)before it became a closed-source commercial product.
- SecurityHeaders.io(opens in new tab) (free online check). A tool to quickly report which security headers mentioned above (such as CSP and HSTS) a domain has enabled and correctly configured.
- Xenotix XSS Exploit Framework(opens in new tab) A tool from OWASP (Open Web Application Security Project) that includes a huge selection of XSS attack examples, which you can run to quickly confirm whether your site’s inputs are vulnerable in Chrome, Firefox and IE.
The results from automated tests can be daunting, as they present a wealth of potential issues. The important thing is to focus on the critical issues first. Each issue reported normally comes with a good explanation of the potential vulnerability. You will probably find that some of the medium/low issues aren’t a concern for your site.
One of my favorite Website security tool is Wordfence. The free version works really well.
Some of the content included in this blog was written by https://www.creativebloq.com/web-design/website-security-tips-protect-your-site-7122853 please visit to review the full blog post.