
10 Ways to Keep Your Website Secure

10 Ways to Keep Your Website Secure by Market Action Research

Websites are compromised all the time. A breach can have repercussions including, but not limited to, the complete destruction of your web site, data loss, unauthorized disclosure of information, and potential legal action from your visitors if you are found to have been negligent. The majority of attacks aim to steal your data or deface your site, but attackers also use compromised servers as email relays for spam, to set up a temporary web server, or to serve files of an illegal nature. Much of this hacking is done by automated scripts that scour the Internet for known security flaws in software, so a site does not need to be a high-value target to be attacked. Here are our top 10 tips to help keep you and your site safe online:



1. Keep software up to date

Keeping all software up to date is fundamental to keeping your site secure. This applies to the server operating system and to any software you run on your website, such as a CMS or forum, including its plugins and themes. Attackers start exploiting newly disclosed security holes very quickly, so apply patches promptly and subscribe to the security announcements for the software you run.

If you use a managed hosting solution you may not need to worry so much about operating system updates, as some hosting companies take care of this. Check what your provider actually covers: the CMS, plugins and themes you installed yourself usually remain your responsibility.

2. SQL injection

SQL injection is when an attacker uses a web form field or URL parameter to alter the query your application sends to the database, allowing them to read data they should not see, modify tables, or delete data outright. If you build queries by concatenating user input into the SQL string, a quote or comment character in that input changes the structure of the query rather than being treated as a value. You can prevent this by always using parameterized queries (prepared statements), where the SQL text and the values are passed to the database separately; every mainstream web language and database driver supports this, and it is easy to adopt.
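The following is an added example, not code from the original article, showing the vulnerable concatenated query beside the parameterized version. It uses Python's built-in sqlite3 module so it runs offline; the `users` table and its single row are constructed sample data. Passwords are stored in plain text here only to keep the injection visible (section 6 covers hashing), and the `' OR '1'='1` payload is the classic tautology that turns the WHERE clause true for every row.

```python
import sqlite3

# Constructed in-memory database with a single user row (sample data, not from the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """String concatenation: the user's input becomes part of the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Parameterized query: the values are bound separately from the SQL text,
    so quotes or keywords inside them are data, never SQL. Other drivers use
    %s or :name placeholders instead of ?, but the principle is identical."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# Tautology injection: with concatenation the clause becomes
#   ... AND password = '' OR '1'='1'   which is true for every row.
PAYLOAD = "' OR '1'='1"

def demo():
    """Run both logins with a correct password and with the injection payload."""
    conn = make_db()
    return {
        "vuln_normal": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(conn, "alice", PAYLOAD),   # logs in without the password
        "safe_normal": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, "alice", PAYLOAD),         # rejected
    }

if __name__ == "__main__":
    print(demo())
```

The only difference between the two functions is that `login_safe` never lets the database parse user input as SQL. Table and column names cannot be parameterized, so if those ever come from user input they must be checked against a fixed allowlist instead.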

3. XSS

Cross-Site Scripting (XSS) is when an attacker gets JavaScript or other scripting code into a page that your site serves to other visitors, typically through a form field or URL parameter whose value is later displayed, so that the code runs in those visitors' browsers and can steal their session cookies or act on their behalf. Whenever you place user-supplied data into a page, encode it for the context it is being output in (HTML body, attribute value, JavaScript, URL) rather than trusting it. Validating and restricting input is a useful second layer, but stripping HTML is error-prone and output encoding is the primary defense.

4. Error messages

Be careful with how much information you give away in your error messages. Just remember, less is more! For example, if you have a login form on your website, think about the language you use to communicate a failed login. Use a generic message like "Incorrect username or password" so as not to reveal when a user got half of the answer right. If an attacker is brute-forcing usernames and passwords and the error message reveals which of the two fields was correct, the attacker knows they have one field and can concentrate on the other. Apply the same thinking to registration and password-reset pages, which often leak whether an account exists, and never show raw database errors or stack traces to visitors in production.

5. Server side validation & form validation

Validation should always be done in the browser and on the server. The browser can catch straightforward mistakes, such as an empty required field or text entered into a numbers-only field, and gives the user fast feedback. However, anything the browser checks can be bypassed by an attacker who submits requests directly, so the server must repeat every check and add its own (type, length, allowed characters, permitted values). Forgetting this could let malicious content into your database, with consequences ranging from corrupted records to stored XSS that hits every visitor who views the page.
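As an added example covering both section 3 (XSS) and section 5 (server-side validation), not code from the original article, here is the server-side check a comment form would need regardless of what the browser enforces, together with output encoding at the point the comment is placed into HTML. The field names `name`, `age` and `comment`, the username pattern and the length limit are assumptions for the example; it uses only the Python standard library.

```python
import html
import re

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")   # assumed allowlist for the name field
MAX_COMMENT = 1000                                 # assumed length limit

def validate_comment_form(form):
    """Server-side re-check of everything the browser was supposed to enforce.
    form is a dict of submitted string values. Returns field -> error message;
    an empty dict means the submission is valid."""
    errors = {}
    name = (form.get("name") or "").strip()
    if not name:
        errors["name"] = "required"
    elif not USERNAME_RE.match(name):
        errors["name"] = "letters, digits and _ only (3-32 characters)"

    age = form.get("age")
    # isdigit() rejects signs, spaces and letters; the range check rejects nonsense values
    if age is None or not age.isdigit() or not (0 < int(age) < 150):
        errors["age"] = "must be a whole number between 1 and 149"

    body = form.get("comment") or ""
    if not body.strip():
        errors["comment"] = "required"
    elif len(body) > MAX_COMMENT:
        errors["comment"] = "too long"
    return errors

def render_comment(name, body):
    """Output encoding: escape at the moment the data is placed into HTML, so a
    submitted <script> tag is displayed as text rather than executed. quote=True
    also escapes ' and ", which matters because name lands in an attribute."""
    safe_name = html.escape(name, quote=True)
    safe_body = html.escape(body, quote=True)
    return f'<div class="comment" data-author="{safe_name}"><p>{safe_body}</p></div>'

if __name__ == "__main__":
    submission = {"name": "mallory", "age": "30", "comment": "<script>alert(1)</script>"}
    if not validate_comment_form(submission):
        print(render_comment(submission["name"], submission["comment"]))
```

Note that the comment body is allowed to contain `<script>` at validation time: the validator's job is to enforce type, length and required fields, while `render_comment` makes the content harmless wherever it is displayed. Encoding for an HTML body or attribute is not sufficient if the value is instead inserted into a JavaScript string or a URL; those contexts need their own encoders.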

6. Passwords

It is crucial to use strong passwords for your server and website admin area, and we recommend that your users follow good password practices to protect their own accounts as well. Enforcing password requirements, such as a minimum length and the inclusion of an uppercase letter and a number, will help protect their accounts in the long term; of these, length matters most, and checking new passwords against lists of known-breached passwords catches the weak ones that composition rules let through. Store passwords only as salted hashes produced by a slow algorithm designed for the purpose (bcrypt, scrypt, Argon2 or PBKDF2), never in plain text or reversible encryption, so that a database leak does not immediately expose every account. Change passwords promptly whenever there is any sign of compromise; note that current guidance (NIST SP 800-63B) no longer recommends forcing routine changes every few months, since that tends to produce weaker, predictable passwords.
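The following added example, not code from the original article, ties section 4 (generic error messages) to section 6 (passwords): a small registration and login flow that enforces the length, uppercase and digit rules the article describes, stores only salted PBKDF2-HMAC-SHA256 hashes, and returns the same "Incorrect username or password" message whether the username or the password was wrong. It also hashes against a dummy record when the username does not exist, so the unknown-user path takes the same time as the wrong-password path and cannot be distinguished by timing. The user store, the 12-character minimum and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: username -> (salt, hash). Not from the page.
_USERS = {}

# Iteration count for PBKDF2-HMAC-SHA256; 600,000 is the order of magnitude
# currently recommended. Argon2 or bcrypt are preferable where available.
PBKDF2_ROUNDS = 600_000
MIN_LENGTH = 12          # assumed minimum; the page only says "a minimum amount of characters"

GENERIC_ERROR = "Incorrect username or password"

def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def check_policy(password):
    """The requirements the page describes: length, an uppercase letter, a digit.
    Returns a list of unmet requirements (empty means the password is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("an uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("a digit")
    return problems

def register(username, password):
    problems = check_policy(password)
    if problems:
        raise ValueError("password needs " + ", ".join(problems))
    _USERS[username] = hash_password(password)

# Fixed salt/hash used when the username is unknown, so that path costs the
# same as a real password check and does not leak whether the account exists.
_DUMMY_SALT, _DUMMY_HASH = hash_password("placeholder-Password-0")

def login(username, password):
    """Return (ok, message). The message never says which half was wrong."""
    salt, stored = _USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    _, candidate = hash_password(password, salt)
    # compare_digest runs in constant time; the membership test keeps the
    # dummy record from ever granting access.
    if username in _USERS and hmac.compare_digest(candidate, stored):
        return True, "Welcome"
    return False, GENERIC_ERROR

if __name__ == "__main__":
    register("alice", "Correct-Horse-9Battery")
    print(login("alice", "Correct-Horse-9Battery"))
    print(login("alice", "wrong-Password1"))
    print(login("nobody", "wrong-Password1"))
```

Failed attempts should additionally be rate-limited per account and per source address, which this snippet does not show; a generic message slows an attacker's guessing only if each guess is also expensive.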

7. File uploads

Allowing users to upload files to your site can be a big security risk, even if it is simply to change a profile picture. The risk is that any uploaded file could contain a script that, if the server ever executes it, hands the attacker control of your website.

Treat all uploaded files as suspicious. If you allow image uploads, you cannot rely on the file extension or the client's declared content type to verify that a file really is an image, as both are trivially faked. Even opening the file and reading its header, or using a library function to check the image dimensions, is not fool-proof: most image formats have a comment or metadata section that can carry PHP code while the file remains a perfectly valid image. That code runs only if the server is persuaded to execute the file, for example because it was stored under a .php extension or is later passed to include(), which is why where and how you store uploads matters more than how thoroughly you inspect them.

Ultimately, we recommend preventing direct access to uploaded files altogether: store them in a folder outside the web root (or in the database), under a random name generated by the server rather than the name the client supplied, and serve them through a script that sets the Content-Type explicitly. That way the web server never maps an upload to a script handler, and even a file that smuggled code past your checks is only ever sent back to browsers as inert data.
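As an added example, not code from the original article, here is an upload handler built on the advice above: it checks the file's magic bytes against an allowlist of image formats, ignores the client's filename entirely, writes the bytes under a random extension-less name into a directory that stands in for a location outside the web root, and serves them back through application code with a fixed Content-Type. It also constructs a PNG-signature file carrying a PHP tag to show the point the text makes: a magic-byte check accepts it, and the file is harmless only because of how it is stored and served. The directory layout, the 2 MB limit and the format list are assumptions; re-encoding images with an image library to strip embedded data is a further hardening step not shown here.

```python
import os
import secrets
import tempfile

# Allowlist of accepted image formats by leading magic bytes (constructed for the example).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_BYTES = 2 * 1024 * 1024   # assumed size limit

def sniff_image_type(data):
    """Return the format name if the content starts with a known image signature, else None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def store_upload(data, upload_dir):
    """Validate and store raw upload bytes. upload_dir must be outside the web root.
    The stored name is random hex with no extension, so no web server handler will
    ever treat it as a script, and the client-supplied filename is never used."""
    if len(data) > MAX_BYTES:
        raise ValueError("too large")
    kind = sniff_image_type(data)
    if kind is None:
        raise ValueError("not an accepted image type")
    token = secrets.token_hex(16)
    with open(os.path.join(upload_dir, token), "wb") as f:
        f.write(data)
    return token, kind

def serve_upload(token, upload_dir):
    """Serve a stored file through application code rather than a direct URL.
    Returns (headers, bytes) the way a web framework response would be built."""
    # The token is the only path component under our control: insist it is the
    # 32 hex characters we generate, which rules out ../ traversal.
    if len(token) != 32 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("bad token")
    with open(os.path.join(upload_dir, token), "rb") as f:
        data = f.read()
    kind = sniff_image_type(data)
    headers = {
        "Content-Type": f"image/{kind}" if kind else "application/octet-stream",
        "X-Content-Type-Options": "nosniff",   # stop browsers second-guessing the type
    }
    return headers, data

# Constructed polyglot: a valid PNG signature followed by a tEXt chunk whose payload
# is a PHP tag. It passes the signature check, exactly as the article warns.
POLYGLOT_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x14tEXt" + b"<?php system('id'); ?>"

def demo():
    """Exercise the handler in a temporary directory standing in for a non-web-root location."""
    with tempfile.TemporaryDirectory() as d:
        token, kind = store_upload(POLYGLOT_PNG, d)
        headers, data = serve_upload(token, d)
        try:
            store_upload(b"<?php system('id'); ?>", d)   # bare script, no image signature
            php_rejected = False
        except ValueError:
            php_rejected = True
    return {"kind": kind, "token_len": len(token), "content_type": headers["Content-Type"],
            "roundtrip": data == POLYGLOT_PNG, "php_rejected": php_rejected}

if __name__ == "__main__":
    print(demo())
```

The polyglot is accepted and stored; what makes that safe is that it sits outside the web root under a name like `9f3c...` with no extension, and the only way to reach it is `serve_upload`, which returns it labelled `image/png`. Nothing in that path ever hands the bytes to a PHP interpreter.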

8. Server security

Ensure your server has a firewall set up, and remember to block all non-essential ports. If you need to transfer files to the server over the Internet, use only encrypted transports such as SFTP or SCP over SSH, never plain FTP, which sends your credentials in clear text.

If possible, run your database on a different server from your web server, reachable only from the web server's address and not from the public Internet (it needs no public address at all). This means the database cannot be attacked directly from the outside world, which limits what is exposed if the web server is compromised; for the same reason, the database account the application uses should have only the privileges it actually needs. Lastly, don't forget about restricting physical access to your server!

9. SSL

SSL, and its modern successor TLS, is the protocol that encrypts traffic between a visitor's browser and your web server (HTTPS). Use a security certificate and serve your whole site over HTTPS, not only the pages that process personal information (names, addresses, card details, login credentials). Attackers on the network path can "sniff" unencrypted traffic; if the connection is not secure they can capture credentials, session cookies and personal data and use them to gain access to user accounts and much more. Once HTTPS is in place, redirect plain HTTP to HTTPS and enable HSTS so browsers never fall back to an unencrypted connection.

10. Security tools

Once you think you have done all you can to secure your website, it is time to test your security. The most effective way to do this is to probe it the way an attacker would, using security scanning tools and, for higher-value sites, a manual penetration test ("pen test" for short).

There are many commercial and free products to assist you with this. They work on a similar basis to the scripts that attackers use: they test for known vulnerabilities and attempt to compromise your site using the methods described above (such as SQL injection). Only scan sites you own or have explicit permission to test, preferably against a staging copy, and treat a clean scan as a baseline rather than proof of security, since automated tools miss business-logic flaws that a human tester would find.

Looking to make your website more secure? Contact our team today!

