Web security fact: The majority of website security breaches are not attempts to steal your data or mess with your website layout, but attempts to use your server as an email relay for spam, or to set up a temporary web server, normally to serve files of an illegal nature.
We live in an era where website security is no longer optional. Protecting a website from hackers has become a day-to-day task for website owners, regardless of the size of their website. You may not think your site has anything worth being hacked for, but websites are compromised all the time.
Here are the top 10 tips to help protect your website from hackers.
1. Keep website software up to date
Keeping all your website software and scripts up to date is an important part of keeping your website safe from hackers. Most website owners use shared web hosting, and security holes are commonly found in software and scripts such as the WordPress CMS. Keeping these updated in a timely manner will prevent hackers from abusing them.
2. SQL injection can cripple your website
SQL injection attacks are when an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you use standard Transact SQL, it is easy to unknowingly insert rogue code into your query that could be used to change tables, get information and delete data. You can easily prevent this by always using parameterised queries. Most web languages have this feature and it is easy to implement.
Consider this query:
"SELECT * FROM table WHERE column = '" + parameter + "';"
If an attacker changes the URL parameter to pass in ' OR '1'='1, the query will look like this:
"SELECT * FROM table WHERE column = '' OR '1'='1';"
Since '1' is equal to '1', the condition is always true, and this will allow the attacker to add an additional query to the end of the SQL statement, which will also be executed.
You could fix this query by explicitly parameterising it. For example, if you're using PHP with PDO (MySQLi also supports prepared statements, using ? placeholders), this should become:
$stmt = $pdo->prepare('SELECT * FROM table WHERE column = :value');
$stmt->execute(array('value' => $parameter));
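The two queries above, run side by side as an added example (not code from the original article). The accounts table, its rows and the function names are constructed, and an in-memory SQLite database reached through PDO (this assumes the pdo_sqlite extension is available) stands in for MySQL.

```php
<?php
// Constructed data: an in-memory SQLite database stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, note TEXT)');
$pdo->exec("INSERT INTO accounts (owner, note) VALUES
    ('alice', 'alice private note'),
    ('bob',   'bob private note'),
    ('carol', 'carol private note')");

// Vulnerable: the parameter is pasted into the SQL text, so any quote in it
// becomes part of the statement (the article's first query).
function findByOwnerConcatenated(PDO $pdo, string $parameter): array
{
    $sql = "SELECT * FROM accounts WHERE owner = '" . $parameter . "';";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the SQL text is constant and the value is bound separately,
// so it is only ever compared as data (the article's prepared statement).
function findByOwnerPrepared(PDO $pdo, string $parameter): array
{
    $stmt = $pdo->prepare('SELECT * FROM accounts WHERE owner = :value');
    $stmt->execute(array('value' => $parameter));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A normal value, then the input discussed in the article.
$inputs = array('alice', "' OR '1'='1");
foreach ($inputs as $input) {
    printf(
        "input %-14s concatenated: %d row(s), prepared: %d row(s)\n",
        json_encode($input),
        count(findByOwnerConcatenated($pdo, $input)),
        count(findByOwnerPrepared($pdo, $input))
    );
}
```

With the injected input, the concatenated query matches every row in the table, while the prepared statement looks for an owner literally named ' OR '1'='1 and matches none.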
Fixing your MySQL database can be challenging, especially for beginners and website owners who don't know much about coding. If this bothers you a lot, having your website hosted on a managed hosting service is a much safer option (and less stressful too).
3. Protect your websites against XSS attacks
The solution here is to focus on how your user-generated content could escape the bounds you expect and be interpreted by the browser as something other than what you intended. This is similar to defending against SQL injection. When dynamically generating HTML, use functions that explicitly make the changes you're looking for (e.g. use element.setAttribute and element.textContent, which will be automatically escaped by the browser, rather than setting element.innerHTML by hand), or use functions in your templating tool that automatically do appropriate escaping, rather than concatenating strings or setting raw HTML content.
4. Error messages may be traps
Hackers often lay traps, and if you are careless, you are going to fall into them.
In all cases, never provide full exception details, as they make complex attacks such as SQL injection much easier for hackers.
Information from the server log should be shown to and shared only with the relevant parties that you know well.
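One way to keep exception details in the server log while the visitor sees only a generic message, as an added example (not code from the original article). The handleRequest function, the reference format and the sample exception text are constructed for illustration.

```php
<?php
// Keep PHP's own error output off the page and in the server log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Runs a request action. On failure, the full details go to the server log
// and the caller only gets a generic message plus a short reference.
function handleRequest(callable $action): array
{
    try {
        return array('status' => 200, 'body' => $action());
    } catch (Throwable $e) {
        // Random reference that ties a visitor's report to the log entry.
        $ref = bin2hex(random_bytes(4));
        error_log(sprintf(
            '[%s] %s: %s in %s:%d',
            $ref,
            get_class($e),
            $e->getMessage(),
            $e->getFile(),
            $e->getLine()
        ));
        return array(
            'status' => 500,
            'body'   => "Something went wrong. Reference: $ref",
        );
    }
}

// Constructed failure whose message would reveal schema details
// if it were echoed back to the browser.
$response = handleRequest(function () {
    throw new RuntimeException(
        "SQLSTATE[42S22]: Unknown column 'pasword' in table 'wp_users'"
    );
});

echo $response['status'], ' ', $response['body'], "\n";
```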
5. Use strong(er) passwords or a password manager
Complex and strong passwords are important for website security. Common passwords such as '123456', 'admin' and 'password' should be avoided at all times.
You can also protect your website from hackers by using different passwords for different websites. In the case of a security breach, other websites will not be affected, because they do not share the same password.
Finding passwords hard to remember?
Using a password manager such as LastPass to create and store passwords for multiple websites will go a long way!
WordPress users can protect their website from hackers by installing two-factor authentication such as Keyy, which is free to use.
6. sFTP vs FTP
When uploading files to your server, using sFTP is the safer choice and should be the only option that you use. Most web hosting companies offer both FTP and sFTP login, and in the case where they don't offer sFTP services, you should literally change host.
7. Avoid using nulled themes and plugins
One of the best ways to protect your website from hackers is to avoid using nulled themes and plugins. In other words, avoid cracked versions, as they bring no good, especially where website security is concerned.
When it comes to installing themes and plugins on your website, make sure you download them from the original source. Hackers could inject viruses and malicious code into these themes and plugins, and unsuspecting website owners are going to (literally) open doors for the hackers to access the website.
8. Use security plugins
You can also protect your website from hackers by installing security plugins to strengthen the core of your website. If you are using WordPress, security plugins such as iThemes and All In One Security and Firewall are great options to secure your site from intruders.
Setting up these security plugins is always easy and pretty straightforward. You can also refer to this guide for more information.
9. Choose the right web hosting company
Most web hosting companies are focused on making money fast and, indirectly, put website security aside. Protecting a website from hackers is a two-way task where both the website owner and the web hosting company must play their roles.
When you are choosing a web hosting service, focus on asking about security scanning, the number of backups, the location of the backups and other security questions to help you make the right decision.
Always remember that a cheap web hosting service may oftentimes offer much lower quality security layers to protect your website from hackers.
10. Enable CloudFlare for protection
If you are looking for ways to protect your website from hackers, CloudFlare is a great option, with both free and premium plans. Integrating CloudFlare with your website will strengthen the overall security level of the site and protect it from online attacks such as DDoS attacks.
Apart from protecting your site, CloudFlare is also a great tool to speed up your website's loading speed. CloudFlare offers Content Delivery Network (CDN) services that deliver static files from datacenters all around the world to your website visitors. This allows your website to load faster and improves the visitor's overall browsing experience.
To-Do: Protect Website From Hackers Now
One question you need to ask before leaving this page (or heading to the next article) is this: Are you doing enough to protect your website from hackers?
Take action to protect your website right now; it is never too late to do so. After all, it is always better to be safe than sorry!