"Who would want to hack me?" You think to yourself. "There's nothing on my website that hackers would want. Right?"
Wrong.
The majority of website hacking isn't done to get at your data but rather to set up a temporary web server for files of an illegal nature or to use your server as an email relay for spam. They may also hit you with ransomware and use your server to mine bitcoins or as part of a botnet.
Hacking is generally done by automated scripts designed to scour the internet looking for ways to exploit website security issues in software. To keep your website safe, follow these five tips for protecting your website from hackers.
- Use Secure Hosting
Unfortunately, not all hosts are secure. Secure hosting refers to web hosts that are explicitly designed to protect a website and its visitors from cyberattacks. This means that the host will take steps to protect the server physically and virtually. From a virtual standpoint, this means providing security such as DDoS and SSL certificates.
If you choose managed hosting, you won't have to worry about security updates as the hosting provider will take care of this for you. However, if your hosting is unmanaged, it will be your responsibility to ensure your security is up to date. To do this, you need to ensure that all your software is up to date. This means updating both the server operating system and any software you're running on your websites like a CMS or forum. Hackers are quick to abuse website security holes in software, so be diligent. Make sure you're subscribed to a notification service regarding software vulnerabilities so you can apply patches as soon as possible.
- Protect Against XSS Attacks
An XSS attack or cross-site scripting attack is when a hacker inserts malicious JavaScript into your pages, which then runs on your users' browsers, changing page content or stealing information. For example, if you display comments on a page without validation, a hacker could submit a comment that contains JavaScript and script tags. These will run in a user's browser, stealing their login cookie and giving the hacker access to the account of every user who viewed the comment. Therefore, you must protect your pages so that users can't insert JavaScript content.
You must look at how your user-generated content could be used and interpreted by the browser as something other than what you'd intended. Therefore, when you're dynamically generating HTML, you need to use functions that will make exactly the changes you want. For example, you should use element.setAttribute and element.textContent, which will be escaped automatically by the browser, instead of setting element.innerHTML by hand. You could also use functions in your templating tool to do appropriate escaping automatically instead of concatenating strings or setting raw HTML content.
- Don't Provide too Much Information in Your Error Messages
When setting up error messages for your users, you need to be wary of how much information you're giving out. You should only provide minimal errors to your users to make sure they don't leak secrets like API keys or database passwords. You also need to ensure that you don't give out full exception details either. These can make it easier for hackers to perform an SQL injection. In sum, only show users the information they need and keep detailed error information in your server logs.
- Validate on the Browser and Server Side
It's important that when you validate, you do so on the browser and server-side. This is because the browser can catch simple failures like mandatory fields that are left blank and text entered into a numbers only field. Unfortunately, these can be bypassed, so you need to have validation on the server-side. Failure to do this could result in undesirable results on your site or malicious code or scripting code being injected into your database.
- Require Strong Passwords and Store Passwords as Encrypted Values
It seems obvious, but you need to use complex passwords. However, not all users will do this, so you need to enforce password requirements. This means requiring a minimum password length of eight characters, including a number and an uppercase letter. Furthermore, you need to store your passwords as encrypted values, preferably with a one-way hashing algorithm such as SHA. This method ensures that when you authenticate users, you're only comparing encrypted values. Additionally, for extra security, you should salt passwords with a new salt per password.
Luckily, a lot of CMS' offers out-of-the-box user management that includes these website security features. However, some configuration or extra modules might be needed to use salted passwords or to require minimum password strength.
Summary
Your site is a valuable commodity to hackers. Therefore you need to protect it. There are a lot of security measures you can take, but the most important are:
● Using a secure host,
● Protecting against XSS attacks,
● Keeping your error message information to a minimum,
● Validating on both the site and server-side, and
● Requiring strong passwords and storing passwords as encrypted values.
If you do all these things, you can rest assured that your website is secure.