
Worried about the security of your website? Here are some tips for making it stronger.

Your website could be an easy target for cyber attacks. Something as innocent looking as a plug-in could infect your site with malware or give hackers an open door to your web content, or even worse, your entire network.

The key to protecting your website is knowledge — knowing where you have vulnerabilities that hackers can exploit. Once you know your risks, you can implement better security practices to plug the holes. It all comes down to the way you set up your website, the quality of your coding and how you interact with your installation.

To help you out, we’ve created a Knowledge Base (KB) article with recommendations for fixing the most common vulnerabilities and avoiding security pitfalls – we’ve highlighted just a few below:

  • Watch out for vulnerable plug-ins. Never install plug-ins or themes from unreliable sources. With a quick visit to your favorite search engine, you can research if a desired or already installed plug-in or theme is known to be vulnerable or not actively maintained anymore. If this is the case, there is a high likelihood that there is exploit code already available on the Internet. If you find vulnerable plug-ins or themes in your installation, you should remove them. This is an easy way for a hacker to compromise your website.
  • Have input validation programmed into your code. Whenever a visitor on your website is asked to enter something into an HTML field (like name, address or email) you want to make sure that these input fields only allow certain characters to be entered. You shouldn’t allow any unnecessary characters like double quote (“), colon (:), semi-colon (;), plus sign (+), curly brackets ({}) or similar. A single quote (‘) might be okay for the name field, but not for the field where you enter a phone number. For characters you can’t exclude from certain fields, you should escape or encode those on the web server before processing. If you allow those kinds of characters to be used in any field, they can be misused in so-called SQL injection attempts to manipulate or read information from your database.
  • Review your log files. Web and FTP access logs, as well as the error logs of your web server, contain a lot of information. This is the first place to look for suspicious behavior on your website. With a little programming, you can extract exactly what you are looking for. You should check for large numbers of failed login attempts or consecutive HTTP POST requests made to your website in a short period of time. If you are a CMS user, look for failed attempts to access the admin portal. These are usually very good indicators of hacking attempts.
  • Have it tested. Professional penetration testing firms can offer a great deal of value when it comes to the security of your site. They know the latest tools and techniques that hackers are using to compromise web applications and can offer excellent feedback and perspective on the security of your application.
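As an added example of the log review described above (this code is not from the article or from Intermedia), the following script scans constructed access-log lines in the common Apache/Nginx combined format for the two indicators mentioned: bursts of POST requests from one address (which covers repeated submissions of a CMS login form) and repeated denied requests to an admin portal. The login and admin paths (/wp-login.php, /wp-admin) and the thresholds are assumptions you would adjust for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the combined access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:11 +0000] "GET /wp-admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Oct/2023:14:02:30 +0000] "POST /contact HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_log(text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_suspicious(text, post_burst=4, window_s=60, admin_prefix="/wp-admin", admin_fails=2):
    """Return {ip: [reasons]} for addresses matching the indicators; thresholds are assumptions."""
    posts = defaultdict(list)   # ip -> timestamps of its POST requests
    admin = defaultdict(int)    # ip -> count of 401/403 responses on the admin portal
    for ip, ts, method, path, status in parse_log(text):
        if method == "POST":
            posts[ip].append(ts)
        if path.startswith(admin_prefix) and status in (401, 403):
            admin[ip] += 1
    findings = defaultdict(list)
    for ip, times in posts.items():
        times.sort()
        # sliding window: flag once if post_burst POSTs fall within window_s seconds
        for i in range(len(times) - post_burst + 1):
            if (times[i + post_burst - 1] - times[i]).total_seconds() <= window_s:
                findings[ip].append(f"{post_burst} POSTs within {window_s}s")
                break
    for ip, n in admin.items():
        if n >= admin_fails:
            findings[ip].append(f"{n} denied requests to {admin_prefix}")
    return dict(findings)
```

Running `find_suspicious(SAMPLE_LOG)` flags 203.0.113.5 for the POST burst and 198.51.100.7 for the denied admin requests, while the single contact-form submission from 192.0.2.20 is left alone.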

Want to learn more?

Check out the Open Web Application Security Project (OWASP) website to learn more about the OWASP Top Ten. The OWASP Top Ten offers a powerful awareness document for web application security and represents a broad consensus about the most critical web application security flaws. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.

We urge all companies to adopt this awareness document and start the process of ensuring that their web applications do not contain these flaws.

Following those recommendations doesn’t mean that your website will never be attacked. The Internet makes it easy for hackers to find new tools, and those tools are constantly evolving, which makes defending your website difficult. Keeping these tips in mind, however, you can significantly reduce the possibility of becoming an easy target. For more tips and tricks, read our KB article on securing your website.


About Ryan Barrett

Ryan is Intermedia's Vice President for Security and Privacy.