The Web is not just about business. Billions of pages and blog entries are written every day, every second, by small website owners and bloggers looking to share their views with the world. That’s the charm of the Web: it provides a space for everyone, and for any kind of project.
But the Internet is also a wild jungle: it hides dangers at every corner, and nothing you use is anywhere close to foolproof magic. If you run a non-profit or a solopreneur business online, in particular, you will realize that moving all transactions to the Web calls for extra caution regarding your services.
Security is a truly crucial aspect to take into consideration when you plan your website: how can I secure my content and hard work against attackers? How can I provide the best possible user experience? These are questions you should ask yourself every time you update your website.
Why This Article and Why 7 Tips
Securing your site in an easy, n00b-ish way can be more utopia than reality, but that doesn’t mean someone who’s not a programmer or a computer scientist can’t add some security to their website. I chose seven tips that are both easy to apply and in-depth enough to tickle your curiosity on security issues, so that YOU will become — slowly but relentlessly — your own web security expert. All tips are specific to web hacking and I will also introduce techniques you can use to test your website for security holes. Don’t worry: nothing too hard to do, but it’s important that you become acquainted with the simple tools and techniques that can ward off attacks, for your projects’ sake. :)
Tip #1 — Spend A Little More Mind Power On Your Passwords
The number one web security hole is the use of the same password across multiple websites/web services. A hacker who figures out one password will have figured out all your passwords and will have easy access to all of your data, whether it’s your blog or your PayPal account. Keeping a list of your password(s) on paper or in a file isn’t a safe alternative either (unless you password-protect your files), because someone who hacks your computer will get easy access to your password list.
But what if you can’t come up with a decent password?
- Use a strong password generator to generate a hard-to-crack password that includes letters, digits and other symbols. The more random or pseudo-random a string of symbols is (i.e. the password’s symbols have no internal memory: they are unrelated to each other, so every symbol has an equal chance of following any other), the safer it is.
- Use Password Safe to save and encrypt all of your passwords, which you can unlock by remembering a single passphrase. The program uses the Twofish algorithm to encrypt all passwords. Password Safe is an open-source Windows project developed by Bruce Schneier. If you don’t use Windows, Password Gorilla is a valid open-source alternative to Password Safe.
Here’s a front view of Password Safe with a database named ‘Websites’:
Here’s the details of a file inside of the ‘Websites’ database:
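As an added example (my own code, not part of the original article and not Password Safe’s), here is how a strong password generator of the kind recommended above works: every character is drawn independently and uniformly with Python’s `secrets` module, and the entropy formula shows why length and alphabet size decide how hard the result is to crack. The symbol set and the 20-character default are my own choices.

```python
import math
import secrets
import string

# Alphabet of letters, digits and other symbols (my own choice of symbol set).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?/"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character independently and uniformly from `alphabet`.

    secrets.choice() uses the operating system's CSPRNG, so no character
    depends on the one before it: the "no internal memory" property the
    article describes.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet needs at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    This only holds for passwords built as above; a dictionary word with a
    digit appended has far less entropy than its length suggests.
    """
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest length at which a uniformly random password reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def uses_only(password: str, alphabet: str = ALPHABET) -> bool:
    """Sanity check: a generated password contains nothing outside the alphabet."""
    return all(ch in alphabet for ch in password)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
    print("length needed for 128 bits with digits only:", length_for_bits(128, 10))
```

The comparison in the last line is the practical lesson: with a 10-symbol alphabet you need 39 characters for 128 bits, with the 86-symbol alphabet above you need 20.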
Tip #2 — Take Good Care Of Your Scripts
- Read your script’s version document (changelog) thoroughly: it often contains details on patches and bug fixes
- Listen to your software installer’s, administration panel’s or even Google’s (through Webmaster Tools) warnings: if you need to update or edit/remove a file, do it
- Don’t install every existing plugin: check compatibilities and security notes first.
Also — and this is perhaps the most important factor — always, always keep your scripts and CMSs up to date. The latest package of a piece of software usually contains patches for the previous version’s bugs and security issues.
Example: WordPress upgrade warning from Softaculous
Tip #3 — Perform Regular Folder And Administration Panel Checks
Sometimes hackers intrude into your site quietly, sneaky as cats, but they leave disasters behind: site spoofs, media files containing viruses, executables and recoded web pages. Check your folders regularly, at least once every two weeks, to make sure nothing’s wrong with your files. Should you spot files you don’t recognize, remove them immediately. If that doesn’t work, contact your web host and get assistance (this is when you need a good web host the most). In such cases:
- Change your administration panel password (and username, if possible)
- Perform a check of all files to see if they have been damaged
- If you have an antivirus installed, run it.
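Spotting "files you don’t recognize" by eye gets hard once a site has hundreds of files, so here is an added example (my own code, not from the article or any control panel) of the check a practitioner would automate: record a baseline of every file’s SHA-256 hash right after a clean install or update, then compare the current folder against it to list files that appeared, changed or vanished. The `demo()` scenario builds a throwaway site folder and simulates an intrusion; the file names in it are constructed.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large media files don't fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under `root` ('/'-separated relative path) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, changed or vanished since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def save_manifest(manifest: dict, path: str) -> None:
    """Keep the baseline OUTSIDE the web root, or an intruder can edit it too."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> dict:
    """Constructed scenario: baseline a small site, then see what a later
    check finds after an unknown file is dropped, a page is altered and a
    file is deleted."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "index.php", "<?php echo 'welcome'; ?>")
        _write(root, "images/logo.png", "fake png bytes")
        _write(root, "readme.txt", "site notes")
        baseline_file = os.path.join(store, "baseline.json")
        save_manifest(build_manifest(root), baseline_file)
        # ... two weeks later ...
        _write(root, "images/x.php", "unknown file")          # dropped script
        _write(root, "index.php", "<?php echo 'defaced'; ?>")  # altered page
        os.remove(os.path.join(root, "readme.txt"))            # deleted file
        return compare_manifests(load_manifest(baseline_file), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A "modified" entry for a file you did not touch since the last update is the strongest signal in the report; an "added" `.php` inside an images or uploads folder is the second.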
Tip #4 — Secure Authentication
Web security experts make use of many methods to provide optimal safety for the systems and web transactions they work on: public key cryptography, chains of trust, signatures, SSL and TLS (Transport Layer Security). While you should definitely learn something about cryptography, it’s important that you start by learning how to use the simple multi-factor authentication tools readied for you by experts.
Why do you need multi-factor authentication? Because gaining access to your content will require knowing your username, your password AND your use-once-then-dispose token; otherwise, access will be denied.
If you can, find an expert to tutor you as you learn about web security, or use online tutorials and courses.
Tip #5 — Beware of DDoS Attacks
Denial of Service attacks are fast-evolving and dangerous, as are server hijacking and the replacement of your services with spoofed ones.
A DDoS attack forces the server into a state where its normal services don’t work, and the whole system is no longer available to end users.
What could cause a DDoS attack?
- An open network configuration
- Buggy, non-upgraded applications
- Unsecured server configuration
- No maintenance and/or monitoring of network activity
Inform your ISP about this form of attack and get informed yourself, too. What your website host can do is configure each server with a list of alternative DNS addresses, so that when the default DNS becomes unavailable, the whole website will still work. A hacker can only succeed when he manages to block ALL of the servers on the list — tough job, don’t you think? Another counter-measure is the filtering of all incoming packets with unusual timings and/or from high-risk IP addresses. Your host should be knowledgeable about Denial of Service attacks, so discuss DDoS prevention with them.
Tip #6 — Secure FTP Access With SFTP
Nothing changes for you: it works just like normal FTP, but SFTP, or Secure FTP, comes with a lot of benefits, security-wise:
- It uses SSH to encrypt data and commands during file transfer
- It uses the server’s public key, checked by the client, to validate the server upon connection and ensure it’s not an intermediary
- It makes it impossible for a hacker listening to your network traffic to read it
The problem with ‘regular’ FTP is that it’s not encrypted: all uploads and downloads to and from the server are transmitted as clear text.
To access SFTP via the command line (if you’re a Unix/Linux/Mac OS user) you can use
sftp user@example.com
or just download a free FTP program that supports SFTP, such as FileZilla (open-source).
Tip #7 — Learn About SQL Injection To Protect Your Site Against It
Beware of this nasty hacking method: keep your scripts up to date and immediately contact the script developer if you run into a security breach. Here’s how to run a simple test on your own site:
- Enter the following SQL code into your web form (username and password fields):
' OR 't'='t'; --
which becomes, at the SQL level (see my previous article on SQL database management via phpMyAdmin for reference):
SELECT * FROM users WHERE userid='admin' AND password='' OR 't'='t' ; -- '
- Does it return your database content?
The code might work (I say ‘might’ because you could be lucky enough to have installed a very safe script) because ‘t’=’t’ is a comparison that is always true, so the SQL request will always succeed. A knowledgeable hacker could construct very elaborate SQL statements to achieve his goals, so make sure to contact the script developer and get assistance if the script you use is easily attackable. Or change script.
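To see the test above play out without touching a live site, here is an added example (my own code, not the article’s and not any CMS’s) using Python’s built-in `sqlite3` module: a login check that pastes the form fields straight into the SQL string, next to the same check written with bound parameters, which is the fix a script developer should apply. The table, rows and field names are constructed for the demo; the injected string is the article’s test input minus its semicolon, since `sqlite3`’s `execute()` runs a single statement and the comment marker is what does the work.

```python
import sqlite3

# The article's test input for the password field (semicolon omitted, see above).
PAYLOAD = "' OR 't'='t' -- "


def make_db() -> sqlite3.Connection:
    """Constructed users table; a real site stores password hashes, not plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "correct-horse"), ("editor", "s3cret")])
    return conn


def build_vulnerable_sql(userid: str, password: str) -> str:
    """The string a vulnerable script sends: form fields glued into the SQL text."""
    return f"SELECT userid FROM users WHERE userid='{userid}' AND password='{password}'"


def login_vulnerable(conn: sqlite3.Connection, userid: str, password: str) -> list:
    """Returns every user the query matches; with the payload that is everyone."""
    return [row[0] for row in conn.execute(build_vulnerable_sql(userid, password))]


def login_safe(conn: sqlite3.Connection, userid: str, password: str) -> list:
    """Parameterized query: the driver passes the values separately from the SQL
    text, so quotes and comment markers in the input are just characters."""
    sql = "SELECT userid FROM users WHERE userid=? AND password=?"
    return [row[0] for row in conn.execute(sql, (userid, password))]


def demo() -> dict:
    conn = make_db()
    return {
        "sql_sent": build_vulnerable_sql("admin", PAYLOAD),
        "vulnerable": login_vulnerable(conn, "admin", PAYLOAD),
        "safe": login_safe(conn, "admin", PAYLOAD),
        "legit": login_safe(conn, "admin", "correct-horse"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`sql_sent` prints exactly the statement the article shows (without the semicolon): `AND password='' OR 't'='t'` is parsed as `(userid='admin' AND password='') OR 't'='t'`, so every row matches and the trailing `-- '` comments out the dangling quote. The parameterized version returns nothing for the same input and still returns `admin` for the real password.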
BONUS Tip #1 — Regularly Check Your Administration Panel Logs
Your administration panel (cPanel, Plesk, etc.) comes with built-in tools for traffic analysis, access and security logs that you should keep an eye on at least once a week.
If you use cPanel, I recommend you check your Analog Stats tool every two days, as the tool shows detailed reports on:
- HTTP requests
- Monthly/Daily/Hourly reports of traffic activity
- Referrers, Browsers and OS’s your traffic came from
Log tools are the first thing you should look into when you believe your website has been attacked.
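As an added example serving both the request filtering mentioned under Tip #5 and the log review in this bonus tip (my own code, not a cPanel or Analog feature), here is a small parser for access-log lines in the common Apache format. It produces the kind of breakdown a stats tool gives (requests by status code, client and path) and flags any client that exceeds a request-rate threshold within a short window, which is the simplest form of the "unusual timings" filter. The log lines, threshold and window size are constructed for the demo.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/NCSA common log format; the named groups are the fields we keep.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one ordinary visitor and one client hammering the front page.
SAMPLE_LOG = """
203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET / HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2012:13:57:02 +0000] "GET /about.html HTTP/1.1" 200 1840
198.51.100.77 - - [10/Oct/2012:13:58:00 +0000] "GET / HTTP/1.1" 200 2326
198.51.100.77 - - [10/Oct/2012:13:58:01 +0000] "GET / HTTP/1.1" 200 2326
198.51.100.77 - - [10/Oct/2012:13:58:01 +0000] "GET / HTTP/1.1" 200 2326
198.51.100.77 - - [10/Oct/2012:13:58:02 +0000] "GET / HTTP/1.1" 200 2326
198.51.100.77 - - [10/Oct/2012:13:58:02 +0000] "GET / HTTP/1.1" 200 2326
198.51.100.77 - - [10/Oct/2012:13:58:03 +0000] "GET / HTTP/1.1" 200 2326
198.51.100.77 - - [10/Oct/2012:13:58:03 +0000] "GET / HTTP/1.1" 200 2326
198.51.100.77 - - [10/Oct/2012:13:58:04 +0000] "GET / HTTP/1.1" 503 0
203.0.113.5 - - [10/Oct/2012:14:03:10 +0000] "GET /missing.png HTTP/1.1" 404 209
"""


def parse_line(line: str):
    """Return a dict for one log line, or None if it doesn't match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    entry["status"] = int(entry["status"])
    return entry


def parse_log(text: str) -> list:
    """Parse a whole log, silently skipping lines that don't match."""
    entries = [parse_line(line) for line in text.strip().splitlines()]
    return [e for e in entries if e is not None]


def summarize(entries: list) -> dict:
    """The breakdown a stats tool gives: requests by status, client and path."""
    return {
        "by_status": Counter(e["status"] for e in entries),
        "by_ip": Counter(e["ip"] for e in entries),
        "by_path": Counter(e["path"] for e in entries),
    }


def flag_bursts(entries: list, max_requests: int = 5, window_seconds: int = 10) -> dict:
    """Map each client whose request count inside any `window_seconds` span
    exceeds `max_requests` to its peak count (a sliding-window rate check)."""
    times_by_ip = {}
    for e in entries:
        times_by_ip.setdefault(e["ip"], []).append(e["time"])
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        peak, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window_seconds:
                j += 1
            peak = max(peak, j - i)
        if peak > max_requests:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(summarize(log)["by_status"])   # Counter({200: 9, 503: 1, 404: 1})
    print(flag_bursts(log))              # {'198.51.100.77': 8}
```

Run against a real access log, the same two functions answer the questions you would ask after an incident: which status codes spiked (a burst of 503s is the server giving up), and which clients were responsible. Tune `max_requests` and `window_seconds` to your normal traffic before acting on the flagged list.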
BONUS Tip #2 — Perform Bi-Weekly Backups
Back up every two weeks, or every week if you can. With plugins like Online Backup for WordPress, you could even back up every day or every three days. What counts is that you constantly download fresh copies of your content, ready to be restored if something bad happens along the way. This article showed you what kinds of attacks your website could undergo, and how to fight and prevent them, but your strongest weapon is really this: backups. It’s the only way to return your website to its original state, as if a hacker had never played his dirty tricks.
So, what do you need to do, essentially?
- Learn. Knowledge is power! Learn about cryptography, DDoS and SQL injection, cross-site scripting (XSS) and other types of attacks: everything and anything that can help you develop a complete picture of what’s going on when your website gets hacked. The more you know, the more you can do to counter-attack.
- Keep up to date. With discoveries, tools and script upgrades. This article has stressed the importance of upgrading and updating your site software to ensure more solid protection against attackers.
- Perform regular checks and backups. If you backup, you can restore!
- Report. When things go out of your control, report issues to script developers, authorities, and your host. They can do what you can’t.
Security Tricks From Software Engineering
Software Engineering is a charming field that every good engineer and computer scientist must learn about and apply when they develop software. But did you know it works the other way round, too? You — the user — can use Software Engineering concepts to make intelligent choices among the site software offered to you by developers. You can:
- Understand that a bug can lead to severe hacking of your systems and data loss
- Learn about the 4 dimensions of dependability and use them to your advantage: availability, reliability, safety, and security
- Identify all your possible security concerns: loss of sensitive/important data, failure of certain services, high reconstruction costs (time, money).
What Should You Ask Yourself Before Installing and Using a Script?
| Dependability | Can I trust this software? |
| --- | --- |
| Availability | Is the script easily available to me? Is its developer contactable to get help from? |
| Reliability | Does the script perform well? Does it have bugs or give me problems when I perform actions relevant to my goals? |
| Safety | Do malfunctions and bugs severely affect security and performance? |
| Security | Does the software have a built-in security module? Is it something I can manage? |
| Repairability | If something goes wrong, can I manage it? |
| Maintainability | Am I able to maintain this software on my own? |
| Survival | Will the software still work under attack? Can I recover well from the attack? |
Table of Vulnerabilities
| Source | Vulnerabilities |
| --- | --- |
| Software | bugs; transparent data transmission; errors; public logs |
| Human | low-strength passwords; unprotected directories; disclosure of sensitive data; lack of system maintenance and update/upgrade |
Resources For Further Reading
In April 2012 SourceForge.net released a white paper about 10 Web Security Tips for its newsletter subscribers, an easy-to-read document you can use to develop further knowledge of the whole web security matter. It contains ten in-depth web security tips, which inspired the article you’re about to finish reading. Another good resource is Steve Gibson’s overview on password security, a nice introductory article to the secrets behind safe password usage. If you’re interested in Web Security in all its aspects, Google Code put up a wonderful, easy-to-follow online course on the subject. :)