Lawrence Arabia, Negosentro | Websites are hacked all the time. Hackers have numerous nefarious reasons to hack websites including stealing data, defacing the website or turning its server into an email relay for spam or for storage of illegal files. As such, size and function of a website do not matter to hackers. The popular belief that hackers only target large ecommerce sites could actually be a lie propagated by hackers to create laxity in web owners running small websites.
Building a website costs good money and takes time so having it hacked can be heartbreaking. When you launch a website, you want to attract many customers while keeping out the website vandals. This is a tough balancing act. Failure to do either and your online business will fail. To secure your website and keep hackers at bay, you can perform a few fundamental actions. These include the following:
- Acquire an SSL certificate for your website
Hypertext Transfer Protocol (HTTP) is not secure in its natural form. It makes it easy for hackers to intercept sensitive information like usernames, passwords or credit card information as it moves from the browser to the server. You need an SSL certificate to secure that protocol.
When a browser requests your website, it receives the SSL certificate from your server. If the browser and server trusts your SSL certificate, an encrypted session will be initiated that will ensure secure communication between browser and server.
SSL certificates offer different levels of security and can be bought at different price points. If you want to save time and money by using a single SSL certificate to secure your domain and an unlimited number of subdomains, you should obtain a wildcard SSL Certificate.
- Update everything regularly and do regular cleanups of unused and outdated plugins
You must make sure that every piece of software on your website is up to date whether you’ve built your website from scratch or on a third party platform. CMS providers like WordPress or Joomla regularly update their systems to plug any holes in the system. Make sure you always install these updates and have the most recent software version supporting your site.
Plugins are meant to enhance the functionality of your website but before you install any, find out what it does and whether you need it. Plugins such as Wordfence for WordPress websites scan your website for issues and provide a firewall to block threats in real time. Some other plugins fall into disuse with time and provide gateways for hackers to infiltrate your site. Make sure you perform regular cleanups to wipe out such.
- Have strong password policies
Brute force and dictionary attacks work by guessing username/password combinations. You can secure your site from these by using strong passwords. Strong passwords are important for securing your email, website server, database, admin account and financial transactions.
A strong password should be at least 12 characters long and a combination of alphanumeric characters, symbols and upper and lower case letters. Each log in should have its own unique password and these should be changed regularly. With password managers, you do not have to write down or commit to memory all your complicated passwords. They can safely store all your passwords.
- Limit your file permissions preferably reserving all rights to the admin alone
A website is made up of a series of files and folders stored on a web hosting account. A set of permissions is assigned to each of these files and folders to control who can read, write and execute anything on them relative to the user they are. Ideally, the ‘admin’ has permissions to read, write and execute all files and folders. However, access can also be given to other groups of users. This must be done with careful consideration not to create a security risk since a file that gives many users the ability to write and execute is less secure than one that has been locked down.
- Control your website inputs to prevent SQL injections and XXS attacks
Make sure that your website users cannot inject active JavaScript content into your pages. Hackers often slip malicious JavaScript code on your pages, which infect the pages of any visitor to your site that is exposed to the code. This technique is referred to as cross-site scripting (XXS) and attackers use it to steal the login cookies of your users and take control of their accounts.
Similar to XXS attacks is SQL injection whereby attackers use a URL parameter or web form on your website to hack into your database. The hackers can then steal or delete sensitive information from your database.
You can use parameterized queries to make sure your code has very specific parameters so that there is no room for a hacker to add additional queries to it. This feature is easy to implement on most web languages and it should protect you from both XXS attacks and SQL injections. Crafting Content Security Policy (CSP) headers can also protect your site from XXS. It simply entails adding a HTTP header to your webpage that directs the browser on the domains that are ok and exceptions to the rule.
- Conduct penetration testing Website security tools
Once you think that your website security can withstand hacking attempts, it is time to put it to the test. Employing the services of “white hat hackers” might be too expensive for small website owners, so the next best thing is using some website security tools. Like hackers, they use scripts to test all known vulnerabilities and attempt to compromise your site’s security. Results from these automated tests present potential issues in your website security, their explanation and their threat level. Many tools are available to assist you with this both commercial and freeware.
- Backup your website data frequently
In the event of a breach, you stand to lose everything that is on your website. All the data you have accumulated for a long time can disappear just like that. Sometimes, it is almost impossible to recover from such loss. That is why you should always back up everything regularly preferably to an external hard drive that is no connected to the internet. If your security measures fail, you can always get your website back up and running within the shortest time.
