The Basics of Website Security

You may not think your site has anything worth being hacked for, but websites are compromised all the time. The majority of website security breaches are not attempts to steal your data or deface your website, but attempts to use your server as an email relay for spam, or to set up a temporary web server, normally to serve files of an illegal nature.

Hacking is regularly performed by automated scripts written to scour the Internet in an attempt to exploit known website security issues in software.

1. Keep software up to date

2. Passwords

3. File uploads

4. SSL

5. Back up your Web Site Often

1. Keep software up to date

It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website, such as a CMS (content management system) or forum. When website security holes are found in software, hackers are quick to attempt to abuse them.

If you are using a managed hosting solution then you don’t need to worry so much about applying security updates for the operating system as the hosting company should take care of this.

If you are using third-party software on your website such as a CMS (content management system) or forum, you should ensure you are quick to apply any security patches. Most vendors have a mailing list or RSS (Rich Site Summary) feed detailing any website security issues. WordPress, Umbraco, Joomla, Drupal and many other CMSes (content management systems) notify you of available system updates when you log in.

2. Passwords

Everyone knows they should use complex passwords, but that doesn’t mean they always do. It is crucial to use strong passwords for your server and website admin area, but it is equally important to insist on good password practices for your users to protect the security of their accounts.

As much as users may not like it, enforcing password requirements such as a minimum of around eight characters, including an uppercase letter and a number, will help to protect their information in the long run.

  • Don’t use common words for passwords like love, god, pass, admin, admin123, etc.
  • Avoid personal information in passwords like your personal or family name.
  • Avoid password generators. Password generators use algorithms to generate the passwords which can be compromised by an attacker.
  • Use as many special characters (such as *!@#$), numbers and capital letters in your password as possible.
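The requirements above (minimum of eight characters, an uppercase letter and a number, no common words, no personal information) as a server-side check, written as an added example rather than code from the original article; the common-word list combines the article's words with a few assumed extra entries.

```python
import re

# Words the article names as bad passwords, plus a few assumed common ones
COMMON_WORDS = {"love", "god", "pass", "admin", "admin123", "password", "123456"}

def password_problems(password: str, personal_info=()) -> list:
    """Return the list of policy failures; an empty list means the password is accepted.

    personal_info holds strings such as the user's name or family name that
    must not appear anywhere in the password (matched case-insensitively).
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")

    lowered = password.lower()
    # Common words are rejected even when padded, e.g. 'Admin123!' still contains 'admin'
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains common word '{word}'")

    # Names shorter than three characters are ignored to avoid spurious matches
    for item in personal_info:
        token = item.strip().lower()
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains personal information '{item}'")
    return problems

def password_ok(password: str, personal_info=()) -> bool:
    """Convenience wrapper for the sign-up handler: True only when no rule fails."""
    return not password_problems(password, personal_info)
```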

3. File uploads

Allowing users to upload files to your website can be a big website security risk, even if it’s simply to change their avatar. The risk is that any uploaded file, however innocent it may look, could contain a script that, when executed on your server, completely opens up your website.

If you have a file upload form then you need to treat all files with great suspicion. If you are allowing users to upload images, you cannot rely on the file extension or the MIME type to verify that the file is an image, as these can easily be faked. Even opening the file and reading the header, or using functions to check the image size, is not foolproof. Most image formats allow storing a comment section, which could contain PHP code that could be executed by the server.

So what can you do to prevent this? Ultimately you want to stop users from being able to execute any file they upload. By default web servers won’t attempt to execute files with image extensions, but it isn’t recommended to rely solely on checking the file extension, as a file with the name image.jpg.php has been known to get through.

Ultimately, the recommended solution is to prevent direct access to uploaded files altogether. This way, any files uploaded to your website are stored in a folder outside of the webroot, or in the database as a blob.
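An upload handler that applies the points above: only the final extension counts (so image.jpg.php is rejected), the file header must agree with that extension, and the file is written under a random server-chosen name into a directory outside the webroot. This is an added example, not code from the article; the upload directory path is a placeholder, and the header check is only a first filter since, as the article notes, a valid image can still carry script in a comment section, which is why the file is never placed where the web server would execute it.

```python
import secrets
from pathlib import Path

# Allowed image types and the header bytes each must start with
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Placeholder: a directory that the web server does not serve or execute from
UPLOAD_DIR = Path("/var/app/uploads")

def detect_image_type(data: bytes):
    """Return the image type implied by the header bytes, or None if none matches."""
    for ext, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None

def validate_upload(filename: str, data: bytes, max_bytes: int = 2 * 1024 * 1024) -> str:
    """Accept only a small image whose content and final extension agree.

    Returns the canonical extension; raises ValueError for anything else.
    """
    if not data or len(data) > max_bytes:
        raise ValueError("bad size")
    # Path.suffix is the LAST extension, so 'image.jpg.php' yields '.php'
    ext = Path(filename).suffix.lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in MAGIC:
        raise ValueError("extension not allowed")
    detected = detect_image_type(data)
    if detected != ext:
        raise ValueError("content does not match extension")
    return detected

def server_filename(ext: str) -> str:
    """Random name chosen by the server; the client-supplied name never reaches disk."""
    return f"{secrets.token_hex(16)}.{ext}"

def store_upload(filename: str, data: bytes, upload_dir: Path = UPLOAD_DIR) -> str:
    """Validate, then write outside the webroot; returns the stored name for a DB record."""
    ext = validate_upload(filename, data)
    name = server_filename(ext)
    upload_dir.mkdir(parents=True, exist_ok=True)
    # 'xb' refuses to overwrite if a random name ever collides
    with open(upload_dir / name, "xb") as fh:
        fh.write(data)
    return name
```

Serving the file back then goes through an application handler that looks the name up and streams the bytes with an image Content-Type, not through a URL into the upload directory.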

Most hosting providers deal with the server configuration for you, but if you are hosting your website on your own server then there are a few things you will want to check.

Ensure you have a firewall set up and are blocking all non-essential ports. If possible, set up a DMZ (Demilitarised Zone) that only allows access to ports 80 and 443 from the outside world. This might not be possible if you don’t have access to your server from an internal network, as you would need to open up ports to allow uploading files and to remotely log in to your server over SSH (Secure Shell) or RDP (Remote Desktop Protocol).

If you are allowing files to be uploaded from the Internet, only use secure transport methods to your server such as SFTP (Secure File Transfer Protocol) or SSH (Secure Shell).

If possible, have your database running on a different server from your web server. Doing this means the database server cannot be accessed directly from the outside world; only your web server can access it, minimising the risk of your data being exposed.

Finally, don’t forget about restricting physical access to your server.

4. SSL

SSL (Secure Sockets Layer) is a protocol used to provide security over the Internet. It is a good idea to use a security certificate whenever you are passing personal information between the website and the web server or database. Attackers could sniff for this information and, if the communication medium is not secure, capture it and use it to gain access to user accounts and personal data.

5. Back up your Web Site Often

It is essential to back up your web site as often as possible. You should always keep a backup copy of your web site files and database on your local computer, just in case something happens.

Having a backup of your website is essential. There are many bad things that could happen to your site – an extension can malfunction, some of your code can break or even your site can get hacked. In such cases a recent backup of your web site can be a life saver.

Hopefully these tips will help keep your site and information safe. Thankfully most CMSs (content management systems) have a lot of inbuilt website security features, but it is still a good idea to have knowledge of the most common security exploits so you can ensure you are covered.

Stan Reed

8 years of working with non profit organizations and over 30 years of programming knowledge