Top Tips to Protect Your Company Website from Hackers – check website security

This is an era of popularity of internet and Web Development Services and billions of people are now using internet and websites to carry out so much of their work and tasks. Even the most important transactions are now happening over the internet. Although an increasingly connected world makes our lives easier but it also brings greater risks as we expose our personal data to cyber criminals or hackers. Security companies are working hard to protect users from hacking activities and viruses but the hackers have devised many ways to steal important data which is then put to misuse. Here we are going to discuss about common ways your website and online data can be stolen and what you you can do to make it safe and protected.

If you have a running website, then you may think that your site doesn’t have any sensitive data which can be hacked and your site is safe but you can read numerous stories nowadays when so many websites have been compromised already and more are at risk. Although so many of the security breaches are to steal your data but in many other cases the hackers do that to use your server or an email relay for spam, or to set up a temporary web server, normally to serve files of an illegal nature.

Although so many people are looking for Web Development Companies but they are also concerned about increased ways to abuse compromised computers which include using your servers as part of a botnet, or to mine for Bitcoins. Some people are even being hit by ransomware. Normally hacking is performed by automated scripts written to disturb the internet and by this the hacker’s intent is to exploit the known website security issues in software. In this article, we are going to discuss about top tips which can help you and your website to remain safe, protected and secure on internet.

This is one of the most easiest thing to do to keep your website safe i.e. to regularly update all of your software for their most recent updates, security patches and fixes. This is applicable for both the server operating system and any software which you may be running on your website like a CMS, Framework or forum. If there are some security holes left in the software then hackers may quickly attempt to exploit them and do harm to your website, its data and its smooth functioning. If you are using a managed hosting, then you don’t’ need to worry so much about the applying security updates for the operating system as this is the responsibility of the hosting company.

If you are a Web Developer and If you are using some CMS, Framework or forum then it is your responsibility to quickly apply any security patches or updates. You can subscribe to the mailing list of the software providers to get instant updates about any website security issues. Many developers also use tools like NPM to manage their software dependencies and security vulnerabilities appearing in a package you depend on. Make sure you keep your dependencies up-to-date and use tools to get automatic notifications when a vulnerability is found in any of your components, packages or software.

The admin access to your website should be highly secured and protected. This is the easy area for a hacker to get into your website and do the damage. Hence enforce user names and passwords which cannot be guessed easily. Also change the default database prefix from “wp6_” to something random and harder to guess. Also put a limit on the number of login attempts within a certain period of time and also on the password resets as email accounts are also hacked widely. Also make sure that you never send login details by email as sometimes an unauthorized user can gain access to the account and can read and misuse the login details given in the email.

This thing is very important in offices and the places where people work. Computers in office may be unintentionally providing an easy access route to your website servers. Hence make sure that login sessions expire after a short period of inactivity and that the passwords are changed regularly and within few days. Also make sure that all of the passwords are complex and strong and are never written down and that all devices plugged into the network are scanned for malware and viruses each time they are attached to the network of computers into your workplace. Large organizations having highly critical data and information in the computes have to watch the network security on a minute-by-minute basis to make sure nobody tries to hack it.

SQL injection attack is a very common type of hacking attack on major websites. This is when an attacker uses a web form field or an URL parameter to gain access to or manipulate your database. If you use standard Transact SQL then it is easy for hackers to insert bad code into your query that could be used to change tables, get information and even delete the data. Good thing is that you can prevent this type of attack by always using parameterized queries. Most of the web languages have this feature and you can implement it easily without any difficulty.

Take this query:

“SELECT * FROM table WHERE column = ‘” + parameter + “‘;”

In this case, suppose an attacker change the URL parameter to pass in ‘ or ‘1’=’1. This will make the query to look like this:

“SELECT * FROM table WHERE column = ” OR ‘1’=’1′;”

As ‘1’ is equal to ‘1’ hence this will allow the attacker to add an additional query to the end of the SQL statement which will also be executed.

As we said you can fix this query. For this you just have to explicitly parameterise it. For example, if you’re using MySQLi in PHP then this will become: –

$stmt = $pdo->prepare(‘SELECT * FROM table WHERE column = :value’);

$stmt->execute(array(‘value’ => $parameter));

A perfect web application firewall or WAF can be software or hardware based. It fixes itself between your website server and the data connection and reads and checks every bit of data passing through it. Today most of the modern WAFs are cloud based and provided as a plug-and-play service by charging nominal monthly subscription fee.  That means, the cloud service is deployed in front of your server, where it serves as a gateway for all the incoming traffic. After installing web application firewall you will get complete peace of mind as it will block all the hacking attempts and it will also filter out other types of unwanted traffic like spammers and malicious bots which are also harmful. Hence installing web application firewall is a great way to avoid getting hacked from hackers and cyber criminals.

You have to be cautious with how much information you are giving in your error messages. You should provide only minimal errors to your users to make sure they don’t leak secrets present on your server for e.g. API keys or database passwords. Hence you should not provide full exception details either as these can make complex attacks like SQL injection more easy to happen. You should keep detailed error messages in your server logs which you can check but show users only the information which they need and not more than that.

You have to make sure that you are doing validation on both i.e. on the browser and on the server side. The web browser can catch simple failures like mandatory fields which are empty and when you enter text into a number only field. Remember these can be bypassed therefore you should make sure that you are checking for these validation and deeper validation on server side as failing to do so could lead to malicious code or scripting code being inserted into the database or it can also give unexpected result on your website.

There are some cross-site scripting attacks i.e. XSS attacks which inject malicious JavaScript code into your pages, which when runs in the browsers of the users, can change page content, steal information and send it to the attacker or can give some other unexpected result. Take this case when you show comments on a page without validation, then a hacker might submit comments having script tags and JavaScript, which could run in user’s web browser and steal their login credentials from the cookie and allows the hacker to take control of the account of every user who view the comment on your site. Hence you have to make sure that the users cannot inject active JavaScript content into your pages.

Right now this is one of the most important issue in modern web application, where pages are now build mainly from user content, and which so many times generate HTML that’s then also interpreted by front-end frameworks like Angular and Ember. One can use these frameworks as they provide lots of XSS protections but remember mixing server and client rendering it create new and more complicated attack options too which means not only is injecting JavaScript into the HTML effective but one can also inject content which can run code by inserting Angular directives or using Ember helpers.

Hence the important thing here is to focus on how your user-generated content could go beyond what you expect and be interpreted by the browser as something other than which you intended. This is something like protecting from SQL injection.

There is a useful tool in the XSS defender’s toolbox i.e. Content Security Policy (CSP). It is a header your server can return which tells the browser to limit how and what JavaScript is executed in the page, like to disallow running of any scripts not hosted on your domain, disallow inline JavaScript or disable eval(). This will make it hard for a hacker’s script to run even if they can get them into your page finally.

Please note that HTTPS is a protocol which is used to provide security over the internet. HTTPS guarantees that users are talking and listening to the server which they should be and that nobody else can intercept or change the content they are communicating in transit. If on your website, you have something which your users might want private then it is highly recommended to use only HTTPS to deliver it. This means for example if you are using credit card information or other sensitive information, a hacker can steal it. To protect from these kind of attacks, you should always use HTTPS for your entire website. This is not so much difficult or expensive nowadays. You can also use some tools for that like Let’s Encrypt which you can use to provide fully free and automated certificates, which you will need to enable HTTPS and there are many more tools available for so many platforms and frameworks to automatically to this for you.

It is worthwhile to mention here that now even Google is giving higher priority to HTTPS sites. Now Google will boost up your site search rankings if you use HTTPS means Google is giving you an SEO benefit. Hence you should not use insecure HTTP and it is time to upgrade it to HTTPS now.

We have just discussed some of the top tips to protect your company website from hackers, attackers and cyber criminals. As companies and security companies are doing more research to protect websites from hacking attempts so that users’ services are not interrupted and the users’ data doesn’t fall into bad hands. But the attackers and hackers are also using latest techniques to hack, attack a website and steal sensitive data. Hence the moment you plan to build your website you have to be very attentive and use the tips given above to make your data and website more secure and protected. For example, regularly updating all the software and tools and applying their security patches quickly whenever they are released. Also tighten your network security, install firewalls, protect your site from very common SQL injection attacks and always use HTTPS for your website for higher security. This way not only you can protect and safeguard your website but it will also bring confidence and a sense of trust among your website users and they will become sure that their data on your website is fully safe, secure and protected.