If you own or manage your own website, then you are probably aware of hackers and other security threats. Depending on the type of website you run, you might think security is a serious concern, or you might think that it’s an issue that only affects sites that handle a lot of data, like Amazon.com or Apple’s iCloud. The truth is that websites of all types are compromised all the time. This is because a majority of hackers aren’t trying to steal data, but are trying to commandeer your server for nefarious purposes, such as setting up a temporary web server to transmit illegal files, or as a mail relay for spam.
Hackers use a variety of methods to exploit website security issues, including entering bogus characters into URL querystrings, entering dangerous code into URL querystrings, and manipulating text boxes in HTML forms. There is also something called a denial of service, or DDoS attack, which prevents services from working on your server, making your site inaccessible to your users. Hackers run automated scripts that scour the entire internet looking for sites with security vulnerabilities.
Below are some tips for removing those vulnerabilities and protecting your website.
Monitor and Control Input
The best way to stop a hacker from manipulating querystrings and textboxes is to aggressively control and monitor all input to your site. This can be done by setting up systems that can check all input submitted by querystring and removing or rejecting any unsafe characters before they can touch your database.
Setup Custom Error Pages
When hackers enter bogus characters and dangerous code into querystrings it generates an error page, which can often have details that give the hackers the information they need to do further damage to your site. Setting up a custom error page means that even if they are able to make it past the input screening, they won’t get any detailed information.
Keep Your Systems Up-to-Date
This includes any security patches to your server OS as well as any of the software that you run on your site. This also includes keeping any antivirus and security software that you run up-to-date as well. Additionally, if you use a separate machine to log into and administer your server, you should also make sure that the operating system, software and any antivirus or security software are up-to-date on that operating system. According to Trend Micro, whether you are using an antivirus for Mac or PC, security software should provide privacy protection, cloud-based protection, and perform system optimization tasks.
Use Complex Passwords
Avoid using the same password for multiple purposes because all it takes is for a hacker to figure out one password, and he’ll have them all. You should also avoid using obvious passwords, such as important dates, or pet names. If you can’t think of a strong password, use a password generator and also encrypt your passwords for an extra layer of security. Avoid writing your passwords down, or keeping them in a file, unless you also keep them in a secure location, such as using password protection on the password file.
Pay Attention to Your Scripts
Regularly Check Your Folder and Administration Panel
If a hacker does get in, they can often leave behind viruses, site spoofs, and other problems, by making regular checks of your folder and administration panel, you can spot and remove files that you don’t recognize, or get assistance from your web host. You should also regularly change your administrator username and password and run antivirus software.
Keep Your ISP Informed of DDoS Attacks
If you notice that your end users are having trouble accessing your site, you should inform your ISP about the attack. Your ISP might be able to assign alternative DNS addresses so that if one DNS goes down, another will still be available. Another option is to filter all incoming packets from high-risk IP addresses or with unusual timings.