How safe is your website? Prevent it from being hacked!
Can your website be hacked?
There are approx. 1 billion websites on the Internet and 30,000 sites are hacked every day. So, there is a 0.10% chance that your site will get hacked this year. This number looks really low, but a hack can cause great damage to your site and maybe to your online business.
According to OWASP, the top 3 methods used for hacking are-
 Injection
Injecting malicious code into a web application through fields that do not validate their input, or by bypassing that validation, is termed Injection. Examples- login fields, search fields and even the URL in the browser’s address bar.
 Broken Authentication and Session Management
Accessing admin pages/panels (which a normal user is not meant to reach) by bypassing authentication, or by directly requesting pages that have no authentication at all. Example- accessing www.example.com/editusers.php, which has no authentication.
 Cross-Site Scripting (XSS)
Making a hack-proof website?
It’s almost impossible to make a “hack-proof” website, because if there are zero known loopholes in a website today, there may be 10 tomorrow. However, since we know that a hacker will definitely attack our site, why not make the task challenging for them?
Which language should you use for making websites?
The safest website (in terms of scripting language) would be one made using HTML/CSS only, because it’s ‘IMPOSSIBLE’ to hack HTML. (However, one can hack your server or your web host to damage your website.)
Using a server-side scripting language like PHP or ASP and a database management system like MySQL will increase the chances of your site getting hacked. Creating an HTML-only site, however, locks you out of some really good features like contact forms, newsletters, search support etc.
To use those services, one must use external APIs like Google Custom Search and so on. But most external APIs also require a little piece of PHP or ASP code on your website, which may make your site vulnerable to attacks.
On the other hand, your web server or web host can still be hacked, no matter how secure your website is.
Server side languages-
When displaying data from the database, make sure the output is rendered as text only. Do not execute PHP or HTML code which an attacker may have saved in your database.
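Both points above, the Injection entry from the OWASP list and rendering database content as text only, come down to two habits in PHP: bind user input as a parameter on the way in, and escape every value on the way out. The following is an added example, not code from the article; it assumes a MySQL table `articles(title, body)`, and the DSN and credentials are placeholders.

```php
<?php
// Added example, not the article's own code: fetch a user-supplied search term
// with a prepared statement and render the rows as inert text.
// Assumes a MySQL table articles(title, body); the DSN and credentials are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4',
                   'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
    // Throw on errors, and disable emulated prepares so bound values are sent
    // to the server separately and are never spliced into the SQL string.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Turn any string into text the browser will display but never interpret as HTML.
function asText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function searchArticles(PDO $pdo, string $term): array
{
    // The term is bound as a parameter, so the SQL text is fixed no matter
    // what the user typed into the search field.
    $stmt = $pdo->prepare('SELECT title, body FROM articles WHERE title LIKE :term LIMIT 20');
    $stmt->execute([':term' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$term = $_GET['q'] ?? '';
$rows = searchArticles(connect(), $term);

// Escape on the way out: a stored "<script>" tag is shown literally, not run.
echo '<h2>Results for ' . asText($term) . '</h2>';
foreach ($rows as $row) {
    echo '<article><h3>' . asText($row['title']) . '</h3>';
    echo '<p>' . nl2br(asText($row['body'])) . '</p></article>';
}
```

Escaping belongs at output time, not at storage time: the same stored value may later be placed into HTML, JSON or an e-mail, and each of those needs its own encoding.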
HTTPS encryption is a plus point for your website’s security. However, it can cost you some extra money.
If you use admin panels to manage your data, then make sure you don’t use common username/password pairs like admin/admin or root/password. Do not use easily crackable usernames and passwords which may be present in wordlists.
It’s better to use some random name with numbers as the username, and a randomized combination of uppercase letters, lowercase letters, some numerical digits and at least two special characters as the password.
To make your site safe from brute force, limit login attempts.
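One way to limit login attempts as suggested above, written here as an added example rather than code from the article: failures are counted per username and client IP, and after five failures in fifteen minutes the login is refused before the password is even checked. It uses a SQLite file so it runs stand-alone; the `users` table is assumed to be filled by your registration code with `password_hash()`.

```php
<?php
// Added example, not the article's own code: lock a login after repeated
// failures and check the password against a password_hash() value.
// Uses a SQLite file so it runs stand-alone; the users table is assumed to be
// filled by your registration code with password_hash($pw, PASSWORD_DEFAULT).
declare(strict_types=1);

const MAX_ATTEMPTS   = 5;    // failures allowed per username+IP ...
const WINDOW_SECONDS = 900;  // ... within a 15 minute window

function db(): PDO
{
    $pdo = new PDO('sqlite:' . __DIR__ . '/auth.sqlite');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $pdo->exec('CREATE TABLE IF NOT EXISTS login_failures (username TEXT NOT NULL, ip TEXT NOT NULL, at INTEGER NOT NULL)');
    return $pdo;
}

function recentFailures(PDO $pdo, string $user, string $ip): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM login_failures WHERE username = ? AND ip = ? AND at > ?');
    $stmt->execute([$user, $ip, time() - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn();
}

function attemptLogin(PDO $pdo, string $user, string $password, string $ip): bool
{
    if (recentFailures($pdo, $user, $ip) >= MAX_ATTEMPTS) {
        return false; // locked out: refuse without even checking the password
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn(); // false when the user does not exist
    // password_verify() is a constant-time comparison against the stored hash
    if ($hash !== false && password_verify($password, (string) $hash)) {
        $pdo->prepare('DELETE FROM login_failures WHERE username = ? AND ip = ?')->execute([$user, $ip]);
        return true;
    }
    $pdo->prepare('INSERT INTO login_failures (username, ip, at) VALUES (?, ?, ?)')->execute([$user, $ip, time()]);
    return false;
}

$ok = attemptLogin(db(), $_POST['username'] ?? '', $_POST['password'] ?? '', $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
```

Counting per username alone would let a stranger lock your real users out, while counting per IP alone misses guessing that is spread over many addresses, so the pair is a reasonable middle ground for a small site.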
Content Management Systems (CMS) have made managing a website a lot easier than before. But because all CMSs are based on server-side scripting languages and mostly process data that users provide in order to perform their operations, there is a heavy chance that malicious input from a user can take down your entire site.
Let’s take WordPress: it is the most famous CMS and millions of sites are using it. It’s open source and a large number of developers are contributing to make it more secure. Every new vulnerability gets fixed in very little time. And at this time, there are no known vulnerabilities present in this CMS.
Have a look at the List of WordPress Vulnerabilities.
WordPress and many other CMSs have a table prefix option during installation. Use some random combination as the table prefix so a hacker can’t easily guess your database table names.
WordPress themes and plugins-
You can customize and enhance its functionality by using themes and plugins developed by the community. But wait: these themes or plugins may contain backdoor scripts. Even though WordPress developers may scan them very carefully, there could be some perfectly hidden code. Be careful while using themes and plugins for your CMS.
And if you try to download paid themes from untrusted sources, then there is a 90% chance that the script you downloaded has some piece of backdoor in it.
Also, some CMSs require installation files to be deleted manually. So, delete them before some random hacker guy uses them.
Hack before you get hacked-
If you are not an expert in security and such, then there are plenty of tools which can perform a security analysis on your website, like Nessus. And if you can’t manage it at all, then buy managed web hosting.
Distributed denial of service is basically an attack which sends tons of traffic to your website until either your hosting’s bandwidth limit is exceeded or your servers die under the load. I would suggest Cloudflare to protect your site from DDoS.
Little bit of more protection-
Stay away from the spam folder and do not download any attachments if you don’t personally know the sender.
Update your CMS (if you are using one) regularly, so that you stay more secure.
Do not use common names for your admin pages like admin-login.php; use some other name like our-services.php or anything else to confuse admin login page finders.
Do not index your admin pages.
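The last two points, together with the earlier editusers.php case of an admin page with no authentication, can be handled by one guard file that every admin page includes first. This is an added example, not code from the article; it assumes your login page sets `$_SESSION['admin_user_id']` after a successful login.

```php
<?php
// Added example, not the article's own code: a guard require()'d at the top of
// every admin page. It refuses requests with no admin session (the
// editusers.php problem above) and keeps the page out of search indexes
// without listing its path in robots.txt. The $_SESSION['admin_user_id'] key
// is assumed to be set by your login page after a successful login.
declare(strict_types=1);

function requireAdmin(): void
{
    // Harden the session cookie before the session is started.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'samesite' => 'Strict',
    ]);
    session_start();

    // Sent on every response from this page, logged in or not, so crawlers
    // never index it and browsers never cache it.
    header('X-Robots-Tag: noindex, nofollow', true);
    header('Cache-Control: no-store', true);

    if (empty($_SESSION['admin_user_id'])) {
        // To anyone without an admin session the page simply does not exist.
        http_response_code(404);
        exit;
    }
}

requireAdmin();
// ... admin page content below runs only for an authenticated admin ...
```

A `Disallow` line in robots.txt would also keep crawlers away, but robots.txt is public and would tell anyone who reads it where the admin pages are; the header keeps the page unindexed without advertising it.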
And lastly, read tech and security related blogs to keep yourself updated.
That’s all. If this helped, then make sure to share it. See you in the next article.