May 14, 2015
Technology has become more advanced, and with it, hack attacks in the online world are increasing at an alarming rate.
Hackers use known vulnerabilities in third-party software to target your website and web server, and use it for their advantage.
The object of this maybe just to deface your website, steal your confidential client data, or even worse, use your server resources to perform illegal activities.
There are some simple tips you can leverage to strengthen your website software and sleep with peace of mind.
1. XSS or Cross Site Scripting
XSS occurs when a hacker embeds scripting code into a web form or url, and run malicious code to change your web visitor’s experience and steal passwords or other data.
XSS can also be persistent in nature, where an attacker can manipulate a specific web page and show it as a login screen to users. The recent XSS comment hack on WordPress 4.2 is an example of such a permanent loophole.
2. SQL Injection
SQL injection occurs when a hacker uses a web form field or URL parameter to manipulate your database. Almost all web platforms have a database and generally open source CMS platforms maintain dynamic aspects of the website in the database.
3. DoS or Denial of Service Attack
Denial of Service (DoS) or Distributed Denial of Service (DDos) attacks are by far the most notorious kinds of attacks.
That is because, any level of hacker with a small investment can bombard a website, with millions of requests, and make it look like they are from legit users.
This eventually crashes the web server, and takes the site offline, requiring manual intervention to bring it back online.
4. Weak Passwords
We should all use complex passwords, because the weakest link is all it takes to break the chain. It is imperative to use strong passwords for admin areas, but equally important for all users to protect the security of their accounts.
One compromised account can lead to another and that could lead to the admin account being hacked. It is recommended that passwords have a minimum of 8 letters, digits and special characters to avoid quick password guesses.
5. Brute-force Attack
These attacks are trial-n-error methods to guess your username and password. Weak passwords are prone to getting hacked easily.
Methods like temporary blocking of IP’s and accounts, and multi-factor authentication, help mitigate such attacks.
6. Code Injection
Websites with file upload capability, or sites missing proper client and server side form validation, can be vulnerable.
The risk is that any file uploaded, could contain a script which could be leveraged as root-kit ie. administrator access to your website.
Lack of form validation on simple form fields could lead to malicious code being inserted into the database, and could cause undesirable results to your website.
7. Unencrypted Protocol
An unencrypted channel allows man-in-middle attacks to steal information from your users.
The use of a security certificate SSL, whenever passing personal information between the website and web server or database is recommended.
8. Debug Mode on Production Server
Some developers may accidentally enable debug mode on the live production server, which dumps extensive error logs to the browser.
A hacker can then obtain valuable information about the software used by the webserver and target an attack much better. It’s crucial to hide as much internal information about your server as possible to minimize and delay any attacks.
9. Old Software Versions
It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website such as a CMS or forum.
When website security holes are found in software, hackers are quick to abuse them.
10. No Backup Plan
No matter how vigilant you are, attackers can find new loopholes to target your website. So in addition to preventative measures, you should also have a backup-restore plan.
Just in case your site is compromised, you should have a team which can quickly restore the last known backup, and avoid reputation and sales loss.
Article by Joey George. Coversine provides a simple affordable solution to all these problems. Your own security professional who will maintain your site's uptime, performance and security, all-in-one for as low as $10 per month. The subscription takes care of performance checks, and regular updates to softwares and apps as well.