How to keep your website secure from hackers & phishing attacks


Your site is valuable to you and to your visitors, so it needs solid protection against malicious attacks. This guide covers how to protect it from hackers.

You may think there is nothing on your site worth hacking, but sites are compromised constantly, regardless of their content.

Most site security breaches are not aimed at stealing your information or defacing your site.

Instead, the attacker wants to use your server as a relay for spam, or as a temporary web server for hosting illegal files.

Another very common use for compromised machines is to enrol them in a botnet or to mine cryptocurrency.

A vulnerable website also leaves you exposed to ransomware.

These attacks are routinely carried out by automated scripts that scan the internet looking for sites running software with known security issues.

Here are some top tips to help keep you and your site safe online.

Overview

  • Keep your website up to date
  • SQL injection
  • XSS attacks
  • Beware of error messages
  • Front and back end testing
  • Secure passwords
  • Uploading files
  • Use HTTPS
  • HSTS (HTTP Strict Transport Security)
  • Web Security Tools
  • Install a good firewall

Keep your website up to date

This may seem obvious but keeping your website up to date is vital to the security of your site.

This applies both to the server operating system and to any software running on your sites, such as a CMS or forum.

When a security vulnerability is found in a piece of software, attackers try to exploit it quickly.

If you are using a managed hosting solution, you don't have to worry about applying operating system security updates, because the hosting company is responsible for that. The applications you install on top of it are still your responsibility.

If you use third-party software on your sites, such as a CMS or forum, you need to apply security fixes quickly.

Most vendors have a mailing list or RSS feed that announces security issues.

WordPress, Umbraco, and many other CMS will notify you of available updates when you sign in.

Many developers use tools like Composer, npm, or RubyGems to manage their software dependencies, and a vulnerability appearing in a package you depend on but aren't paying attention to is one of the easiest ways to get caught out.

Keep your dependencies up to date, and use the audit tooling that comes with your package manager (npm audit, composer audit, bundler-audit) or a service such as GitHub's Dependabot to get automatic notifications when a vulnerability is announced in one of your components.

If you're using WordPress, core has applied minor security releases automatically since version 3.7 and can auto-update plugins and themes as well; a plugin such as WP Auto Updater gives you finer control over what gets updated and when.

SQL injection

A SQL injection attack is when an attacker uses a web form field or URL parameter to read or manipulate your database.

If you build SQL statements by pasting user input into the query text, it is easy to unknowingly let rogue SQL into your query, which can then be used to modify tables, retrieve information, or delete data.

You can prevent this by always using parameterised queries: the query text and the user-supplied values are sent to the database separately, so the values are never parsed as SQL. Most web languages have this feature and it is easy to implement.

Use the Pentest Tools SQL injection scanner to test for vulnerabilities within your site.

XSS attacks

A cross-site scripting (XSS) attack injects malicious JavaScript into your page, which then runs in your users' browsers and can change the content of the page or steal information and send it back to the attacker.

For example, if you show comments on a page without validating them, an attacker can submit a comment containing a script tag and JavaScript, which then runs in every other user's browser, steals their login cookies, and lets the attacker take over each of those accounts.

You need to ensure that users cannot inject active JavaScript content into your pages.

This is especially important in modern web applications, where pages are built largely from user content and often generate HTML on the client, interpreted by front-end frameworks such as Angular and Ember.

These frameworks provide many XSS protections, but mixing server-side and client-side rendering creates new and more complicated attack paths.

It isn't only JavaScript inside HTML that is dangerous: injecting Angular directives or abusing Ember helpers can also lead to code execution.

The key is to focus on how user-generated content could escape the bounds you expect and be interpreted by the browser as something other than what you intended.

As with SQL injection, when creating dynamic HTML use functions that explicitly set what you want to change (for example element.setAttribute and element.textContent, which the browser escapes automatically, instead of setting element.innerHTML by hand), or use your templating tool's functions, which apply automatic escaping instead of concatenating strings or writing raw HTML.

Another powerful tool in the XSS defender's toolbox is Content Security Policy (CSP).

CSP is a header your server returns that tells web browsers to restrict how and what JavaScript runs on the page, for example blocking scripts that are not hosted on your domain, disallowing inline JavaScript, or disabling eval().

Mozilla has a great guide with some example configurations. A good policy makes it much harder for an attacker's script to do anything even if it does reach your page.

If you use WordPress you can also install Wordfence from your dashboard; its web application firewall blocks many common XSS payloads. Treat it as an extra layer, not a replacement for escaping output.

Beware of error messages

Be careful not to give away too much information in error messages.

To avoid leaking secrets stored on your server (for example API keys or database passwords), show users the minimum of error detail.

Also, do not display full exception details, as they can help an attacker refine complex attacks such as SQL injection.

Log detailed errors in your server log and show users only the information they need.

Front and back end testing

Validation should always be done both in the browser and on the server.

The browser can catch simple mistakes, such as a required field left blank or text entered in a numeric field.

However, browser-side checks can be bypassed, so you must repeat them, and perform more in-depth validation, on the server. Otherwise malicious code or script could be written into the database or cause unwanted results on the server.

Secure passwords

Everyone knows they should use complex passwords, but that doesn't mean everyone does.

It is important to use strong passwords for server and site administration, but it is equally important to enforce good password practice to protect your users' accounts.

Even if users don't like it, enforcing a minimum password requirement helps protect their information in the long run. The traditional rule is at least 8 characters including uppercase letters and numbers; current guidance such as NIST SP 800-63B favours longer passwords and checking against lists of known breached passwords over composition rules.

Passwords must never be stored in plain text. Store only a one-way hash, and use a hash designed for passwords, such as bcrypt, scrypt, Argon2, or PBKDF2, rather than a fast general-purpose hash such as plain SHA-256, which an attacker can try at billions of guesses per second.

Using this method means you only ever compare hash values to verify a user's identity; the site never needs the password itself.

For extra website security you should salt the passwords, using a new salt for every password.

Salting is simply adding a unique, random string of characters to each password before it is hashed.

Typically this salt is placed in front of the password.

The salt has to be stored alongside the hash, which is why some sites lazily use the same salt for every password. That defeats the purpose; generate a fresh random salt per password.

If someone steals your password database, the hashes cannot be reversed to recover the passwords.

Storing hashed passwords therefore limits the damage.

The best an attacker can do is a dictionary attack or a brute force attack.

A dictionary attack and a brute force attack work the same way, differing only in where the guesses come from.

In a dictionary attack, millions of common passwords are saved in one file.

The attacker then hashes each entry in the file and compares it with the stolen hashes.

A brute force attack instead tries every possible combination until it finds a match.

When passwords are salted, cracking many passwords at once is much slower, because each guess has to be hashed separately for every salt. Precomputed tables become useless and the attacker has to work on each password individually; with a slow hash, that cost multiplies further.
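The points above (a slow password hash, a unique salt per password, why plain SHA is a poor choice, and why salting makes dictionary attacks slower) in one added Python example that is not from the original article. It uses PBKDF2-HMAC-SHA256 because it is in the standard library (bcrypt and Argon2 need third-party packages); the record format and the sample wordlist are assumptions for illustration:

```python
import base64
import hashlib
import hmac
import os

# OWASP's 2023 figure for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS):
    """Hash a password with a fresh random salt and a slow, tunable work factor."""
    salt = os.urandom(16)  # new salt per password, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Store algorithm, work factor, salt and digest together so the record can be
    # verified later and re-hashed when the work factor is raised.
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)  # no timing leak


def unsalted_sha256(password):
    # What storing "just a SHA hash" gives you: fast and salt-free, so every user
    # with the same password shares one hash and one precomputed table breaks them all.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(stored, wordlist):
    """Try each candidate against one stored record; returns the match or None.
    Against a salted, slow hash every guess costs a full PBKDF2 run per user,
    which is exactly the point: there is nothing to precompute and share."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))           # True
    print(unsalted_sha256("password") == unsalted_sha256("password"))       # True: identical hashes
    print(dictionary_attack(record, ["123456", "password", "correct horse battery staple"]))
```

Hashing the same password twice gives two different records because the salt differs, so an attacker who cracks one user learns nothing about another with the same password. The dictionary attack still succeeds when the password is in the wordlist, which is why a slow hash has to be paired with a minimum length and a breached-password check.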

Uploading files

Allowing users to upload files to your site can be a big security risk, even if it is only to change their avatar.

The risk is that any uploaded file, however innocent it looks, may contain a script that, if it is ever executed on your server, gives the attacker control of your site.

If you have a file upload form, treat all files with great suspicion.

If you allow users to upload images, you cannot rely on the file extension or the MIME type the client declares to verify that the file is an image, as both can easily be faked.

Even opening the file and reading the header, or using functions to check the image size, is not infallible.

Most image formats allow a comment section, which could contain PHP code that the server will execute if the file is ever run as a script.

A web shell is a malicious script written in one of the popular web application languages, such as PHP, JSP, or ASP.

Attackers plant them on a web server to give themselves remote control of it.

Once a web shell is in place, a backdoor exists, giving criminals direct remote access to the compromised web server at any time.

So what can you do to prevent it?

You want to make sure that no file a user uploads can ever be executed.

By default, web servers will not attempt to execute files with image extensions, but do not rely on that alone.

Files with names like image.jpg.php have been known to slip through and get executed, causing major security issues.

Some options are to rename the file on upload so it has a known-safe extension, or to change the file's permissions.

For example, chmod 0666 the file so that it cannot be executed directly. Note that this only stops direct execution: if the web server hands .php files to a PHP handler, that handler runs them regardless of the execute bit, so renaming the file and keeping it outside the web root matter more.

If you need to allow file uploads for business or customer-facing services, have a look at these steps to further protect yourself.

  • Create a whitelist of allowed file extensions - By specifying which types of files you'll accept, you keep suspicious file types out.
  • Use file type verification - Attackers try to sneak past whitelist filters by renaming files with a different extension from their real type, or by adding extra dots, spaces or a second extension to the filename. Check the file's content (its magic bytes), not just its name.
  • Set a maximum file size - Reject any file over a certain size so uploads cannot be used to exhaust disk or memory in a denial of service attack.
  • Scan files for malware - Use antivirus software to check all files before they are opened or served.
  • Automatically rename files upon upload - Attackers won't be able to find and request their file if it is stored under a different, random name.
  • Keep the upload folder outside of the web root directory - This keeps attackers from reaching their uploaded file through the web server at all; if it has to be downloadable, serve it through a script that streams it with a safe content type.

These steps can remove most of the vulnerabilities when allowing file uploads to your website.

Most hosting providers configure the server for you, but if you are hosting your site on your own server, there are a few things you will want to check.

Make sure you have a firewall configured and block all non-essential ports.

If possible, set up a DMZ (Demilitarized Zone) so that only ports 80 and 443 are reachable from the outside world.

This may not be possible if you cannot reach your server from an internal network, since you will need an open port for SSH to upload files and administer the server remotely. If so, restrict that port to known source IP addresses where you can.

If you upload files to your server over the Internet, use only secure transfer methods such as SFTP (the SSH File Transfer Protocol) or SCP over SSH, never plain FTP.

If possible, have your database run on a different server than your web server. This means that the database server is not directly accessible from the outside world, only your web server can access it, minimizing the risk of exposing your data.

Lastly, do not forget to restrict physical access to your server.

Use HTTPS

HTTPS (Hypertext Transfer Protocol Secure) is the protocol used to secure web traffic over the Internet.

HTTPS guarantees that users are talking to the server they expect, and that nobody else can read or alter the content they see in transit.

If you have anything that your users may want to keep private, it's recommended to deliver it only over HTTPS.

It is essential if your website handles information such as credit card details or has login pages for users.

A login form will often set a cookie, for example, which is sent with every subsequent request a logged-in user makes to your site, and is used to authenticate those requests.

Without HTTPS, an attacker on the same network could capture that cookie, impersonate the user perfectly, and hijack their session.

To prevent these kinds of attacks, use HTTPS for your entire website.

Setting up a certificate is no longer difficult, as most hosting providers can supply one free of charge.

Let's Encrypt provides completely free, automated certificates that you can use to enable HTTPS.

Google has announced that HTTPS is a ranking signal, giving your site an SEO (Search Engine Optimisation) advantage.

Plain HTTP sites generally rank lower on search engines, and modern browsers label them "Not secure" in the address bar.

We also provide SSL certificates free with any hosting package.

Now is the time to upgrade if your website isn’t already using SSL encryption.

HSTS (HTTP Strict Transport Security)

HSTS stands for HTTP Strict Transport Security.

It is a method used by websites to declare that they should only be accessed using a secure connection (HTTPS).

If a website declares an HSTS policy, the browser automatically turns any plain HTTP request to it into an HTTPS request and refuses to let users click through certificate errors.

A browser only honours the header when it is received over a valid HTTPS connection, so get your certificate right first; the policy can also be submitted to the browser preload lists so that even a user's first visit is protected.

You can test whether your website sends HSTS by running an HSTS test or by inspecting the Strict-Transport-Security response header.
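An added example, not from the original article, that covers the two sections above: a small WSGI middleware in Python that redirects plain HTTP to HTTPS and sets the Strict-Transport-Security header on HTTPS responses, plus a parser you can point at a real site's header to judge its strength. The example.com host and the tiny hello_app are assumptions for illustration:

```python
from urllib.parse import quote

ONE_YEAR = 31536000
# Preload-eligible value: at least one year, covers subdomains, opts in to preload.
HSTS_VALUE = "max-age=%d; includeSubDomains; preload" % ONE_YEAR


def https_enforcer(app):
    """WSGI middleware: redirect plain HTTP to HTTPS and add HSTS to HTTPS responses."""
    def wrapper(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            target = "https://" + environ.get("HTTP_HOST", "") + quote(environ.get("PATH_INFO", "/"))
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            # 301 so browsers and search engines remember the HTTPS address.
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # HSTS is only meaningful (and only honoured by browsers) over HTTPS,
            # so it is added here and not on the redirect above.
            headers = list(headers) + [("Strict-Transport-Security", HSTS_VALUE)]
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)
    return wrapper


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.strip().isdigit():
            result["max_age"] = int(arg.strip())
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_is_strong(value):
    """True if the policy lasts at least a year and covers subdomains."""
    p = parse_hsts(value)
    return p["max_age"] is not None and p["max_age"] >= ONE_YEAR and p["include_subdomains"]


def hello_app(environ, start_response):
    # Tiny stand-in application behind the middleware.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over https\n"]


def call(app, environ):
    """Invoke a WSGI app in-process; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


secured = https_enforcer(hello_app)

if __name__ == "__main__":
    print(call(secured, {"wsgi.url_scheme": "http", "HTTP_HOST": "example.com",
                         "PATH_INFO": "/login", "QUERY_STRING": "next=/account"}))
    print(call(secured, {"wsgi.url_scheme": "https", "HTTP_HOST": "example.com",
                         "PATH_INFO": "/login"}))
```

Start with a short max-age (a few minutes) while you confirm every subdomain really works over HTTPS, because once browsers have cached a one-year policy with includeSubDomains you cannot take it back quickly; only then raise it to a year and consider preload.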

Web Security Tools

Once you think you've done everything you can, test the security of your site.

The most effective way to do this is penetration testing.

Use the following tools to see whether your website is secure.

  • Netsparker - a free edition and a trial version are available. Good for SQL injection and XSS tests.
  • Xenotix XSS Exploit Framework - a tool from OWASP (Open Web Application Security Project) that includes a huge selection of XSS attack examples, which you can run to quickly confirm whether your site's inputs are vulnerable in Chrome, Firefox and Edge browsers.

You can also try to compromise your site manually by altering POST/GET values.

A debugging proxy helps here, as it lets you intercept and modify an HTTP request between your browser and the server.

Fiddler is a popular free application and a good starting point; Burp Suite Community Edition and OWASP ZAP are the usual choices for more thorough testing.

Install a good firewall

Hackers rarely attack websites by hand. A capable attacker writes a bot that sniffs out vulnerable sites and automates most of the process.

Most hosting providers run a firewall, a program that identifies and blocks malicious traffic.

Each request made to your site first passes through the firewall.

If the firewall decides that the request is malicious, or that it comes from an IP address known to be malicious, the request is blocked instead of being processed.

Add a firewall to your WordPress site by installing Wordfence from the plugins section of your dashboard.

If you have your own server, we'd recommend ConfigServer Security & Firewall (CSF), whose connection limits and login failure daemon help against brute force attacks and small floods; no host firewall can absorb a large volumetric DDoS on its own.

Avoid changing the firewall configuration unless you need to

Some firewall programs, such as CSF (ConfigServer Security & Firewall), come with sensible default settings and a testing mode that automatically clears the rules after a few minutes, so you can try changes without locking yourself out.

For example, most WordPress security plugins have rules that block any request that tries to access the wp-config.php file directly.

wp-config.php is a WordPress core file that contains sensitive information, including the database credentials and the authentication keys.

The firewall inspects every request to the site to see whether it contains the text "wp-config.php".

If the rule matches, the request is rejected by the firewall.

In addition, because attackers try to compromise as many websites as possible as soon as a vulnerability is discovered, the same attacking IP addresses show up across many sites.

WordPress firewalls such as Wordfence monitor these attacks and proactively block the malicious IP addresses.

Of course, no firewall is 100% perfect, but it is better to have a firewall that stops most malicious traffic than to have no firewall at all.

Firewalls are not all the same, and some are much more effective than others.
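The wp-config.php rule and the IP-reputation approach described above, as an added example in Python (not the article's or Wordfence's code): a request filter that normalises URL-encoding before matching, run over a few constructed access-log lines to find the addresses worth blocking. The log lines, patterns and threshold are assumptions for illustration:

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines (common log format); not real traffic.
LOG_LINES = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123
198.51.100.9 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-config.php HTTP/1.1" 403 0
198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:13:55:39 +0000] "GET /../../wp-config%2Ephp HTTP/1.1" 400 0
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [10/Oct/2023:13:55:41 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 0
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns a request-level firewall rule set refuses outright.
BLOCKED_PATTERNS = [
    re.compile(r"wp-config\.php", re.IGNORECASE),            # WordPress secrets file
    re.compile(r"(^|/)\.\.(/|$)"),                           # directory traversal
    re.compile(r"\.(env|git|htaccess)(/|$)", re.IGNORECASE),  # other sensitive dotfiles
]


def normalise_path(path):
    # Decode twice so single and double URL-encoded requests are matched the way
    # the application would eventually see them ("%2E" and "%252E" both become ".").
    return unquote(unquote(path.split("?", 1)[0]))


def is_blocked(path):
    p = normalise_path(path)
    return any(rx.search(p) for rx in BLOCKED_PATTERNS)


def parse_log_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ips_to_block(lines, threshold=2):
    """Return IPs that triggered a blocked pattern at least `threshold` times."""
    hits = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and is_blocked(rec["path"]):
            hits[rec["ip"]] += 1
    return {ip for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for line in LOG_LINES:
        rec = parse_log_line(line)
        print(rec["ip"], rec["path"], "BLOCK" if is_blocked(rec["path"]) else "allow")
    print("ban:", ips_to_block(LOG_LINES))
```

Matching on the raw request string would miss the `%2E` variant, which is the kind of evasion automated scanners try first. Run the same kind of rule in front of the application (Wordfence, CSF's login failure daemon, or web server rules), not after the fact in log analysis, and keep the ban threshold low enough that a scanner is cut off before it reaches anything that matters.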

Summary

Always check that your website is updated and maintained regularly.

Secure your website with reliable firewall software for extra protection against brute force attacks.

Always use strong passwords so they cannot be guessed easily.

Test your website for vulnerabilities to harden it, making it harder for anyone to get in.

Looking for a secure host for your website? Check out our DirectAdmin web hosting.