How to protect a website from hackers
Anyone who owns a website should know that a security breach can happen at any time. But many people don’t know that when websites get cracked, it’s not necessarily to steal data. Often hackers want access to a server to re-route spam or to set up a temporary server for illegal files. Scott Burlington, senior developer at 76design, offers some advice about hackers’ most common points of access and how to keep a website protected.
- The server
Having a dedicated server puts a lot of responsibility in a website owner’s hands compared with using an outsourced hosting provider. For those whose web hosting knowledge may be limited, it’s best to host a site with a trusted hosting provider such as iWeb.com or DigitalOcean.com.
However, even with outsourced hosting, the website owner remains responsible for the backups. This includes making sure the code, database and media are all regularly backed up to protect against losing content in an emergency.
To ensure the custom domain is protected, website owners should use a high-quality Domain Name System (DNS) management service. Scott recommends a service like CloudFlare, which will both improve the speed of the website (via DNS-level caching) and help protect against such things as denial-of-service attacks.
- Website database
The website database is where all site information is stored and may be accessed anytime, anywhere and by any device. Without adequate security, hackers will crack into the database either to steal or to add content to the site. It’s important to lock it down with good user names and restricted access points, such as allowing connections only from certain IP addresses.
If possible, access to the database should be exclusive to the web server to minimize the risk of data being exposed.
- Content management system (CMS)
Those who work in communications have likely used a content management system (CMS) such as WordPress or Drupal. While the CMS helps manage the content that defines the website, Scott says it is a major point of vulnerability.
To ensure the CMS isn’t being tampered with:
- regularly update core software;
- regularly update plugins;
- avoid generic user names like “admin” when possible; and
- always choose secure login passwords.
- Website input forms
Anywhere information is collected from website visitors introduces potential risk. Whether it’s contact forms, polls, user feedback or user registration, here are a few things that can help keep the site protected:
- restrict access to forms to members only;
- use a captcha;
- use techniques to prevent form tampering attacks (CSRF, XSS, code injection); in WordPress this can be done with an appropriate plugin.
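Two of the protections listed above, a CSRF token and escaping of visitor input before it is rendered, are small enough to show directly. The following Python is an added example, not code from the article or from 76design; the session id, server secret and form fields are constructed values, and the token is derived as an HMAC of the session id so it is bound to one visitor and needs no server-side storage.

```python
import hashlib
import hmac
import html
import secrets

# Constructed server-side secret; a real site loads this from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def make_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive a CSRF token bound to the visitor's session.

    Because the token is an HMAC of the session id, a token lifted from one
    session is useless in another, and nothing has to be stored server-side.
    The page embeds this value in a hidden form field.
    """
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def check_csrf_token(session_id: str, submitted, secret: bytes = SERVER_SECRET) -> bool:
    """Validate the token that came back with the form, in constant time."""
    if not isinstance(submitted, str):
        return False
    expected = make_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, submitted)


def render_comment(author: str, body: str) -> str:
    """Escape visitor-supplied text before placing it in HTML so that tags or
    attribute break-outs are displayed literally instead of being interpreted."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def handle_form_post(session_id: str, form: dict) -> tuple:
    """Process a submitted form.

    Returns (status, body): 403 if the CSRF token is missing or wrong,
    otherwise 200 with the escaped HTML fragment that would be shown.
    """
    if not check_csrf_token(session_id, form.get("csrf_token")):
        return 403, "rejected: missing or invalid CSRF token"
    return 200, render_comment(form.get("author", ""), form.get("body", ""))


if __name__ == "__main__":
    sid = "session-abc123"  # constructed session id
    token = make_csrf_token(sid)
    # Legitimate submission: the form the site served carried the token.
    print(handle_form_post(sid, {"csrf_token": token, "author": "alice",
                                 "body": "<script>alert(1)</script>"}))
    # Forged cross-site submission: no token, so it is refused.
    print(handle_form_post(sid, {"author": "mallory", "body": "spam"}))
```

The escaping in `render_comment` covers text placed in element content; a value placed inside a `<script>` block or a URL attribute needs context-specific encoding, which is why the article's advice to lean on a maintained plugin rather than hand-rolled filtering is sound.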
- File upload / transfer
Allowing users to upload files to a website can be a big website security risk, even if it’s as simple as uploading a new avatar. Any uploaded file, however innocent it may look, could contain a virus that could tarnish a company’s reputation and call its legitimacy into question. When the website has a file upload form, consider following these steps:
- disable FTP (plain);
- use SFTP (over SSH);
- ensure you have a firewall set up and are blocking all non-essential ports;
- change the file permission so it can’t be executed;
- or, choose a cloud storage service for file sharing with users.
Ultimately, the recommended solution is to prevent direct access to uploaded files altogether. This way, any files uploaded to your website are stored in a folder outside of the web root or in the database.
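The upload handling described in this section (store outside the web root, strip execute permission, hand files back only through the application) looks like this in practice. This Python is an added example, not code from the article or from 76design; the upload directory, the 2 MiB limit and the set of allowed image types are assumptions, and the file type is decided from the file's leading bytes rather than the name the visitor chose.

```python
import os
import re
import secrets
import tempfile
from pathlib import Path
from typing import Optional

# Assumed layout: uploads live OUTSIDE the directory the web server serves,
# so a visitor can never request an uploaded file by URL.
UPLOAD_DIR = Path(tempfile.mkdtemp())   # stand-in for e.g. /var/www/uploads-private
MAX_BYTES = 2 * 1024 * 1024             # assumed 2 MiB avatar limit

# Allowed types are recognised by their magic numbers, not by extension, so
# "avatar.png" whose contents start with "<?php" is rejected.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

# Only names this module generated itself are ever opened again.
SAFE_NAME = re.compile(r"[0-9a-f]{32}\.(png|jpg|gif)")


def detect_type(data: bytes) -> Optional[str]:
    """Return the extension for a recognised image header, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def store_upload(data: bytes) -> Path:
    """Validate an upload and write it outside the web root.

    Raises ValueError on rejection. The stored name is random, so the
    visitor's filename (which might contain "../") is never used, and the
    file is created with mode 0600: owner read/write only, never executable.
    """
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    ext = detect_type(data)
    if ext is None:
        raise ValueError("unsupported or disguised file type")
    dest = UPLOAD_DIR / (secrets.token_hex(16) + ext)
    # O_EXCL: fail rather than overwrite an existing file.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def is_executable(path: Path) -> bool:
    """True if any execute bit is set on the stored file."""
    return bool(path.stat().st_mode & 0o111)


def read_upload(name: str) -> bytes:
    """Controlled access path: the application, not the web server, returns
    the bytes, and only for names matching the pattern it generates."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("invalid upload name")
    return (UPLOAD_DIR / name).read_bytes()


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64   # constructed minimal PNG-like blob
    stored = store_upload(png)
    print("stored as", stored.name, "executable:", is_executable(stored))
    try:
        store_upload(b"<?php echo 1; ?>")          # disguised script, rejected
    except ValueError as exc:
        print("rejected:", exc)
```

Serving the file back through `read_upload` rather than by URL is what the article's last paragraph recommends: the web server never sees the upload directory, so even a file that slipped past the type check cannot be executed or fetched directly.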
Contact us for expert advice and technical excellence when it comes to website development.