You may think that your website is not a target for hackers, but all websites are always at risk of hacking. Website security is one of the most neglected aspects of data security. All of us have repeatedly heard the word “hackers” and we are aware of the harm they can inflict on financial institutions, retailers, and other enterprises.
The object of a hackers’ attack can be:
- a small online store;
- a mid-range corporate website
- a landing page or a personal blog;
- any site with a low-security level
Why do hackers hack sites?
The motivation of hackers is apparent:
- Money. Your site can be attacked by order, and it’s not very expensive. Rates start at $ 30, which means someone who is your direct competitor or simply jealous of your success can hire a hacker to damage your site.
- Competition in the search. If you are actively promoting a site in search engines or placing contextual advertising, the so-called “black SEOs,” to “clear” your place in the TOP, you may experience attempts to attack your site.
- Training and skills development. Before making an attack on the Pentagon server site, a novice hacker needs to train. Why not do it on some simple website?
Most website hacks do not plan to steal your data or break down the website. Usually, hackers aim to use your server to send spam or to use a webserver to temporarily store files of illegal content.
Types of website attacks
Attacks and their results can be different:
The principle is quite simple: I provoke the launch of a large number of requests on one page of the site until the site server runs out of resources to process them.
The result is, in simple terms, a “white screen” instead of your site.
Hacking a site
This is a situation where attackers gain access to your site in one way or another. The consequences may be different:
Removing a website in whole or in part
No explanation is needed here.
Placing malicious code (virus) on the resource
This is a sophisticated form of inflicting harm to your site and the business as a whole since your website will gain a bad reputation for spreading viruses, which can be followed by very unpleasant sanctions from search engines and other reputable Internet organizations.
Get access to confidential information: the customers’ database of your online store, their order statistics, and so on.
Making changes to the settings
Alternatively, closing the site from indexing by search engines, in such case, the website may completely disappear from the issuance of Google, Yandex, and other search engines.
When attacking with SQL injection, the attacker uses a web form field or URL parameter to access or manipulate your database.
When you use standard Transact SQL, it’s possible to seamlessly insert fraudulent code into your query so that it can be used to modify tables, retrieve information, or delete data.
A usage of parameterized queries can prevent this type of hack easily.
What to do?
Make backups of your website.
However, no website can be 100% secure, and you should always be prepared for the worst. For this reason, it is important to backup your site regularly; it helps to save time if something goes wrong.
If you set a regular backup for the site your efforts can be saved since your website can be completely restored in just a couple of minutes.
Hide WordPress Version
Hackers know that older versions are the most vulnerable, and often the problems that exist in older versions are well documented, making them the primary targets of attacks.
To find out which version of WordPress the site is using, just look at the site’s code.
Restrict access to the admin panel by IP-address
This excludes access to the management system of your site, even if you have a username and password. Restricting by IP-address allows you to connect to the admin panel only from a particular IP address. Also, get a custom admin panel URL.
This may seem obvious, but updating all the software is vital to maintaining the security of your site. And this applies to both the server’s operating system and any software that you run on your website, for example, CMS or a forum. When a security gap is discovered, hackers quickly begin to attempt attacks.
When using third-party software on the site, for example, CMS or a forum, you need to monitor security patches and regularly apply them. Most manufacturers have newsletters or RSS feeds where they report all security issues. WordPress, Umbraco, and many other CMS notify you of updates every time you log in.
Check error messages
Error messages can give a huge amount of information, so you need to review all your messages. Usually, a form for logging has been used on a website, so you should review the message that you will display on the screen for the user in case of an unsuccessful login attempt.
You should use stock phrases such as “Wrong username or password” and not indicate exactly what the user was mistaken about.
If a hacker tries to pick up a username, and an error message indicates that this field was correct, then he can concentrate on the next area, which simplifies his task.
Use complex passwords
It seems that everyone knows that you need to use complex passwords, but for some reason, people forget that it applies to any situation: not only for emails but for admin panel, etc. Still, it is equally important to require your users to use complex passwords for their accounts.
SHA algorithm helps to keep passwords in encrypted form. When using this safe method to authorize users, you simply compare the encrypted values.
Did I something forget?
If you allow file uploads on your website, it may be really risky; even it is a small picture or changing an avatar. Any uploaded file may contain a script that can be executed on your server. This script usually is a gate to your website.
Opening a file and reading its title or using image size checking functions is not enough. If possible, select a separate server for the database other than the webserver.
In this case, the database server will not be directly accessible from the outside world; only your web server will be able to access it. This means minimizing the risk of data theft.
Finally, remember restricting physical access to your server.
Install SSL certificate
SSL is a protocol used to ensure security when transferring data between a client and a web server or database over the Internet.
Attackers can listen to a communication channel and, if it’s not safe, intercept the transmitted information and use it to gain access to user accounts and personal information. SSL certification enables you to prevent third parties from intercepting sensitive data.
Use website verification tools
When you think that you have already done everything possible, it is time to test the security system of your site. The most effective way to do this is to use site verification tools, also known as penetration tests or pen tests.
There are many commercial as well as free products available for this. They work according to a scheme similar to hacker scripts, using all known exploits and trying to hack your site using one of the methods described above, for example, SQL injection.
Some free tools to check your website security
Netsparker (free trial available). Suitable for testing for SQL injection and XSS
OpenVAS. Positions itself as the most advanced open source security scanner. Suitable for testing for known vulnerabilities.
Automated test results can be intimidating, as they show all kinds of potential threats. An important point is to work primarily on the most critical areas.
I hope our tips will help you keep your site and the information it contains safe.
Fortunately, many CMSs have enough built-in security tools, but it’s still good to know about the most popular security threats to ensure that you know how to prevent them.