Maybe you don’t think your site is of interest to hackers? Well, that’s wrong! This is because hackers do not want to attack your specific website but all those who are vulnerable to their attacks. How do they do ? Hackers are therefore looking for a security breach in order to develop it, program it and launch a script that will browse the Internet. The latter will thus infect all poorly protected Internet sites that they find in their path. Stubborn hackers can also install a malicious file or a cookie on attacked websites. If these sites do not improve their security when resetting, they will notify the hacker and the script will return to affect the site.
To avoid falling into the hacker’s net, here are our six tips to help keep your website safe.
1. Keep the software up to date
It might sound obvious, but making sure you keep all software up to date is vital to keeping your site secure. This update applies to both the server operating system and the software you use on your website, such as a CMS or a forum. When website security holes are found in software, hackers are quick to try to abuse them.
If you are using third-party software on your website such as a CMS or a forum, you should make sure to apply security patches promptly. Most providers have a mailing list or RSS feed detailing their website security concerns. WordPress, Umbraco, and many other CMSs notify you of available system updates when you log in.
2 Using HTTPS
HTTPS is a protocol used to provide security on the Internet. The HTTPS prevents Man In the Middle type attacks where a third party stands between your visitor and your site to retrieve a copy of the information your visitors send you (credit card number or identifiers). If you have confidential information from your users, you are strongly advised to use HTTPS.
HTTPS is also a good point for Google and therefore for your SEO. The search engine thus boosts the rankings of websites that use HTTPS. Plus, HTTP is about to disappear … now is the time to update it!
3 Check your passwords
Everyone knows we need to use strong passwords, but that doesn’t mean we always do. It is crucial to use strong passwords for your server and the administration area of your website. It is also important to emphasize good password practices for your users to protect the security of their accounts.
Hackers use different methods to try to gain access to your accounts and those of your users. The most basic way is to manually type letters, numbers and symbols to guess your password. The most advanced method is to use what is called a “brute force attack”. In this technique, a computer program goes through all possible combinations of letters, numbers, and symbols as quickly as possible to crack your password. The longer and more complex your password, the longer this process. Three-character passwords take less than a second to crack.
Long passwords are therefore the best. The more they understand words or phrases with no particular meaning, the better they are. Combinations of letters that are not in the dictionary, unfamiliar expressions or with poor grammar are the most difficult to crack. Also, do not use sequential characters on a keyboard, such as numbers in sequence or the widely used “qwerty”. Randomly mix symbols and numbers with letters. You can substitute a zero for the letter O or @ for the letter A, for example.
Use unique passwords for each account. When hackers carry out large-scale hacks, they gain access to lists of email addresses and their passwords. If your email account has the same password as those of other sites, your information can then be easily used by hackers.
Finally, think about two-factor authentication . Two passwords secure better than one! Consider installing Google Authenticator .
4 beware of error messages
Pay attention to the amount of information you give in your error messages. Provide only a minimum of errors to your users, to make sure that they do not divulge secrets on your server (for example, API keys or database passwords). Also, don’t provide full details about exceptions, as they can make attacks like SQL injection complex. Keep detailed errors in your server logs and show users only the information they need.
5 Avoid file downloads
Allowing users to upload files to your website can pose a great security risk to your website. The risk is that any downloaded file, no matter how innocent it may seem, could contain a script that, when executed on your server, completely opens your website.
If you allow users to upload images, you cannot rely on the file extension or mime type to verify that the file is an image because these can easily be tampered with. Even opening the file and reading the header, or using functions to check the image size are not foolproof. Most image formats allow storing a comments section which could contain PHP code which could be executed by the server.
6 Get security tools for your website
Once you think you’ve done all you can, it’s time to test your website’s security. The most effective way to do this is to use certain website security tools. There are plenty of free products to help you do this. They work on a similar basis to hacker scripts in that they test for all known viruses and attempt to compromise your site using some of the methods such as SQL Injection.