As a website owner, what could be more terrifying than the thought of seeing all of your work altered or entirely wiped out by a nefarious hacker? Hacking is regularly performed by automated scripts written to scour the internet in an attempt to exploit known website security issues in software. So, even if you don’t think your website has information worth hacking, you should make sure it is secure. Here are some tips to help keep you and your website secure.
It may seem obvious, but many people forget or hold off on updating. Keeping all of your software up to date is vital if you want your site to stay secure. This applies to your server operating system and to all software you run on your website. If there are any security holes in your software, you can count on hackers to find and abuse them.
If you don’t already have HTTPS, it is highly advisable that you start using it now – especially if your website shows or collects private information such as logins or banking details. On a website using HTTPS, users will know straight away that they are protected.
Implementing HTTPS on your website is no longer as tricky or expensive as it once was. Many hosting platforms offer free SSL certificates with new domains; otherwise, you can get one from Let’s Encrypt. As a further incentive, Google have stated that they will boost your rankings if you use HTTPS. Insecure HTTP is on its way out, and now’s the time to upgrade.
We all know that it’s good practice to use complex passwords, but not everyone does. It is crucial to use strong passwords for your server and admin logins, but it is also important to insist that your users follow the same password practices for their accounts.
Any stored passwords should be hashed rather than kept in plain text, preferably using a one-way hashing algorithm such as SHA. This means that when you are authenticating users you are only ever comparing hashed values, never the passwords themselves. For extra website security you should salt the passwords, using a new random salt for each password. Hashed passwords limit the damage of a database leak, as reversing them is not possible – the best someone could do is guess every combination until finding a match. Salting also makes cracking a large number of passwords at once far harder, as every guess has to be hashed separately for every salt.
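Here is an added example (not code from the original post) of the approach described above in PHP. It uses PHP’s built-in password_hash() and password_verify() rather than a bare SHA digest: these use a dedicated password hashing algorithm (bcrypt by default), generate a fresh random salt for every password and embed that salt in the stored string, so no separate salt column is needed. The sample password is constructed for the demo.

```php
<?php
// Added example (not from the original post): storing and checking
// passwords with PHP's password_hash()/password_verify(). The sample
// password below is constructed for this demo.

function storePassword(string $plaintext): string
{
    // PASSWORD_DEFAULT is bcrypt at present. A random salt is generated
    // internally and stored as part of the returned string, so every
    // call produces a different hash for the same password.
    return password_hash($plaintext, PASSWORD_DEFAULT);
}

function checkPassword(string $plaintext, string $storedHash): bool
{
    // Re-hashes the candidate with the salt embedded in $storedHash and
    // compares the result; only hashed values are ever compared.
    return password_verify($plaintext, $storedHash);
}

$password = 'correct horse battery staple';

$hash1 = storePassword($password);
$hash2 = storePassword($password);

// Same password, two different stored values: the per-password salt at work.
echo "hash 1: {$hash1}\n";
echo "hash 2: {$hash2}\n";
var_dump($hash1 !== $hash2);

// Authentication compares hashes, never plaintexts.
var_dump(checkPassword($password, $hash1));
var_dump(checkPassword('wrong password', $hash1));

// If PHP's default algorithm or cost changes after an upgrade, rehash
// transparently the next time the user logs in with the correct password.
if (password_needs_rehash($hash1, PASSWORD_DEFAULT)) {
    $hash1 = storePassword($password);
}
```

Because the salt and algorithm parameters travel inside the hash string, a users table only needs one column for the stored value, and a stolen table still forces an attacker to run every guess separately against every row.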
An SQL injection happens when an attacker uses a web form field or URL parameter to gain access to or manipulate your database. Building SQL statements by pasting user input into the query text makes it easy to let rogue code in unknowingly, which could be exploited to read information or to change and delete data. This is easily prevented by using parameterised queries, which are simple to implement. Here’s an example.
Consider this query:
"SELECT * FROM table WHERE column = '" + parameter + "';"
An attacker could change the URL parameter to pass in ' or '1'='1 as below:
"SELECT * FROM table WHERE column = '' OR '1'='1';"
Because '1'='1' is always true, the condition now matches every row, and the attacker is able to add further SQL to the end of the statement.
You could fix this query by explicitly parameterising it. For example, if you’re using PDO in PHP this should become:
// The SQL text contains only a placeholder; the value is sent separately
$stmt = $pdo->prepare('SELECT * FROM table WHERE column = :value');
// The driver binds the value as data, so it can never be read as SQL
$stmt->execute(array('value' => $parameter));
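To see the difference in practice, the following added example (not code from the original post) runs the vulnerable concatenated query beside its parameterised PDO replacement against an in-memory SQLite database, so it works offline. The table, rows and function names are constructed for the demo.

```php
<?php
// Added example (not from the original post): vulnerable string
// concatenation beside the parameterised PDO version, run against an
// in-memory SQLite database. The users table and its rows are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Vulnerable: the parameter is pasted straight into the SQL text, so any
// quote characters in it become part of the statement.
function findUserVulnerable(PDO $pdo, string $parameter): array
{
    $sql = "SELECT * FROM users WHERE username = '" . $parameter . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the SQL text holds only a placeholder and the value is bound
// separately, so it is always treated as data, never as SQL.
function findUserSafe(PDO $pdo, string $parameter): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = :value');
    $stmt->execute(['value' => $parameter]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The same input the post discusses: it closes the quoted string and adds
// an always-true condition.
$injected = "' OR '1'='1";

echo count(findUserVulnerable($pdo, 'alice')), " row(s) for a normal lookup\n";
echo count(findUserVulnerable($pdo, $injected)), " row(s) when the condition is forced true\n";
echo count(findUserSafe($pdo, $injected)), " row(s) with the parameterised query\n";
```

With the injected input, the concatenated query returns every user because the WHERE clause has become `username = '' OR '1'='1'`, while the parameterised query looks for a user literally named `' OR '1'='1` and returns nothing.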
You should be careful about how much information is put into your website’s error messages. Don’t provide full exception details; show your users only minimal errors. This ensures that you don’t leak secrets present on your server, such as API keys or database passwords, and it makes attacks like SQL injection far more difficult to carry out. Be sure to show users only the information they need and keep the more detailed errors in your server logs.
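One way to put this into practice in PHP, as an added example that is not code from the original post: a global exception handler writes the full details to the server log and shows the user only a generic message with an opaque reference they can quote to support. The log path and the failing operation are constructed for the demo.

```php
<?php
// Added example (not from the original post): log full exception details
// server-side and show users a generic message. The log path and the
// failure below are constructed for this demo.

ini_set('display_errors', '0');   // never echo raw PHP errors to the browser
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/myapp/php_errors.log');   // assumed path

function handleException(Throwable $e): void
{
    // An opaque reference ties the user's report to the log entry without
    // revealing anything about the failure itself.
    $reference = bin2hex(random_bytes(8));

    // Full detail (class, message, file, line, trace) goes to the server
    // log only. A raw PDO message can contain usernames, hosts and schema
    // details that must not reach the browser.
    error_log(sprintf(
        "[%s] ref=%s %s: %s in %s:%d\n%s",
        date('c'),
        $reference,
        get_class($e),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine(),
        $e->getTraceAsString()
    ));

    // The user sees nothing about the server's internals.
    http_response_code(500);
    echo "Something went wrong. Please try again later. Reference: {$reference}\n";
}

set_exception_handler('handleException');

// Constructed failure standing in for a real database error. The message
// imitates the kind of detail a driver would include.
throw new RuntimeException(
    "SQLSTATE[HY000] [1045] Access denied for user 'app'@'10.0.0.5' (constructed message)"
);
```

The same pattern applies to validation and lookup failures: decide on the handful of messages users legitimately need (for example, "invalid username or password") and route everything else through the log with a reference.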
If you would like some advice regarding your website security, please don’t hesitate to contact us.