6 steps to secure your website
Maybe you think your site doesn’t interest hackers? Well, that’s not true! Indeed, hackers do not want to attack your particular website but all those who are vulnerable to their attacks. How do they do it? Hackers are looking for a security vulnerability to develop it, program it and launch a script that will go through the Internet.
The latter will thus infect all the poorly protected websites they find in their path. Tenacious, hackers can also install a malicious file or a cookie on attacked websites. If these sites have not improved their security when they are reset, they will notify the hacker and the script will return to affect the site. To avoid falling into the nets of hackers, here are six tips to help you maintain your website safely.
1 Keep the software up to date.
This may seem obvious, but keeping all software up to date is vital to keep your site secure. This update applies to both the server operating system and the software you use on your websites, such as a CMS or forum. When website security breaches are found in software, hackers are quick to try to abuse them.
If you use third-party software on your websites such as a CMS or forum, you must ensure that you quickly apply security patches. Most providers have a mailing list or RSS feed detailing security issues on their website. WordPress, Umbraco, and many other CMS inform you of system updates available when you log in.
2 Using HTTPS
HTTPS is a protocol used to ensure Internet security. HTTPS prevents Man In the Middle attacks where a third party entity is placed between your visitor and your site to retrieve a copy of the information sent to you by your visitors (credit card number or credentials). If you have confidential information from your users, it is strongly recommended to use HTTPS.
HTTPS is also a good point for Google and therefore for your SEO. The search engine thus boosts the rankings of websites that use HTTPS. Moreover, HTTP is about to disappear… now is the time to update it!
3 Check your passwords
Everyone knows that complex passwords must be used, but that does not mean that we always do it. It is crucial to use strong passwords for your server and website administration area. It is also important to emphasize good password practices for your users to protect the security of their accounts.
Hackers use different methods to try to access your accounts and those of your users. The most basic way is to manually type letters, numbers, and symbols to guess your password. The most advanced method is to use what is called a “brute force attack”. In this technique, a computer program goes through all possible combinations of letters, numbers, and symbols as quickly as possible to break your password. The longer and more complex your password, the longer this process takes. Three-character passwords take less than a second to crack.
Long passwords are therefore the best. The more words or expressions that have no particular meaning, the better they are. Letter combinations that are not in the dictionary, unknown expressions or expressions with poor grammar are the most difficult to crack. Do not use sequential characters on a keyboard, such as numbers in order or the widely used “azerty”. Randomly mix symbols and numbers with letters. You can substitute a zero for the letter O or @ for the letter A, for example.
Use unique passwords for each account. When hackers engage in large-scale hacking, they have access to lists of email addresses and passwords. If your email account has the same password as those of other sites, your information can then be easily used by hackers.
Finally, think about double authentication. Two passwords are better than one! Remember to install Google Authenticator.
4 Beware of error messages
Pay attention to the amount of information you give in your error messages. Provide only a minimum of errors to your users, to ensure that they do not disclose secrets on your server (for example, API keys or database passwords). Also, do not provide complete details on exceptions, as they can make attacks complex, such as SQL injection. Keep detailed errors in your server logs and show users only the information they need.
5 Avoid file downloads
Allowing users to upload files to your website can pose a significant security risk to your website. The risk is that any downloaded file, as innocent as it may seem, may contain a script that, once executed on your server, completely opens your website.
If you allow users to upload images, you cannot rely on the file extension or mime type to verify that the file is an image because they can easily be falsified. Even opening the file and reading the header, or using functions to check the size of the image, are not infallible. Most image formats allow you to store a comment section that could contain PHP code that could be executed by the server.
6 Getting security tools for your website
Once you think you’ve done everything you can, it’s time to test the security of your website. The most effective way to do this is to use some website security tools. There are many free products to help you do this. They work on a similar basis to hacker scripts in that they test all known viruses and try to compromise your site by using some of the methods such as SQL Injection.
Some free tools worth consulting: Netsparker, OpenVAS or SecurityHeaders.io