Rarely a day goes by that I don’t come across some website which has been compromised by hackers. This is a concern for everyone of course, but especially for a business that needs to ensure that its website is secure and free of intrusion. As a website designer, I take security very seriously. For this reason I’ve included some of the common exploit concerns that we all should be aware of, and advice on what you can do to fix them.
Keep Your Versions Updated
If you run a CMS, or use PHP scripts on an otherwise static site, install the newest releases and security updates of WordPress, Joomla, etc. promptly, and keep the workstation you manage the site from patched as well (Windows updates and your antivirus platform). Attackers scan the web for sites running versions with known vulnerabilities, so an unpatched install is the most common way a site gets compromised. Check whether your antivirus suite includes a vulnerability scan option; most do. And just as an FYI, many common desktop programs have had their share of vulnerabilities, including QuickTime, MS Word, PowerPoint and Acrobat, so keep those updated too. Whatever else you do, always back up your website, blogs, and database, and do it before applying updates. Most hosting control panels have a backup option, and in many cases the backup can be scheduled automatically as a cron job.
Beef Up Your Passwords
Many people use very simple passwords for their website login, email, etc. Never use “password” or “123456”, a dictionary word, or only letters or only numbers. Always use a combination of letters, numbers and symbols, and where possible use a password generator to produce it. It is also recommended that you don’t use the same username/password for every account (use different ones for your banking and email, your cPanel, and your FTP accounts); this way, if someone does acquire access to one account, they can’t run rampant across all of your accounts.
Lock Down File Permissions
Some programs require a folder permission of “777” during installation, which gives read, write and execute access to everyone on the server. Many people forget to set the permissions back afterward: “755” for folders and “644” for files. Double-check yours in your FTP client or your control panel’s file manager (right-click the folder and choose Properties or Change Permissions). On a shared server a world-writable folder can be written to by any other account on that machine, so this is not a cosmetic detail: it is how a neighbouring compromised account plants a backdoor in your site.
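The check in code, as an added example that is not part of the original post: this Python script walks a web root, reports every directory or file that is still group- or world-writable (the leftover 777 and 666 modes), and with --fix resets directories to 755 and files to 644. The web root path is hypothetical; run it without --fix first to see what it would change.

```python
"""Find and repair loose permissions under a web root (added example)."""
import os
import stat
import sys

DIR_MODE = 0o755                              # rwxr-xr-x: owner writes, others read/enter
FILE_MODE = 0o644                             # rw-r--r--: owner writes, others read
LOOSE_BITS = stat.S_IWGRP | stat.S_IWOTH      # group- or world-writable


def _entries(root):
    """Yield root itself and every path below it."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def audit_permissions(root, fix=False):
    """Return (relative_path, old_mode, wanted_mode) for every entry that is
    group- or world-writable; with fix=True the mode is also corrected."""
    findings = []
    for path in _entries(root):
        st = os.lstat(path)                   # lstat: do not follow symlinks
        if stat.S_ISLNK(st.st_mode):
            continue                          # chmod on a link would change its target
        mode = stat.S_IMODE(st.st_mode)
        if not mode & LOOSE_BITS:
            continue
        wanted = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
        if fix:
            os.chmod(path, wanted)
        findings.append((os.path.relpath(path, root), oct(mode), oct(wanted)))
    return findings


if __name__ == "__main__":
    # "public_html" is a hypothetical cPanel-style web root.
    root = sys.argv[1] if len(sys.argv) > 1 else "public_html"
    for rel, old, new in audit_permissions(root, fix="--fix" in sys.argv):
        print(f"{old} -> {new}  {rel}")
```

Files that must stay executable, such as CGI scripts, need 755 rather than 644; the advice above and this script assume ordinary PHP and static files, which the web server reads but never executes directly.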
Open Redirects
An open redirect is a page on your own site that forwards the visitor to whatever address it is handed in a parameter, for example a login script that sends people back to the URL in ?return= without checking it. Attackers like these because a phishing link can point at your trusted domain and still land the victim on theirs, and search engines may penalise your site for it. So two things matter. First, only link to sites with a good reputation that are not spammy; we all know what happens when we click on a bad link, and a bad link on your site does the same to your visitors under your name. Second, make sure none of your own scripts will redirect to an arbitrary external URL: redirect only to paths on your own site, or to a short list of hosts you control. You can block abuse of an existing redirect script through .htaccess, and Google Webmaster Tools will tell you if your site is being used this way. You can learn more about open redirects at https://googlewebmastercentral.blogspot.com/2009/01/open-redirect-urls-is-your-site-being.html
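The two patterns side by side, as an added example not taken from the post: unsafe_redirect is how an open redirect is created, and safe_redirect_target is one way to fix it, accepting only a path on your own site or an HTTPS URL on an explicitly allowed host. The parameter name and host names are hypothetical. The checks go slightly beyond the post by also covering the browser quirks attackers use to sneak an external host past a naive “starts with /” test.

```python
"""Open redirect: the vulnerable pattern and a safe replacement (added example)."""
from urllib.parse import urlsplit

FALLBACK = "/"   # where to send the user when the requested target is rejected


def unsafe_redirect(return_param):
    """Vulnerable: the user ends up wherever ?return= points, on any host."""
    return return_param


def safe_redirect_target(return_param, allowed_hosts=()):
    """Return return_param only if it is a path on this site or an HTTPS URL
    whose host is in allowed_hosts; otherwise FALLBACK."""
    target = return_param or ""
    # Whitespace and control characters never belong in a redirect target;
    # some parsers strip them, which is how "java\tscript:" gets through.
    if not target or any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return FALLBACK
    try:
        parts = urlsplit(target)
    except ValueError:            # e.g. a malformed IPv6 literal
        return FALLBACK
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative. Browsers read "//host" as scheme-relative and treat
        # a backslash like a slash, so "/\host" is also an external URL.
        if target.startswith("/") and target[1:2] not in ("/", "\\"):
            return target
        return FALLBACK
    # Absolute URL: HTTPS only, host exactly on the allow list, and no
    # userinfo, so that "https://www.example.com@evil.example" is rejected.
    if (parts.scheme == "https" and parts.username is None
            and parts.hostname in allowed_hosts):
        return target
    return FALLBACK
```

If your script only ever needs to return users to your own pages, leave allowed_hosts empty; every external destination then falls back to the site root, which is the behaviour a redirect parameter should have by default.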
Secure FTP Transfers
Where possible, use a secure form of FTP for file transfers; plain FTP sends your username, password and file contents across the network in the clear. Most hosting companies and FTP programs support one of two options: SFTP (file transfer over SSH) or FTPS (FTP over TLS, which older programs still label SSL). The settings are unique to each provider and program, so you will likely need to search for the specifics. On shared hosting the common option is SFTP. You can learn a bit more about this at:
https://forums.glowhost.com/knowledge-base/how-use-ftps-fireftp-cpanel-921.html
https://support.hostgator.com/articles/general-help/ftp/secure-ftp-sftp-and-ftps
Use SSL To Send Emails
If you send sensitive info via email, make sure both the connection to your mail provider and the webmail session are encrypted. Basically you want the webmail address to start with https:// rather than http://, and a desktop mail client should be set to use TLS/SSL for its SMTP and IMAP/POP connections rather than the plain-text ports. Keep in mind this only protects the hop between you and your mail server; the message may still travel unencrypted beyond it. You can learn about securing Gmail at
http://www.quickonlinetips.com/archives/2008/07/secure-https-gmail/
Make Sure Your Web Host Runs PHP Scripts Securely
Under a default PHP setup (mod_php), every script on the server runs as the same web-server user. Your files therefore have to be readable, and often writable, by that shared account, and a script in a neighbouring customer’s account on the same machine can potentially read your configuration files and database password. suPHP and PHPsuExec instead run each script as the account that owns it, so ordinary file permissions actually isolate you from other customers and you can keep your files at 644/755. Not all hosts do this, so it is important to make sure yours does. HostGator (the company I resell from) uses PHPsuExec and suPHP for all of their shared and dedicated servers. You can learn more, and how to test your hosting platform for this, at https://support.hostgator.com/articles/phpsuexec-or-suphp
Beyond Shared Hosting
For larger companies, it may be best to look beyond a shared hosting environment. Shared hosting is less expensive, but it is also less secure: you share the same server, web server process and IP address with many other customers, and a compromise of a neighbouring account can spill over into yours. VPS hosting is the better option because of its separation from other sites. You can run your own firewall, choose your own PHP and web server settings, and install other security measures that most hosts won’t allow on shared accounts.
The list above covers the primary steps I would take, and the easiest to implement for the sake of security. Following are some additional concerns that may or may not be significant to your web presence, but which you should be aware of just the same.
Login Pages:
Login pages for secure member areas need to be encrypted, and that means both the login page and the session after login. It is not enough for the login form to POST to an encrypted URL: if the page containing the form is itself sent over plain HTTP, a malicious security cracker on the network can rewrite it in transit so that the form submits to a server he controls, and the user sees nothing wrong. Likewise, if the session cookie issued after login is ever sent over plain HTTP, it can be captured and replayed to take over the logged-in session without the password; mark it Secure (and HttpOnly) so the browser never sends it in the clear.
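A check for the two requirements above, as an added example that is not part of the post: given the URL a login page was served from, its Set-Cookie headers and its HTML, it reports a page or form action on plain HTTP and a cookie missing the Secure or HttpOnly flag. The response it is run against is constructed for illustration; on a real site you would feed it the headers and body from your own login page.

```python
"""Audit a login page response for HTTPS and cookie flags (added example)."""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> in the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_login_page(page_url, set_cookie_headers, html):
    """Return a list of findings; an empty list means the page passed.

    page_url:           the URL the page was fetched from
    set_cookie_headers: the raw Set-Cookie header values of that response
    html:               the response body
    """
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("login page itself is served over plain HTTP")

    parser = _FormActions()
    parser.feed(html)
    for action in parser.actions:
        # An empty or relative action resolves against the page URL.
        if urlsplit(urljoin(page_url, action)).scheme != "https":
            findings.append(f"form posts over plain HTTP: {action!r}")

    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {name} lacks Secure (will be sent over HTTP too)")
            if not morsel["httponly"]:
                findings.append(f"cookie {name} lacks HttpOnly (readable by page scripts)")
    return findings


if __name__ == "__main__":
    # Constructed example of a weak response.
    for finding in audit_login_page(
        "http://www.example.com/login",
        ["PHPSESSID=abc123; path=/"],
        '<form action="/login" method="post"></form>',
    ):
        print("-", finding)
```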
Data Validation:
Data validation should be done server-side. Many Web forms include some JavaScript validation, but that is a convenience for the user, not a security measure, because it runs on a machine the attacker controls; additional server-side checks are needed for security. JavaScript validation can be circumvented simply by deactivating JavaScript in the browser, using a browser that doesn’t support JavaScript at all, or submitting the request directly with a tool that never loads the page. Never do password checks client-side: this either exposes the passwords (or their hashes) to the end user via the ability to view the page source, or allows the end user to alter the form so that it always reports successful validation.
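Server-side validation for a hypothetical registration form, as an added example that is not part of the post. The function treats the submitted fields as untrusted input from anywhere: it ignores a client-supplied “validated” flag, rejects missing, wrong-typed, oversized or NUL-containing fields, and uses fullmatch rather than a “$” anchor so that a trailing newline cannot slip past the username pattern.

```python
"""Server-side form validation (added example)."""
import re

# Used with fullmatch, not "^...$": a "$" anchor would accept "admin\n".
USERNAME_RE = re.compile(r"[a-z0-9_]{3,20}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
MIN_PASSWORD_LEN = 12
MAX_FIELD_LEN = 256


def validate_registration(form):
    """Validate a POSTed registration form on the server.

    `form` is the decoded request body as a dict. Anything the client says
    about its own validation (e.g. a hidden 'validated=true' field) is
    ignored; every field is re-checked here. Returns {field: message},
    empty when the submission is acceptable."""
    errors = {}

    def text_field(name):
        value = form.get(name)
        # Missing, non-string (e.g. a list from a repeated field), empty,
        # oversized or NUL-containing values are rejected before any
        # pattern runs, so the patterns only ever see sane strings.
        if (not isinstance(value, str) or not value
                or len(value) > MAX_FIELD_LEN or "\x00" in value):
            errors[name] = "missing or invalid"
            return None
        return value

    username = text_field("username")
    email = text_field("email")
    password = text_field("password")

    if username is not None and not USERNAME_RE.fullmatch(username):
        errors["username"] = "3-20 lowercase letters, digits or underscores"
    if email is not None and not EMAIL_RE.fullmatch(email):
        errors["email"] = "not an e-mail address"
    if password is not None and len(password) < MIN_PASSWORD_LEN:
        errors["password"] = f"at least {MIN_PASSWORD_LEN} characters"
    return errors


if __name__ == "__main__":
    # A forged submission: the browser-side checks were skipped entirely,
    # and the client claims they passed.
    print(validate_registration({"username": "x", "email": "nope",
                                 "password": "short", "validated": "true"}))
```

The same rules can live in the page’s JavaScript for instant feedback, but the copy on the server is the one that counts.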
Website Encryption:
For any site with sensitive data (such as ecommerce) strong encryption is needed. While the name is still popular, SSL is no longer the top-of-the-line technology for Web site encryption: SSLv2 and SSLv3 have known weaknesses, and TLS (Transport Layer Security) is their successor. Make sure your server is configured for current TLS versions (1.2 or later) and that the old SSL protocol versions are disabled; the padlock in the browser looks the same either way, but the protocol underneath is what matters.
Connect from Secure Network:
Many people connect to their website from less-than-secure wireless networks, such as open networks at coffee houses, where anyone else on the network can read unencrypted traffic. This matters most whenever you log in to the server or Web site for administrative purposes or otherwise access secure resources. If you must access the Web site or Web server when connected to an unsecured network, tunnel the connection through a secure proxy so that your connection to the secure resource comes from a machine on a network you trust. You can set up a quick and easy one using OpenSSH’s dynamic port forwarding (the -D option), which turns an SSH login to your server into a local SOCKS proxy for your browser, or the equivalent “Dynamic” tunnel setting in PuTTY on Windows.
Login Credentials:
Don’t share login credentials wherever you can avoid it. The more people a credential is shared with, the more chances that it will be acquired by a malicious person, and the harder it is to tell who did what afterwards.
Key-based Authentication:
Use key-based authentication over password authentication for SSH and SFTP access. A password can be guessed or brute-forced from anywhere on the Internet; a private key never leaves your machine and cannot be guessed. Once your key works, disable password logins on the server entirely (where you control the server, as on a VPS) so that automated password-guessing bots have nothing to try. You can learn more here https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-ssh-configuration-keypairs.html
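An added check for the server side of this (not from the post or the linked Red Hat guide): it reads an sshd_config and reports whether password logins are off, key logins are on and root cannot log in with a password. It reproduces a rule that trips people up: sshd uses the first value it sees for each keyword, so a hardening line appended at the bottom of the file is silently ignored if an earlier line already set that keyword. Only the global section is examined, since directives after a Match line apply conditionally. The config text in the test is constructed.

```python
"""sshd_config audit for key-only login (added example)."""
import re

# Values that satisfy the check, and sshd's default when the keyword is absent.
ACCEPTABLE = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
}
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# "Keyword value" or "Keyword=value"; sshd accepts both spellings.
_DIRECTIVE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")


def parse_global_sshd_config(text):
    """Return {keyword: value} for the global section, keeping the FIRST
    value of each keyword, which is the one sshd actually uses. Parsing
    stops at the first Match line because those settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.fullmatch(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)       # first occurrence wins
    return settings


def check_sshd_config(text):
    """Return a list of problems; an empty list means password logins are
    off, key logins are on and root cannot log in with a password."""
    settings = parse_global_sshd_config(text)
    problems = []
    for key, ok in ACCEPTABLE.items():
        actual = settings.get(key, SSHD_DEFAULTS[key]).lower()
        if actual not in ok:
            origin = "set to" if key in settings else "defaults to"
            problems.append(f"{key} {origin} {actual!r}; want {' or '.join(sorted(ok))}")
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as f:
        for problem in check_sshd_config(f.read()):
            print("-", problem)
```

Restart sshd after changing the file, and keep your existing session open until you have confirmed that a fresh key-based login works; locking yourself out of a VPS is the classic way this step goes wrong.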
Maintain a Secure Workstation:
As I noted above, it is important to keep your computer (workstation) secure by installing the latest Windows updates, checking for security vulnerabilities with good antivirus software, etc. The concern is that a compromised workstation will often carry trojans with keyloggers (which record every keystroke you make) and other tricks of the malicious security cracker, giving someone unauthorized access to sensitive data regardless of all the secured networks, encrypted communications and other network protections you employ; an attacker who has your keystrokes has your passwords. Integrity auditing software, which checks that system files have not been altered, is an option many may wish to consider to gain some certainty that your workstation has not been compromised.
Use Redundancy:
Server failures will happen from time to time. Failover systems can reduce outages due to server crashes and shutdowns to brief interruptions in service, but that isn’t the only value of redundancy: the duplicate servers used in failover plans (which most good hosting companies provide) also maintain an up-to-date copy of the server configuration. Backups ensure that data isn’t lost, and it is my recommendation that you back up all of your important content in at least 3 places, at least one of them away from the server itself, since a backup stored next to the site is lost along with it when the server or the account is compromised. Of course, failover and backup solutions must be secured as well (a backup archive contains your database and configuration files, passwords included), and they should be tested regularly by actually restoring from them.
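The backup side of this in code, as an added example that is not part of the post (it also serves the backup advice under “Keep Your Versions Updated”): a Python script that archives the web root together with an exported database dump, records the archive’s SHA-256 beside it, keeps only the newest copies, and can verify an archive later. Paths are hypothetical, and the database dump is taken from a file so that the script has no mysqldump dependency; on a real host the cron job would run mysqldump into that file first.

```python
"""Verifiable site backup with retention (added example)."""
import hashlib
import os
import tarfile
import time


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(webroot, db_dump, dest_dir, keep=7, stamp=None):
    """Write dest_dir/site-<stamp>.tar.gz containing the web root and the
    database dump, record its SHA-256 beside it, delete all but the newest
    `keep` archives (keep >= 1) and return (archive_path, sha256_hex)."""
    os.makedirs(dest_dir, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(dest_dir, f"site-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(webroot, arcname="webroot")                    # recursive
        tar.add(db_dump, arcname=os.path.basename(db_dump))
    digest = sha256_file(archive)
    with open(archive + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(archive)}\n")    # sha256sum -c format
    # Retention: the timestamp sorts lexically, so the oldest come first.
    names = sorted(n for n in os.listdir(dest_dir)
                   if n.startswith("site-") and n.endswith(".tar.gz"))
    for old in names[:-max(keep, 1)]:
        os.remove(os.path.join(dest_dir, old))
        sidecar = os.path.join(dest_dir, old + ".sha256")
        if os.path.exists(sidecar):
            os.remove(sidecar)
    return archive, digest


def verify_backup(archive):
    """True only if the archive still matches its recorded hash and every
    member can be read back; a backup nobody has tested is not a backup."""
    with open(archive + ".sha256") as f:
        recorded = f.read().split()[0]
    if sha256_file(archive) != recorded:
        return False
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                tar.extractfile(member).read()
    return True


if __name__ == "__main__":
    # Hypothetical cPanel-style paths; run from cron after mysqldump has
    # written ~/backups/site.sql.
    home = os.path.expanduser("~")
    path, digest = make_backup(os.path.join(home, "public_html"),
                               os.path.join(home, "backups", "site.sql"),
                               os.path.join(home, "backups"))
    print(digest, path, "verified" if verify_backup(path) else "CORRUPT")
```

Copy each archive and its .sha256 sidecar off the server (a second copy at home, a third with a storage provider) and check them there with sha256sum -c; the hash also tells you whether a copy was tampered with, not just whether it was truncated in transit.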