Phone: 952-255-8599


Email: tj@wpmarket.net

The ultimate website security guide

Do you remember those ugly HTML-based sites which were impenetrable, because they didn't include any forms, databases, and so on? I don't, because I was only a kid back then :)


However, as web developers have invented more and more useful technologies that have made the world wide web a much better place, hackers have found new ways of attacking their targets. I'd like to tell you that you'll be able to prevent all the attacks on your own, but if you aren't into IT security, you will need to work with a web security consultant. Here's how you can make sure that your site can withstand most attacks, though.


1. Validate all inputs


Don't ever assume that your site is only going to receive well-behaved visitors. If the user is supposed to input a number in a specific form field, make sure that any other strings are rejected. And if that field is supposed to be used for a phone number, ensure that its length is exactly 10 characters.


If your site allows people to upload attachments, be sure to limit their type to .doc, .psd or whichever other file formats you actually expect to receive. Also, keep the maximum size of uploaded files to a minimum; many cyber criminals craft and upload huge files that lead to database errors, buffer overruns, and so on.


Run these checks client-side, in the user's browser, as well as server-side. The client-side checks only improve usability; the server-side checks are the ones that actually protect you, because a hacker will often have plenty of tools which allow him to intercept and then alter the data that's sent from the client (browser) to the server.


2. Prevent users from running SQL queries


Structured Query Language (SQL) is a programming language whose goal is to manage information in a database. Whenever you log into your favorite social media site, the server runs a SQL query which interrogates the user database, trying to find a matching user/password combination. Then, if that user/pass pair is valid, the user is allowed to log in.


However, a hacker can attempt to insert his own SQL instruction into the password field, using an instruction that looks like this:


AND PASSWORD="123" OR "1"="1"


If you know a bit of coding, you can see that this condition is satisfied when the password is set to "123" (which is probably not the case) OR when 1 = 1, which happens to be true all the time. So, even though the hacker doesn't know the user's password, he manages to inject his own SQL code into the query string, triggering an "SQL injection".


As you can imagine, most cyber villains will try to log in using an admin account, because that will give them superpowers: the ability to create new users, change passwords, ban existing users, etc. To stay on the safe side, don't ever build SQL queries by gluing strings together, with user input as one of those strings. And if your web app runs using PHP, make sure to utilize prepared statements: compiled SQL templates whose structure is fixed and which can only be customized through variable parameters.
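To show the difference in practice, here is an added example (not code from the original article) using Python's built-in sqlite3 module and a constructed in-memory user table. The injected password is the page's OR 1=1 trick written with single quotes, which is how SQLite expects string literals; the vulnerable login glues strings together, the safe login uses a parameterized (prepared) statement.

```python
import sqlite3


def make_db():
    # Constructed sample database: one user, plaintext password for the demo only.
    # A real application compares password hashes, never plaintext.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Query built by combining strings: whatever the user typed becomes SQL.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn, username, password):
    # Prepared statement: the SQL template is fixed, the input is only ever data,
    # so quotes and OR clauses in the password are compared literally.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# The page's "OR 1=1" payload, constructed for the demo:
# the vulnerable query becomes ... AND password = '123' OR '1'='1'
INJECTION = "123' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, wrong password :", login_vulnerable(db, "admin", "123"))
    print("vulnerable, injected       :", login_vulnerable(db, "admin", INJECTION))
    print("prepared, injected         :", login_prepared(db, "admin", INJECTION))
```

Run it and the vulnerable login accepts the injected password while the prepared one rejects it; only the real password passes the prepared check.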


3. Don't allow cross-site request forgeries (CSRF)


Sometimes innocent users may harm a site without even knowing about it, because their browsers send commands which were initiated by hackers. Basically, the user is logged into a site which trusts him, and a page controlled by the hacker makes the user's browser send HTTP requests to that site, even though those requests don't originate from the site itself.


By making use of this method, cyber criminals can trigger illicit money transfers, for example. To fix the issue for good, the code behind the website needs to verify that each HTTP request which changes something really originated from your own site, not from a page the attacker controls (anti-CSRF tokens and origin checks are the usual ways of doing this).


4. Stop cross-site scripting attacks (XSS)


This type of attack allows hackers to inject client-side scripts into web pages. Often, villains trigger XSS attacks by getting a small piece of JavaScript code stored on somebody else's website, where it runs in the browsers of everyone who views the page. To keep your site safe, be sure to sanitize user input and escape it before it is displayed. If you know how to code, there are lots of well-built libraries that can do that for you. For extra protection, don't allow users to upload content to your site unless you really need to.


As you can see, it's not easy to keep your site safe these days. Fortunately, you can find qualified people like me, who can help make your site impenetrable :)

LET AN EXPERT HANDLE YOUR WEBSITE'S SECURITY PROBLEMS

I FIX ALL ISSUES AND PREVENT THEM FROM APPEARING AGAIN

CONTACT ME