Making your website live is like unlocking the door to your premises with your office and safe open: most of the people who visit your physical building will never even know that all of your data is there to discover just by walking in. Occasionally you will find someone with malicious intent who will walk in and steal your data. That is why you have locks on doors and safes.
Your website is just the same, except that you will never see anyone come in unless you have protection systems in place. Electronic thieves are invisible and fast, searching your website for details of customers’ accounts, especially their credit card information. Depending on your jurisdiction, you have a legal obligation to protect this data from theft and to report security breaches that occur.
Theft is not the only thing on the mind of a hacker: Sheer destruction is a major motivator. Hackers may want to destroy all your records, put a sick message on your customers’ screens or just destroy your reputation.
You can never fully undo the damage done by a hacker, but you can take steps to prevent it. Even the most basic protection will discourage many hackers enough to make them go looking for easier pickings elsewhere. Thieves are likelier to steal from people who leave their doors unlocked.
You may not think your site has anything worth being hacked for, but websites are compromised all the time. The majority of website security breaches are not attempts to steal your data or deface your website but attempts to use your server as an email relay for spam, or to set up a temporary web server, normally to serve files of an illegal nature.
Hacking is regularly performed by automated scripts written to scour the Internet in an attempt to exploit known website security issues in software. Here are our top tips to help keep you and your site safe online.
1. Stay updated: You need to stay up to date with hacking threats. If you have at least a basic knowledge of what is possible then you can protect your website against it. Follow updates at a tech site such as The Hacker News, and subscribe to the security announcements of the software you actually run, since those tell you when a fix exists. Use the information you gain to put fresh precautions in place when necessary.
2. Toughen up access control: The admin level of your website is an easy way into everything you do not want a hacker to see. Enforce user names and passwords that cannot be guessed, and add a second login factor where your platform supports it. Changing the default database table prefix from “wp_” to something random removes an easy target for scripted attacks, but treat it as obscurity only: an attacker who reaches the database through an injection flaw can still list the table names. Limit the number of login attempts within a certain time, and apply the same limit to password resets, because email accounts can be hacked as well. Never send login details by email, in case an unauthorized user has gained access to the account.
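As an added illustration of the access-control points above (this is example code, not from the post or any CMS), here is a small Python login throttle in the shape a practitioner would build: a sliding window of failures kept per account and per source address with a lockout, a minimum-length and deny-list password check, and salted PBKDF2 hashing for stored credentials. The limits, iteration count and deny-list are assumptions chosen for the example; the same throttle keys are meant to be applied to the password-reset endpoint, as the tip suggests.

```python
"""Login throttling with a sliding window and lockout, plus salted password
hashing. Added example; the policy numbers are assumptions, not from the post."""
import hashlib
import hmac
import os
from collections import defaultdict, deque

MAX_FAILURES = 5         # failures tolerated per key inside one window (assumption)
WINDOW_SECONDS = 900     # sliding-window length (assumption)
LOCKOUT_SECONDS = 900    # lock duration once the limit is hit (assumption)
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 200_000  # tune upward for production hardware
# Constructed stand-in for a real breached-password list.
WEAK_PASSWORDS = {"password", "admin123", "letmein", "qwerty123", "welcome1"}


def password_acceptable(password):
    """Reject short passwords and anything on the deny-list (case-insensitive)."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in WEAK_PASSWORDS


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as 'salthex$digesthex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Verified against when the username does not exist, so unknown and known users
# cost the same time and the login form does not reveal which accounts exist.
DUMMY_HASH = hash_password("not-a-real-password-just-for-timing")


class LoginThrottle:
    """Counts failures per key (account name or client IP) inside a sliding window.
    Reaching MAX_FAILURES locks the key for LOCKOUT_SECONDS. The caller supplies
    `now` (seconds) explicitly, which keeps the policy deterministic and testable."""

    def __init__(self):
        self._failures = defaultdict(deque)
        self._locked_until = {}

    def is_locked(self, key, now):
        return self._locked_until.get(key, 0.0) > now

    def record_failure(self, key, now):
        window = self._failures[key]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()          # drop failures that fell out of the window
        window.append(now)
        if len(window) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            window.clear()

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(throttle, users, username, password, client_ip, now):
    """Returns 'locked', 'denied' or 'ok'. Both the account and the source address
    are throttled: one address cannot spray many accounts, and many addresses
    cannot hammer one account. A password-reset endpoint should call
    record_failure on the same keys for every request it handles."""
    keys = ("user:" + username, "ip:" + client_ip)
    if any(throttle.is_locked(k, now) for k in keys):
        return "locked"
    stored = users.get(username)
    ok = verify_password(stored if stored is not None else DUMMY_HASH, password) and stored is not None
    if not ok:
        for k in keys:
            throttle.record_failure(k, now)
        return "denied"
    for k in keys:
        throttle.record_success(k)
    return "ok"
```

The lockout is keyed on both the account and the client address, and a failed attempt is counted before the caller learns the result, so an unknown username and a wrong password look the same from outside.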
3. Update everything: Updates cost software companies money, so they are rarely issued without a reason, yet many people who use the software do not install them immediately. If the reason behind the update is a security vulnerability, delaying it exposes you to attack in the interim: a patch is also a public description of the flaw it fixes. Hackers can scan thousands of websites an hour looking for vulnerabilities that will allow them to break in, and exploit details circulate quickly, so if one hacker knows how to get into a program then hundreds will know as well. This applies to the CMS, its plugins and themes, and the server software underneath them.
4. Tighten network security: Computer users in your office may be inadvertently providing an easy access route to your website servers. Ensure that:
- Logins expire after a short period of inactivity.
- Passwords are changed promptly whenever a compromise is suspected (forced periodic rotation mostly produces predictable variants of the old password).
- Passwords are strong, unique to each account, and never written down where others can read them; a password manager is the practical way to achieve this.
- All devices plugged into the network are scanned for malware each time they are attached.
Ever since I founded my hosting company, we have had to watch our network security on a minute-by-minute basis so as not to be hacked.
5. Install a web application firewall: A web application firewall (WAF) can be software or hardware based. It sits between your website server and the data connection and inspects every request passing through it.
Most modern WAFs are cloud based and provided as a plug-and-play service for a modest monthly subscription fee. The cloud service is deployed in front of your server, where it serves as a gateway for all incoming traffic. Once installed, a web application firewall blocks requests that match known attack patterns and also filters out other unwanted traffic, such as spammers and malicious bots. This is a great way to avoid getting hacked like Craigslist. It is not complete peace of mind, though: a WAF matches patterns, so a novel or obfuscated request can get past it, and it is a layer in front of the application’s own flaws rather than a substitute for fixing them.
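To make concrete what inspecting every request means, and why it is not complete peace of mind, here is an added example of a toy request filter in Python in the style of a WAF. It is not the post’s code or any vendor’s product; the rules and the sample request lines are constructed for illustration, and a real rule set such as the OWASP Core Rule Set is far larger. It decodes each parameter (twice, because attackers double-encode), collapses whitespace, and matches a handful of patterns.

```python
"""Toy request filter in the style of a WAF. Added example; rules and
sample requests are constructed and not taken from any product."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed rules: (name, pattern). Real rule sets run to thousands of entries.
RULES = [
    ("sqli_tautology", re.compile(r"(?i)\bor\b\s+\S+\s*=\s*\S+")),     # ' or 1=1--
    ("sqli_union", re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b")),
    ("xss_script_tag", re.compile(r"(?i)<\s*script\b")),
    ("path_traversal", re.compile(r"\.\.[/\\]")),
]


def normalise(value):
    """Percent-decode up to twice (double encoding such as %2527 is a classic
    way past single-decode filters) and collapse runs of whitespace."""
    current = value
    for _ in range(2):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return " ".join(current.split())


def inspect_request(request_line):
    """Takes an HTTP request line such as 'GET /search?q=x HTTP/1.1' and
    returns (decision, matched_rule_names) where decision is 'allow' or 'block'.
    Only the path and query are examined; a real WAF also reads headers and body."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    # parse_qs already percent-decodes once; normalise() handles a second layer.
    values = [parts.path]
    for param_values in parse_qs(parts.query, keep_blank_values=True).values():
        values.extend(param_values)
    hits = []
    for value in values:
        candidate = normalise(value)
        for name, pattern in RULES:
            if pattern.search(candidate) and name not in hits:
                hits.append(name)
    return ("block" if hits else "allow"), hits
```

Against the constructed request GET /search?q=%27%20or%201%3D1-- HTTP/1.1 the filter returns ('block', ['sqli_tautology']), and the double-encoded form %2527%2520or%25201%253D1-- is caught the same way because of the second decode. The line GET /search?q=1%27/**/or/**/1%3D1-- HTTP/1.1, where SQL comments stand in for the spaces, comes back as ('allow', []) because the rule expected whitespace after "or". That gap is the caveat above in miniature: the WAF shrinks what scripted attacks can reach, and fixing the injection in the application is what closes it.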
6. Install security applications: While not as effective as a full-blown WAF, there are free and paid-for security applications that you can install that will make life a bit more difficult for hackers. Even some free plugins, such as Acunetix WP Security, can provide an additional level of protection by hiding the identity of your website’s CMS. That makes you more resilient against automated hacking tools that scout the web looking for WordPress sites of a specific build and version with one or more known vulnerabilities. Hiding the version only defeats scanners that key on the version string; a tool that probes for the vulnerable behaviour directly is unaffected, so this complements patching rather than replacing it.
7. Hide admin pages: You do not want your admin pages to be indexed by search engines, so use the robots text file to discourage search engines from listing them. If they are not indexed they are harder for casual attackers to find. Bear in mind that robots.txt is a public file that itself lists the paths you want kept quiet, and it stops nobody who requests the URL directly, so pair it with access controls on the admin path (authentication, or restricting it to known IP addresses) rather than relying on it alone. This tutorial from SEObook.com is all the help you will need.
8. Limit file uploads: File uploads are a major concern. No matter how thoroughly the system checks them, bugs can still get through and hand a hacker access to your site’s data, typically by getting the server to execute an uploaded file as a script. The best solution is to prevent direct access to any uploaded files: store them outside the web root, give them names you generate rather than the names the client supplied, and serve them through a script that looks the file up rather than building a path from user input. Your web host will probably help you to set this up.
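Here is an added Python example of that arrangement (not the post’s code, and not tied to any particular host’s setup): uploads are typed by their leading bytes rather than by the client’s filename, written under a random server-chosen name in a directory the web server does not serve, and handed back only through a download function that looks an opaque token up in a registry. The storage directory, size limit and magic-byte table are assumptions made for the example.

```python
"""Upload handling that keeps files outside the web root and serves them only
through code. Added example; the storage directory, size limit and magic-byte
table are assumptions, not taken from the post."""
import os
import re
import secrets
import tempfile

# Storage location the web server never serves directly. Assumption: a temp dir so
# the example runs anywhere; in production, a dedicated path outside the web root.
UPLOAD_ROOT = os.path.join(tempfile.gettempdir(), "app-uploads-example")
MAX_BYTES = 5 * 1024 * 1024  # assumption

# Accepted types, recognised by their leading bytes, never by the client's filename
# or Content-Type header (both are attacker-controlled).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png", ".png"),
    (b"\xff\xd8\xff", "image/jpeg", ".jpg"),
    (b"%PDF-", "application/pdf", ".pdf"),
]

_registry = {}  # opaque token -> (disk path, content type, safe download name)


def detect_type(data):
    """Return (content_type, extension) from magic bytes, or None if not allowed."""
    for magic, ctype, ext in MAGIC:
        if data.startswith(magic):
            return ctype, ext
    return None


def safe_download_name(original_name):
    """Keep only a conservative character set so the name cannot inject headers."""
    base = os.path.basename(original_name.replace("\\", "/"))
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base)[:100]
    return cleaned or "download"


def store_upload(original_name, data):
    """Validate the bytes, write them under a random server-chosen name, and return
    an opaque token. The client's filename never becomes part of the path."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    detected = detect_type(data)
    if detected is None:
        raise ValueError("unsupported or disguised file type")
    ctype, ext = detected
    os.makedirs(UPLOAD_ROOT, exist_ok=True)
    token = secrets.token_urlsafe(16)
    path = os.path.join(UPLOAD_ROOT, token + ext)
    with open(path, "wb") as fh:
        fh.write(data)
    _registry[token] = (path, ctype, safe_download_name(original_name))
    return token


def stored_path(token):
    """Disk location for a token (for checks and clean-up); it is not a web path."""
    return _registry[token][0]


def serve_download(token):
    """The only read path. Looks the token up in the registry instead of building a
    filesystem path from user input, so '../' style values simply miss.
    Returns (status, headers, body) as a plain tuple for clarity."""
    entry = _registry.get(token)
    if entry is None:
        return 404, {}, b""
    path, ctype, name = entry
    with open(path, "rb") as fh:
        body = fh.read()
    headers = {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",              # browser must not re-guess the type
        "Content-Disposition": 'attachment; filename="' + name + '"',
        "Content-Security-Policy": "default-src 'none'",  # inert even if the bytes were HTML-ish
    }
    return 200, headers, body
```

A PHP web shell renamed to shell.png is rejected on its content, a path-traversal value passed as a token returns 404 because nothing is ever looked up on disk by that string, and the nosniff header stops browsers from treating an image as markup.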
9. Use SSL: Use an encrypted SSL/TLS connection (HTTPS) for every page, not only the ones that carry users’ personal information, and use TLS as well for the connection between your application and its database if that traffic crosses a network. This prevents the information being read or altered in transit.
10. Remove form auto-fill: When you leave auto-fill enabled for forms on your website, you leave it vulnerable to attack from any user’s computer or phone that has been stolen. You should never expose your website to attacks that exploit the laziness of a legitimate user. Note that the autocomplete attribute is only a hint to the browser, and modern browsers ignore it for login fields, so the reliable defence against a stolen device is on the server side: short session lifetimes and re-authentication before sensitive actions.
11. Back up frequently: Just in case the worst happens anyway, keep everything backed up. Back up on-site, back up off-site, and back up everything multiple times a day. Every time a user saves a file it should automatically be backed up in multiple locations. Backing up once a day means that you lose that day’s data when your hard drive fails, and every hard drive will fail eventually. Two checks matter as much as frequency: restore from a backup regularly to prove it works, and keep at least one copy that the web server’s own credentials cannot modify or delete, so that an intruder who gets in cannot take the backups with them.
12. You can't hide your code: You can buy software that says it will hide the code on your web pages. It doesn’t work. Browsers need access to your code in order to render your website pages, so there are simple ways to get around web-page “encryption.”
Disabling “right-click” as a way to view your website code is annoying to users because it also disables every other “right-click” function, and there are simple workarounds that every hacker knows anyway. If you have been told that it is possible, there are in-depth explanations available of why you can never hide your code.
Your experience: Has your website been hacked? How did the criminals get in? Please use the comments facility below to share your story, including the changes you made after the attack.