In 2013, the annual Verizon report “counted 621 confirmed data breaches… and more than 47,000 reported ‘security incidents.’” From distributed denial of service (DDOS) attacks to breaching company networks, these hacking events impacted multiple industries. No one is exempt.
While some hackers focus on destroying your site, the majority just want to use it. They want to use your server “as an email relay for spam, to setup a temporary web server, normally to serve files of an illegal nature.” That might explain why you clients find your email messages in their junk mail. Your domain has been flagged for sending spam! It’s a possible sign your website has been hacked.
How do you protect your website? These nine steps close the key entry points used by most hackers.
1. Never use “Admin” as your username.
WordPress and Joomla use “Admin” as their default username. It’s the first username a hacker will try. Don’t use your name either. That’s the second username strategy a hacker will test on sole proprietor websites. Replace Admin with something hackers must work at before they break in.
2. Always use complex passwords.
Password. abcd1234. Your name. These are far too easy to hack, especially when software automates the process. If your password is 6 characters long and in lowercase, a computer can break in within 10 minutes. Switch some of those characters to uppercase and add 2 numbers, and your 8 character password takes 3 years to break. If you have a 9 character password which mixes caps, numbers and symbols, even the fastest computer won’t crack that password in your lifetime.
3. Keep software, plug-ins and scripts up-to-date.
There’s a reason many hosting platforms now automate WordPress updates. Those updates close loopholes in the scripts driving WordPress functionality. Hackers use scripts of their own to seek out vulnerable sites. Staying current is essential to reducing your vulnerability!
4. Keep error messages vague.
Have you noticed that some websites don’t differentiate whether the username or the password was incorrect? This is a hack prevention practice. If hackers don’t know which one is wrong, they must continue to tackle both. It might be irritating; however, the extra step your website visitors must take to validate whether they are entering the right username protects the website and their information. Why make it easy for hackers by eliminating one field?
5. Encode or strip out HTML in forms.
Cross site scripting or XSS uses scripting code when visitors to your site use your forms. Stop them by running a data check and encoding the form.
6. Use Parameterized queries in all website forms.
SQL injection can take over your forms, stealing information as your users log in. SQL injection hackers can even use your website’s search to break into your database. As with everything else, your savvy hacker isn’t doing this manually. He or she is using automated injection tools.
7. Validate forms on both the browser and server site.
Just because the browser catches things like failing to fill in mandatory fields or typing letters in numbers-only fields doesn’t mean you shouldn’t also validate your forms from the server. If you don’t, hackers may inject malicious code or scripting code into your database.
8. Don’t allow users to execute file uploads.
Have you ever opened a Word file downloaded from the internet? There really is a reason to reconsider clicking “Allow editing.” Images can be Trojan horses as well, with the caption containing PHP code just waiting to execute on your server.
If you do want to allow users to upload files, you’ll want to block their direct access to those files. It requires some code to do this, so it’s not a DIY for most small business owners.
Ask to have uploaded files sent to a private folder outside of the webroot folder. Install a script to fetch the files for online viewing, and use the image scr attribute to activate the image delivery script.
9. Test your website with security tools.
There are free tools available that run penetration tests (pen testing) to evaluate the vulnerability of your website. Netsparker tests for SQL injection and XSS. OpenVAS scans for over 25,000 known vulnerabilities, though it takes a techno-geek to install.
Both of these tools may deliver an overwhelming list of potential issues. Use the level of potential vulnerability to prioritize those issues most likely to affect your site. Then tighten down the rest over time.