Best Security Tips from Pro Developers to Protect Website from Hackers

Best Security Tips from Pro Developers to Protect Website from Hackers

3269 Views
3 Comments

When we talk about website security, many people say, why I should care for security of my website. There is nothing worth stealing or being hacked on my website. This is the common perception among many website owners.

Let’s take a look at it in a more layman’s term:

Your website is an online property owned by you and it represents you or your business. Suppose you construct a couple of rooms on a plot of land you own but you do not place any valuable furniture there. It is only for the purpose of enjoying a weekend with some friends away from the city. Now, will you leave it without any security like doors, locks etc.? The answer would obviously be a big “NO”. There is always a chance that some unsocial elements might make it home for their wrong activities. Same is the case with a website.

Now, let’s talk about various scenarios where a hacker might hack your website, even though, there’s nothing worth stealing on it and how it may affect you.

Mainly there are two reasons because of which a hacker might target your website:

  • To harm you or your business. It can be done by a competitor or for some personal enmity. Although it is a rare case, you must not remain aloof about it.
  • For their personal benefits and it does not matter to them who you are. This case is very common and most of the webmasters must be on a constant vigil related to it.

Now that we understand why your website might get hacked, let’s look at how you would get affected by this security breach.

  • If a hacker manages to hack a page of your website, he may tweak it to redirect the traffic to some other page. The main aim of this security breach is not to harm you but to get visitors to his website. But the bottom line is that you are losing visitors. Now, suppose that the redirected webpage belongs to a porn or an offensive website. This would surely harm your reputation or may invite some legal actions against you.
  • The hacker may add a link/image to your webpage which says “Like us on Facebook”. The visitor will click the button to like you but, in fact, end up liking the Facebook page of the hacker’s website. The hacker gets more likes this way and you end up losing valuable followers.
  • A hacker may add some malware on your webpage that triggers a download/install request every time a visitor open that particular page. This would tarnish the online reputation of your website among the visitors.
  • Your website could also be used to send bulk spam emails to random users.

These are some of the most common examples which might happen to any unsecure website. Now the big question that would be clouding your mind is how to avoid these situations and keep your website secure

Security is a very vast and complicated topic. While having discussions on website security, it is often said, “We cannot make a website fully secure, but let’s make it as tough to penetrate as possible.” And we really mean it. If you search a little you would find that security loopholes are discovered many a times even in websites of major tech giants like Apple, Google, Yahoo, Sony etc. They have best of engineers working for them but still nothing is impenetrable. But it does not mean that we should ignore security. So, understand what security flaws should be avoided so that you do not become soft targets to hackers. None of these is less or more important because your software is as secure as the most insecure piece of code it contains.

Take help from website experts to secure your website

1. Outdated software

Your website is developed over a stack of several software/scripts which are not developed by your developer but other companies or open source communities. Those software/scripts go through a process of testing, bug fixing and release of patches, then again testing. When newer versions of those software are released, support for older versions is removed, leaving it vulnerable.

Hackers can easily find out which software/scripts your website runs on and can exploit flaws in the outdated software/scripts. This point becomes more relevant in case your website uses scripts like WordPress, Magento etc. (We will discuss security in open source or ready scripts vs custom developed software in another article soon). But it does not mean that open source or ready scripts are less secure in any way.

2. Unused Pieces of Code

This again is a major issue when you use third party software/scripts. The code that exists on your server but is not being used by your website is simply ignored. It is not just a few kb/mb of files on your server, but it’s a piece of software which can be exploited by a hacker because you are not going to update it. Let’s take a look at some examples:

  1. Suppose you are running a WordPress blog and your developer tried a plugin once which he later uninstalled. But its scripts will remain on server which might become old and outdated with time. If that version of plugin is found to have a security flaw it can be exploited by the hacker, then your website might become vulnerable to security breach.
  2. Suppose your website uses a WYSIWYG html editor. You need image upload feature too in that. Your website is developed with dot net. Your developer made the dot net part of that image upload plugin secure, but the plugin contains code for php, Perl etc. too. Your server might support these extra codes which can be used by the hacker to easily upload/delete files on your server.

3. Third party software/code/plugins from untrusted sources

These days all or most of the websites use a lot of third-party libraries for additional features. That code becomes a part of your website. That code needs to be from some trusted source and constantly updated for security fixes. Third party plugins from untrusted sources can lead to malicious code in your website making it easy for a hacker to breach. It also matters if the third party libraries are implemented in your software the way they should be. A wrong implementation may also invite security issues.

 4. SQL Injection

Almost all the websites these days use some type of database to store the data. SQL injection is a way to manipulate the database queries written by your programmer. Your programmer creates database queries by combining some predefined strings and user input data. Hacker can input some additional data which modifies the meaning of query written by the programmer if it is not handled properly.

For example: The following is a query written to authenticate a user’s username a password. Your programmer writes query like

SELECT {field1}, {field2} FROM {usertable} WHERE username = ‘{posted_username}’ AND password = ‘{posted_password}’;

Now, suppose a hacker enter username as:’ or ‘’ = ‘ and same password.Then your programmer’s SQL query will become

SELECT {field1}, {field2} FROM {usertable} WHERE username =’’ or ‘’ = ‘’ AND password = ‘’ or ‘’ = ‘’;

Which is true always. Hence, the hacker will manage login into your system most probably as an administrator because the administrator is the first user of any system normally. Then he can change anything the administrator can for your website.

Or in case of say a page where query is like
SELECT * FROM content WHERE id = {id_passed_in_url}

Your developer, in this case, expected the url to be something like
page.php?id={some_number}

but the hacker makes url like page.php?id=3;update content SET content_text = ‘Website is moved to hackersite.com’

This may change content of all the pages of your website to “Website is moved to hackersite.com”

 5. XSS (Cross site scripting)

In this case, the attacker tries to change the content on your webpage by posting some JavaScript or some content at other allocated resource. Let’s take a simple example:

Suppose your webpage has an article and below it there is a form where the visitor can post comments on the article. Now a hacker may write comments in the comment box and also write some JavaScript like:

<script type=”text/javascript”>
$(‘#mainbody’).append(‘This article was taken from the_hackers_website.com’);
</script>

Or he may write a code there to display a form in the main content of your page which says enter your email ID and phone number but the information would be sent to the hacker, not you.

6. Hosting with bad websites

If your website is hosted on a shared server and another website on the same server machine is compromised, your website can also become vulnerable.

7. Accessing your websites ftp or control panel from a compromised machine

If your machine or your developer’s machine is compromised and you access ftp accounts or control panel of your website from that machine, the website credentials may be at risk. So, you should always use genuine and latest updated software on your machine and also be careful to keep your machine secure.

This was a brief discussion about a very few basic things to be taken care. Which points and up to what extent your website should be tested depends on several factors like technologies used, the base of the framework used, features of website etc. Also, it matters a lot if you’ve access to the code of the website. But at a minimum your website must be tested for SQL injections and XSS at the first stage.

Website security should never be taken for granted and proper steps should always be taken to avoid intrusion. FATbit Technologies realizes the importance of website security and incorporated security policies to ensure the optimal security of its client’s websites.

If you have any concerns regarding the security of your website or want a detailed analysis

Disclaimer: The Blog has been created with consideration and care. We strive to ensure that all information is as complete, correct, comprehensible, accurate and up-to-date as possible. Despite our continuing efforts, we cannot guarantee that the information made available is complete, correct, accurate or up-to-date. We advise - the readers should not take decisions completely based on the information and views shared by FATbit on its blog, readers should do their own research to further assure themselves before taking any commercial decision. The 3rd party trademarks, logos and screenshots of the websites and mobile applications are property of their respective owners, we are not directly associated with most of them.



Leave a Comment


CAPTCHA Image
Reload Image
Comments (3)
Jason

I also feel that duplicate content is harmful for a website, as it lowers the page rank. I can suggest adding a duplicate checking device (my personal choice is Copyact.

William Kent

I also feel that duplicate content is harmful for a website, as it lowers the page rank. You are sharing useful tips on website security, thanks for sharing !!