Simple Things You Can Do Right Now To Protect Your Site From Attacks; Only One Involves Code
In my experience, most site owners are aware of the web security dangers rampant these days, but often turn a blind eye for one of two reasons: naïveté or ignorance.
Many blog and small business or local business site owners, particularly those using WordPress, just don’t think their website is large enough or has enough of a following to be noticed by hackers.
Other site owners don’t think they have anything worth stealing, as they’re only a blog full of content and affiliate links.
The small size of your site doesn’t shield you; in fact, it makes you a more attractive target. After all, websites like CNN or YouTube have millions of dollars and entire web security departments dedicated to maintaining the availability and security of their site. Sure, hackers and scammers try, but they rarely succeed.
Which site would you rather spend time attacking – a giant with a massive cybersecurity arm, or dozens of small sites with no security resources whatsoever? Data stolen from a hundred small sites adds up to a very valuable bounty.
Use SSL To Secure Your Website
These days it should go without saying, but the first thing any site must do is install an SSL/TLS certificate to protect all data while it is in transit between your server and the browser.
This quick and often free step ensures that all data sent to and from your site is encrypted in transit, meaning it can’t be read, copied or tampered with along the way.
Protect Against SQL Injections
This type of attack allows an intruder to gain access to your database and, from there, to install and activate malicious code. It is particularly damaging because the attacker can get all of your stored data: customer information, emails, intellectual property, billing details and even credit cards, should you store them locally.
Attackers use SQL Injection to bypass the authentication and authorization measures on your website and can then view, edit and download any or all records in your database. Oftentimes the attacker will create an administrative account with full access to your entire system, essentially taking complete control.
You can use a parameterized query (also called a prepared statement) to prevent this from happening. This technique works with most databases.
A current database query looks like this:
You’ll want to change that relatively simple string into a parameterized query like the following:
Of course there are many very effective premium software solutions to protect, encrypt and prevent SQL Injections. ServerWise utilizes a full SQL protection suite for all our clients.
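To show concretely why a parameterized query closes this hole, here is an added example that is not code from the original post or from ServerWise. It uses Python’s built-in sqlite3 module with an in-memory database and a constructed users table, so it runs offline; the table layout, the sample rows and the login lookup are assumptions made for the demonstration. The same placeholder pattern exists in every major database driver, and WordPress exposes it as `$wpdb->prepare()`.

```python
"""Added example (not from the original post): a string-built query beside its
parameterized replacement, run against a constructed in-memory SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed users table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [
            ("alice", "hash-of-alice-secret", "admin"),       # constructed row
            ("bob", "hash-of-bob-secret", "subscriber"),      # constructed row
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str):
    """The 'before' form: user input is spliced straight into the SQL text.

    The database cannot tell data from query, so quote characters and comment
    markers in the input rewrite the WHERE clause itself.
    """
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + username
        + "' AND password_hash = '"
        + password_hash
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str, password_hash: str):
    """The fixed form: the SQL text is constant and the values travel separately.

    The driver binds each value as data, so whatever the input contains is only
    ever compared against the column, never parsed as SQL.
    """
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


def compare(username: str, password_hash: str) -> dict:
    """Run the same credentials through both lookups and return the row counts."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, username, password_hash)),
        "parameterized_rows": len(lookup_parameterized(conn, username, password_hash)),
    }


if __name__ == "__main__":
    # Legitimate credentials: both forms return exactly one row.
    print("valid login     :", compare("alice", "hash-of-alice-secret"))
    # The textbook injection string: the string-built query returns every user,
    # the parameterized one returns nothing because no username contains that text.
    print("injection input :", compare("' OR 1=1 --", "nothing"))
```

The parameterized version is not a filter or an escaping routine; it is the database driver being told unambiguously which bytes are code and which are data. That is why it keeps working regardless of what quoting tricks a future input contains, which no blocklist of characters can promise.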
Pay Attention To Your Email Ports
If you’re managing your own mail server, take a look at your email transmission ports, as they’re a prime target for an easy attack.
If your email ports (incoming and outgoing) are set to the following plaintext ports, then your communications are NOT secure, and you are open to attack:
- SMTP Port 25
- POP3 Port 110
- IMAP Port 143
To increase your communications security, change to the following ports, which are the standard implicit-TLS ports and carry encrypted connections on properly configured servers:
- SMTP Port 465
- IMAP Port 993
- POP3 Port 995
Disable All File Uploads
Allowing users to upload anything to your server involves great risk; even a simple avatar can carry malicious code that executes on your server and rolls out the welcome mat to attackers.
The most obvious and best solution is to stop allowing any direct file uploads on your website. Should your site visitors or users need to submit a file, the best practice is to create a secure form (easy to do if you’re using WordPress) with a simple file attachment that does not download and save the file to your web server (not even outside your public document root) but instead zips the file and transmits it via email to a Google or Outlook account.
Essentially, you’re using Google or Microsoft to scan the attachment for malicious code before you download it.
If your business requires file uploading by your customers, you’ll want to use the most secure transmission method, such as SFTP (the SSH-based secure version of the file transfer protocol). You may also consider separating your document server from your database and web servers; that way, if malicious code does sneak in, the damage will be contained and your customers will not be affected.
You may also use geo-specific IP blocking to prevent users from outside your customer base from accessing your site or uploading a file. After all, if you don’t do business in Russia, no one with a Russian IP address should be sending you anything.
Alternatively, you may shortcut this with a whitelist, ensuring that only IP addresses originating from the specific countries where you do business may upload a file.
Invest In A Fully Managed Secure Host
If securing your own web infrastructure and ensuring it can scale on demand is daunting, or you simply have better things to do with your time (like building your business), consider investing in a fully managed host like ServerWise.
If you’d rather go it alone, the methods I listed above won’t guarantee your site’s security, but they’ll make your server more secure and less appealing to hackers and automated attacks. You’ll have one less thing to worry about, at least.