1stwebdesigner
Is My Website Ready for Some Serious Hacks?

Posted: 31 Jul 2014 06:00 AM PDT

The issue of website security has been a top priority for web designers and developers for a long time. Over the Internet's colorful history, a lot of methods and tools have been developed (and some are still being developed) to ensure that websites are hack-proof, or at least ready for some serious hacks.

What drives all the motivation to lock down websites is, of course, business. As we all know, websites drive income and leads for a lot of companies. These companies strive to reach a new market, one that mainly resides in the digital world, to increase their chances of conversion and, in the near future, income. Other websites prosper mainly from driving traffic and converting clicks into cash. Blogs are great examples: they mainly sell information, which can be used to create tangible and perceivable products.
Whether you are designing an online store, a niche blog, or just a corporate website, protection should always be kept in mind. As a web designer/developer, you are tasked not only with creating beautiful, working web pages but also with keeping them protected from parties who would want to break in and take advantage of them. You need to enforce security measures to prevent the dreaded situation of being hacked.

There are a lot of ways of hacking a website, so many measures should be implemented to prevent these unfortunate situations. However, there is no single fool-proof way to prevent and eradicate hackers. The best thing you can do is to make the intrusion so difficult that the hacker just gives up. In this article, you will learn the measures you can take to make your website ready for a possible breach. You will also read about some of the most common techniques hackers use to compromise your website's security.

Common Hacking Methods

As I've said, there are various methods of penetrating a website's security. Hackers employ these methods to destroy or manipulate the website they are about to hack. We are introducing them to you so that you can apply security measures to prevent and fight such shenanigans.

SQL Injection

You cannot deny that SQL Injection is listed as one of the most dangerous attacks against websites and systems. It mainly involves the input of SQL code into forms like login fields, or even into the browser address field. Doing so can give the hacker access to the database of the website or system.

Once you enter your username and password in a login form, the data you key in is inserted into an SQL command. That command takes the data you just entered and compares it against the relevant table in the database. If the two values match, you are granted access; otherwise, you will not be able to log in.
SQL Injection attacks happen when a hacker pastes SQL commands into your website's fields. In the normal case, the website just checks the data being entered by the user and validates it. But if the data contains something as simple as a single quote (') at the end of a username, your database may treat the input as part of the constructed SQL, and because of this it will be run as part of the query. The hackers may not get into your website with this query alone, but the method can let them learn your database name, tables and key fields. From that data, the hacker can then submit SQL commands into the other fields of your website, and from there see the contents of your database.

How do I defend my site against this?
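The login check described above, built two ways against a constructed in-memory SQLite table (an added example, not code from the article): one pastes the form fields into the SQL text, the other passes them as bound parameters. The single-quote probe shows why the first is a problem and the second is not.

```python
import sqlite3

# Constructed sample table with one account. A real site stores password hashes
# rather than plaintext; it is kept plain here so the query stays the focus.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('john', 'whoisjohngalt')")


def login_vulnerable(username, password):
    """Builds the command by pasting the form fields into the SQL text, so
    whatever the visitor typed becomes part of the command itself."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(username, password):
    """Sends the form fields as bound parameters. The database treats them as
    plain values, never as SQL, so a quote in the input cannot alter the command."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def quote_breaks_query(login_fn, username):
    """The single-quote probe the article describes: returns True when the
    stray quote makes the database raise a syntax error, which is the sign
    that form input reached the SQL parser as code rather than as data."""
    try:
        login_fn(username, "anything")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    print(login_vulnerable("john", "whoisjohngalt"))        # True: normal login
    print(quote_breaks_query(login_vulnerable, "john'"))    # True: input became SQL
    print(quote_breaks_query(login_safe, "john'"))          # False: just a wrong username
```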
Cross Site Scripting (XSS)

Commonly known as XSS, Cross Site Scripting is one of the more difficult hacks to deal with. In past years, Microsoft, MySpace and Google have all had a difficult time dealing with such cases. XSS involves malicious JavaScript routines, attached to hyperlinks, that are used to take over sessions, hijack ads in apps and steal personal information.

You will surely remember this: you accidentally click a weird-looking pop-up and it leads to a website that looks like a messenger app. Then a cute girl with seemingly questionable English chats you up and says, "You wanna see my p*ssy? Click here." With the what-the-hell-she's-hot-anyway mentality, you click the link and an address with a sketchy URL appears:
At some point, you may think nothing has happened. But boy, you have never been so wrong in your life. Such links can steal session cookies (sounds like you're being bullied), which can lead to the hijacking of your personal information.

How do I prevent this hack from happening?
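Two of the defences that answer that question, as an added example that is not part of the article: encoding visitor-supplied text before it is put into a page, and marking the session cookie so page scripts cannot read it. The comment text and the session id are constructed for the demo.

```python
from html import escape
from http.cookies import SimpleCookie

# Constructed sample input: a "comment" that carries a script tag. If the page
# echoes it unchanged, the browser of every later visitor runs that script.
HOSTILE_COMMENT = "<script>alert(document.cookie)</script>"


def render_comment_unsafe(comment):
    """Pastes the visitor's text straight into the HTML: script tags survive."""
    return '<p class="comment">%s</p>' % comment


def render_comment_safe(comment):
    """HTML-encodes the text first, so the browser displays the characters
    <, >, &, " and ' instead of interpreting them as markup."""
    return '<p class="comment">%s</p>' % escape(comment, quote=True)


def session_cookie_header(session_id):
    """Builds the Set-Cookie header for the login session with HttpOnly, which
    keeps document.cookie from exposing it to page scripts, and Secure, which
    keeps it off plain HTTP. That limits what a script that does slip through can steal."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_comment_unsafe(HOSTILE_COMMENT))   # script tag intact
    print(render_comment_safe(HOSTILE_COMMENT))     # &lt;script&gt;... shown as text
    print(session_cookie_header("constructed-session-id"))
```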
Authorization Bypass

Simple as it may seem, authorization bypass is very scary! Often used against poorly designed apps or CMSes, this hack can wreak total havoc on your website. It works in this simple process:
How do I determine if my website is vulnerable?
If yes to even just one, then you might be vulnerable. Read more here: OWASP

How can I protect my website?
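One shape this takes in a CMS, as an added example that is not from the article: an "edit post" check that believes a role value sent by the client, beside one that decides from server-side records only. The users, posts and role names are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    role: str  # "author" or "admin", as stored on the server


# Constructed sample records: two authors, one admin, and a post owned by each author.
USERS = {10: User(10, "author"), 20: User(20, "author"), 1: User(1, "admin")}
POSTS = {1: {"owner": 10, "title": "Alice's post"}, 2: {"owner": 20, "title": "Bob's post"}}


def may_edit_bypassable(session_user_id, post_id, role_from_request):
    """Bypassable design: the app checks that someone is logged in, then believes
    a role value that arrived with the request (a hidden form field, a cookie or a
    query parameter). Anyone who edits that value is treated as an admin."""
    if session_user_id not in USERS or post_id not in POSTS:
        return False
    return role_from_request == "admin" or POSTS[post_id]["owner"] == session_user_id


def may_edit_checked(session_user_id, post_id):
    """Checked design: the decision uses only server-side records, the role stored
    for the session's user and the owner stored for the requested post, so nothing
    the client sends can change the outcome."""
    user = USERS.get(session_user_id)
    post = POSTS.get(post_id)
    if user is None or post is None:
        return False
    return user.role == "admin" or post["owner"] == user.user_id


if __name__ == "__main__":
    # Bob (20) tries to edit Alice's post (1) while claiming to be an admin.
    print(may_edit_bypassable(20, 1, "admin"))   # True: the claim is believed
    print(may_edit_checked(20, 1))               # False: Bob is neither owner nor admin
    print(may_edit_checked(1, 1))                # True: the stored admin role counts
```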
Now, there are many types of hacks; the most common hacking techniques have been discussed. If something was missed, please follow the links below for more detailed information:

Common Safety Measures to Prevent Hacks

Always Keep Your Plugins and Software Up-to-Date

Nothing makes a hacker's ears perk up like an outdated plugin or blogging program. These are easy targets, because outdated programs commonly have glitches, bugs or security loopholes; that is the main reason they get updated in the first place. Let's put it this way: you are using a model of door lock that has been picked a thousand times. Would you expect the next lockpicker to have a difficult time cracking your security? So, heed this advice: update now.

Use Strong Passwords

How many times does this have to be stressed? Using strong passwords is very important. You may not realize it, but hackers are continually trying to crack or steal your passwords. So, how do we craft an effective password?
The Salt Method is a great way to keep your password secure. The principle is that you replace letters or numbers with special characters according to your own rule. Here is an example:
With this, our sample password, originally 'whoisjohngalt', becomes 'wh0!$j0hngalt'.
Business Insider recently published a method for creating secure passwords that are very easy to remember. According to the magazine, you should make a longer password because it gives computers a longer time to guess it. The basic principle of this method is that you create a really long password using words that are not significant to you or to each other.
We at 1stwebdesigner have also developed our own method of creating strong passwords. Here is a video of it:

Use Google's Webmaster Tools

Google now has a way of helping your website be more secure. Using Webmaster Tools, you will be notified of the presence of malicious infections. If you fail to remove them and you get hacked, Google will help you by blacklisting your website. This gives you time to get rid of the malware faster. The service also includes the details of the problem Google is detecting.

Don't Display the WordPress Version Number

Aside from updating your blog platform, you should always prevent hackers from knowing what version of WordPress you are running. Doing this will prevent them from exploiting security loopholes on your site. You can remove the WordPress version number by editing your site's functions.php and adding the following code:

    // Return an empty string in place of the generator meta tag, which normally carries the WordPress version.
    function wpbeginner_remove_version() {
        return '';
    }
    add_filter('the_generator', 'wpbeginner_remove_version');

Turn register_globals Off (register_globals=off)

Many WordPress users have been vulnerable because they took this for granted. Despite the WordPress.org recommendation to leave register_globals on, you should turn it off, because this setting has been the most commonly hacked element of a WordPress site.

Tighten Your .htaccess File's Security

Normally, your default .htaccess security is more open than it should be. However, you can tweak it to save you from URL hacks, SQL injections and other hacks. There are a lot of ways to tweak your .htaccess, but we'll name the most useful ones (remember to back up first):
Add the following and you will be able to sleep tight at night, knowing that bots and unwanted access will not be allowed to your wp-admin.php file. You can also apply this method to other files like install.php and error_log. Here are a few more rules to put in your .htaccess file:

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} tag\= [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)||ê|"|;|\?|\*|=$).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^(.*)$ - [F,L]

Source: RoalCoal

Note that these patterns are broad (tag\=, for example, also matches WordPress's own ?tag= archive links, and the final condition applies the block only to visitors who have no wordpress_logged_in_ cookie), and the two patterns containing || include an empty alternative, which matches every query string. Check the rules against the source and test them on a staging copy before relying on them.

My Website Has Been Hacked. What Should I Do?

Say that it's too late and you have already been hacked. What would you do? Don't start banging your head against the wall yet. Smashing Magazine has a wonderful article on this. Read it.

Conclusion

Being hacked sure is a headache. You basically see your efforts crumbling down like a tower made of pastry. But an ounce of prevention will always be better than a pound of cure. So, while you're still okay, fix everything you need to fix before it all goes gaga.