You’ve built a website, and you are ready to take it live. Before you do, you need to make sure you secure it. Even if your site does not store any sensitive data, it could get hacked to act as a temporary server for malicious purposes like relaying spam emails, botnet propagation, and even bitcoin mining. In this article, you will learn how to secure your website against attackers.
#1. Always keep your software and platforms updated
Any well-maintained piece of software will routinely release security patches. Software vendors and hackers are in a never-ending battle similar to predators and prey in the wild. Animals that are prey, like the hairy frog, evolve new techniques to trick and evade predators. Eventually, the predators catch on, and the prey must develop new methods to fend off predators. Similarly, hackers are always looking for security exploits in software. Eventually, they find them, which forces software vendors to release patches to fix the vulnerabilities.
This game between hackers and software vendors never ends, so you need to make sure to implement software updates immediately to keep your website safe. The same applies if you are using a CMS. Every second you wait to install software updates is a second your site is vulnerable to an attack.
#2. Install security plugins, if available
Open-source software is one of the backbones of the internet. One problem with open-source software is the code is accessible to people with malicious intent, like hackers. Because the code is public, they can go over it to identify security loopholes and release hacking scripts exploiting them.
To help combat this, you should install any security plugins that are available for the software or platform you are using.
#3. Use HTTPS
HTTPS is more secure than HTTP because it is encrypted. You should always use HTTPS. It no longer costs a fortune to get a security certificate and maintain it. With websites like Let’s Encrypt, you can obtain security certificates for free if you only need the most basic level of security.
You can always pay for certificates to get even more security.
#4. Use Parameterized Queries to Avoid SQL Injection Attacks
Running database SQL queries is done on most websites. Under normal circumstances, the collected user input is combined with an SQL command to run a query. Without the proper safeguards in place, a hacker can input a perfectly legal SQL command that modifies, updates or deletes database elements.
To counter this type of attack, you should use software designed to defend against SQL injections. Never try to write software to prevent SQL injections yourself.
If you are using XSS, hackers can input JavaScript code as input. You can avoid this by ensuring that you have explicitly defined the types of inputs acceptable from users.
#5. Set file and directory permissions
To secure your website, you need to pay attention to your file permissions. Make sure you only give read, write, and execute permissions when necessary.
As a general rule, you should always err on the side of giving fewer permissions.
#6. Use strong passwords and keep them safe
Did you know 123456 is still the most commonly used password? Weak passwords mean weak security. You need to put measures in place to make sure everyone using your website, including yourself, is using sophisticated passwords. A single weak password can let an attacker in, rendering all your other efforts to secure your site worthless.
Depending on the level of security required, you should encrypt your passwords using simple or hash algorithms to keep them safe.
#7. Secure uploads by users
Websites that allow users to create accounts and upload files are the most vulnerable to security attacks. If you are allowing users to upload files, even if it is just an image to change their profile picture, you still need to make sure they cannot upload hidden scripts that could compromise your website’s security.
Finally, here are some additional steps you can take to prevent malicious attacks :
- Set up a firewall.
- Limit access to ports.
- Use secure transfer methods like SSH and SFTP for Internet uploads.
- Keep your web and database servers separate.
- Physically secure your servers.
Website security is not a one-time issue; you must be vigilant over the lifecycle of the project to secure your website from threats. Starting correctly, with as many security systems in place as possible, will solve many potential security issues. By following the tips in this article, you will be on your way to maintaining a secure website, but remember to always be thinking about security.
Want to learn to program? Register for my free Self-Taught Coder Masterclass where I cover how I went from a novice to a software engineer at eBay in less than one year.