Hacker-Proofing Your Website


Google the word hacker and what floats to the top? A website called elite-hackers.com. This nefarious site offers hackers and hobbyists the latest information on new viruses, programs and Windows vulnerabilities to keep them abreast of “what is happening” in the colorful world of cyber terrorism. Nice, huh?

So why would a hacker want to mess with your business’s website, anyway? Lots of reasons. They could steal customer data, hijack your server to relay spam or use automated scripts to exploit certain website software loopholes.

So we thought that it might be helpful to give businesses like yours a few tips on how to make your company website more hacker-proof.

1. Update your software
This is an easy one. Keeping your software up-to-date is vital to website security. This includes everything from the server operating system to any software that’s being used, such as a CMS. Once a security hole is discovered, hackers use it until more secure updates are put in place. Most vendors have an RSS feed detailing any site security issues. WordPress, Umbraco and other CMSs will notify you the moment an update is available. Don’t dawdle. Update.

2. Double-check form data
To protect your site from malicious code being introduced by hackers placing JavaScript code into a web form, always insure you double and triple check the data being submitted. Encode or strip out all HTML.

3. Watch your error language
Be careful not to give away too much information in your site’s error messages. You should keep error messages vague and generic. If there is login failure simply send a message that says “incorrect username or password.” Never tell a potential hacker that the username is correct if the password is wrong. Knowledge is power.

4. Avoid SQL injection attacks
This is where you might want to send this blog entry to the IT department. Always use parameterized queries to avoid hacker attacks on your site’s web form fields or URL parameters. If you are currently using standard Transact SQL, it is easy to unknowingly insert rogue code into your query and allow hackers to delete data, snatch information or change tables.


5. Dual validation
Make sure validation is done both on the server side and browser side. You double your security this way.

6. Enforce password requirements
As much as users hate this, enforcing password requirements is essential to data security. Make the password a minimum of eight characters, include a number and an uppercase letter.

7. Encrypt all password information
Passwords should always be stored as encrypted values, preferably using a one-way Secure Hash Aglorithm (SHA). This way, when you are authenticating users you are only comparing encrypted values. If you are using .NET then it’s worth using membership providers as they are very configurable, provide inbuilt website security and include readymade controls for login and password reset.

8. Limit file uploads
Letting users upload files to your business’s site is a giant security risk––even for something as innocent as an avatar. Any uploaded file has the potential of containing a malicious script that when executed opens up your server to mayhem. By their default setting web servers won’t attempt to execute files with image extensions. But this alone is not adequate protection. Your best bet is to totally avoid uploaded content.

9. SSL offers TLC
SSL is a protocol used to provide security over the Internet. It’s a good idea to use a security certificate whenever you are passing personal information between the website and web server. Otherwise, hackers could sniff out this information and––if the communication medium is not secure––snag it to gain access to user accounts and personal data.

10. Test your site
Once you have done all of the above to fortify your site, test it. There are several free tools worth checking out: Netsparker, Open VAS and Fiddler . There are also some helpful modules available for CMSs to check your installation for common security flaws, such as Security Review for Drupal and WP Security Scan for WordPress.

Do everything suggested and will your website be hack-proof? Not by a long shot. Hackers are a tenacious lot. Plug up one hole and they will discover another. But if you are vigilant, and you do everything that is outlined above, your site security can be vastly improved. If you would like further assistance optimizing your business’s website and making your digital marketing work harder, feel free to give me a toll-free call at 866.642.7559.
We are a Dallas Advertising Agency with expertise in website design and development.