Guidelines for Securing Websites

The Internet is not a very friendly place. Thousands of websites have been hacked in the past months. Internet security is EXTREMELY important.

Most hackers are amateurs who have day jobs and only want to hack a website that is easy. These are the easiest to protect yourself against: make your site as difficult to get into as possible so that they give up and move on to easier prey. The smaller percentage are professionals who spend the majority of their time finding new ways and new security holes to take advantage of. These are real threats, and the list below will help in securing your website. Keep in mind that nothing is foolproof, but if you are always conscious of your security and keep up with these steps, you can better protect your websites.

 

Maintain backups at least every 4 hours on web servers whose data changes on a regular basis, or back up after each change if the site is modified only once in a while.

Patch the software used on the web server for the website: the server OS, the web server software (Apache, IIS, etc.) and the website software itself (Joomla, WordPress, Drupal, MODx CMS or other third-party software).

Check and patch vulnerabilities in website plugins (commercial or open-source, menu systems, WYSIWYG editors, etc.).

Check for vulnerabilities in software on the local computer (Adobe Reader, Flash, Java, Microsoft, Apple, etc.).

Check and patch vulnerabilities in the website's own code (SQL injection, code injection, cross-site scripting (XSS), remote file inclusion, cross-site request forgery, path/directory traversal, etc.).

Use strong, unique passwords for login that meet complexity requirements: passwords must be a minimum of 7 characters; must not contain the user's email alias, first name, last name or any part of the company name; must contain three of the four categories (uppercase A through Z, lowercase a through z, base 10 digits 0 through 9, and non-alphanumeric characters ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/); and the "@" character must not be at the beginning or end of the password.
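As an added example (not part of the original guidelines), the following Python function enforces exactly the password policy listed above and reports every rule a candidate password breaks. Treating "any part of the company name" as each whitespace-separated word of the name is an assumption; the identity values used to exercise it are constructed.

```python
import string

# The non-alphanumeric category exactly as listed in the policy above.
SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")


def check_password(password, email_alias="", first_name="", last_name="", company_name=""):
    """Return a list of policy violations; an empty list means the password passes.

    Identity fields default to empty strings and are then skipped, so the
    function can also be used purely as a complexity check.
    """
    problems = []

    # Rule 1: minimum length of 7 characters.
    if len(password) < 7:
        problems.append("shorter than 7 characters")

    # Rule 2: must not contain the user's email alias, first name, last name
    # or any part of the company name (assumption: each word of the name).
    # Comparison is case-insensitive so "Alice" still catches "alice".
    lowered = password.lower()
    forbidden = [email_alias, first_name, last_name] + company_name.split()
    for item in forbidden:
        if item and item.lower() in lowered:
            problems.append(f"contains forbidden value {item!r}")

    # Rule 3: at least three of the four character categories.
    categories = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIALS for c in password),
    ]
    if sum(categories) < 3:
        problems.append("fewer than three of the four character categories")

    # Rule 4: "@" must not be the first or last character.
    if password.startswith("@") or password.endswith("@"):
        problems.append("'@' at the beginning or end")

    return problems
```

Run it against the password a user proposes at registration or password change, and reject the change while any problem is returned, so the rules are enforced on the server rather than left to the browser.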

Use server-side validation for login pages and other web forms.

Always use SSL certificates on websites with login capability, and force HTTPS.

Check file permissions (for example, on Linux servers make sure that file permissions are changed from the completely open 777 to the more restricted 755 for folders or 644 for files).

If your site uses PHP, use suPHP for added security. Without suPHP, PHP scripts run as the web server user "nobody", meaning every script on the server shares that account's system-level access. suPHP restricts PHP scripts to run as the actual user of the account that owns them.

Run the web server in a DMZ with restricted access to the internal network, if such access is needed at all.

Employ an Intrusion Prevention System (Cisco IPS, SecureWorks, etc.).

If working with really sensitive information such as credit card payments or medical records, a Web Application Firewall (Cisco ACE, Imperva, etc.) can be employed. These are very expensive and most small businesses cannot afford them. Amazon and PayPal use such a system for PCI compliance.

 

If you have any questions about the above, please feel free to contact us.