Cartika Blog

Five Steps That Can Help Webmasters Avoid Many Site Security Issues

Site security is a complex issue. The online economy is huge and hackers stand to reap considerable benefits from attacks against sites that store sensitive data or give them access to large numbers of visitors. Hackers are a motivated and intelligent group of people, albeit a group with a consistent lack of concern for their fellow Internet users. In spite of the potential complexity of securing a site, attacks tend to fall into a number of clearly defined categories, and the mitigation of a significant majority of attacks can be achieved by following a small set of best practices. That’s not to say that by implementing the strategies we’re going to discuss here a site will be rendered impervious – that’s all but impossible, but most hackers focus on low hanging fruit, and by ensuring that a site is difficult to exploit, web masters will discourage all but the most persistent online criminals. In this article I’m going to discuss five areas of online security that all website owners should be aware of. I’m not going to deep dive into these potential vulnerabilities and mitigation techniques, but rather give site owners an awareness of the potential issues that they can use as a starting point for their own education.

Implement Password Best Practices

Poor password practices are an open invitation to hackers. The technology available to hackers for both stealing password databases and decrypting passwords has improved considerably in recent years. It goes without saying that passwords should never be stored as plain text, and should instead be stored using salted hashes, but that’s not a sure protection if users choose simple and easily guessed passwords. In addition to server-side password-storage best practices, users should be encouraged to use unique, long, and complex passwords, preferably in combination with a password manager like LastPass.

Sanitize User Input

Cross-site scripting attacks and SQL injection attacks are among the most common causes of successful exploitation and both can be largely avoided by proper sanitizing of user input to ensure that JavaScript or SQL code entered by users is never executed by the site. All user input should be properly escaped and otherwise sanitized so that the site can distinguish between legitimate code and user-entered data.

Keep The Software Stack Up-To-Date

This should be obvious but many sites fail to update their software in a timely fashion. Bugs and vulnerabilities will always occur in complex software, and there’s a constant battle between developers and security researchers on one side, and online criminals on the other side to remove potential exploits as quickly as possible. If a site doesn’t update properly, it’s more than likely that the old software version contains vulnerabilities that are known to hackers and have been closed in later versions.

Reduce The Attack Surface Area

The fewer targets that are available to hackers, the less likely they are to find an exploitable vulnerability. There are many ways of ensuring that a site presents a low surface area to attackers, but one of the most crucial is the removal of unused plugins from content management systems. If you use WordPress, for example, unused plugins should be removed, because they introduce potential attack vectors without providing any meaningful functionality.

Choose Secure Hosting

Most hosting companies boast about their security records, but time and again we hear about successful attacks that result from lax security procedures on the part of web hosting companies. Site owners can be as diligent as could be hoped for, but if their web hosting company drops the ball, then their efforts mean very little. By choosing secure web hosting, site owners are relieved of some of the burden of keeping their sites safe, especially if they choose secure managed hosting from a hosting company with a proven track record like Cartika. Image: Flickr/killrbees