Guide: How to secure your website

Vincentas

Hey guys!
A lot of people today want or actually have a website. But do they really understand the possible risks and dangers on the internet?
You can never know when hackers or other institutions will target you, and people do not realize that your personal information is easily accessible.
I've tried to write a few tips to help you prevent such events, and I hope you will find them useful.

1. Open source scripts. What is open source?
Unless you are really skilled at what you're doing, it is a great idea to use open source scripts like
WordPress
Drupal
Joomla
Magento
They help you with developing your website and protect you from your own poor code; it is always easier to maintain a website when you have a full team of skilled IT specialists protecting you.
2. SQL injections. SQL injection - Wikipedia, the free encyclopedia: http://en.wikipedia.org/wiki/SQL_injection
The main threat from hackers to your website is the SQL injection. However, you can simply prevent it by using parameterized queries or by using Microsoft SQL server. Microsoft's SQL Server supports a stored procedure xp_cmdshell that permits what amounts to arbitrary command execution, and if this is permitted to the web user, complete compromise of the webserver is inevitable.
You can read more about the structure of an SQL injection here.
3. Password protection. Make sure you protect both your and your visitors' information with strong passwords. When registering new visitors, set a complexity requirement by only letting people create passwords with 8 or more symbols, including at least one capital letter and a number.
Note: make sure your admin email cannot be found anywhere in your script, and make it completely different from your casual mail account.
Read more about password complexity here.
4. Hosting your website.
Most hosting providers will take care of the server configuration for you, but if you are hosting your website on your own server then there are a few things you will want to check.

Make sure you have a good firewall and that it is blocking all non-mandatory ports. If possible, set up a DMZ (Demilitarised Zone) to only allow access to ports 80 and 443 from the outside world.

If you are allowing files to be uploaded from the Internet only use secure transport methods to your server such as SFTP or SSH.

If possible have your database running on a different server to that of your web server. Doing this means the database server cannot be accessed directly from the outside world, only your web server can access it, minimising the risk of your data being exposed.

And last but not least, don't forget about restricting physical access to your server.
More about hosting dangers here.
5. Make sure you have a .htaccess file. .htaccess - Wikipedia, the free encyclopedia: http://en.wikipedia.org/wiki/Htaccess
.htaccess files are often used to specify the security restrictions for a particular directory, so make sure you have not deleted it by accident, and check that it is there in the first place.
The next thing you can do is add a robots.txt file. What is a robots.txt file?
robots.txt gives special instructions to search engine spiders as to which folders are to be indexed and which ones are not. Folders with documents, images etc. can be kept under wraps from being indexed and displayed in public web searches.

6. Using SSL. SSL - Wikipedia, the free encyclopedia: http://en.wikipedia.org/wiki/SSL
If you are transmitting sensitive information on a web site, such as credit card numbers or personal information, you need to secure it with SSL encryption. It is possible for every piece of data to be seen by others unless it is secured by an SSL certificate.

Your customers won't trust your web site without an SSL certificate. According to Gartner Research, nearly 70 percent of online shoppers have terminated an online order because they did not "trust" the transaction. In those cases, 64 percent indicated that the presence of a trust mark would have likely prevented the termination.

So if you are really up to making and hosting a website, know the risks and dangers and be prepared for them.
Any feedback or comments are highly appreciated.
I will try to edit as soon as I think of something useful.
Love,
Vincentas
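The post's point 2 (parameterized queries) and point 3 (8+ characters, a capital letter and a number) in working form. This is an added example, not code from the post: it uses Python's standard sqlite3 module against a constructed in-memory users table (hypothetical schema), and puts the string-spliced lookup next to the parameterized one so the difference is visible on the same input.

```python
import hashlib
import hmac
import os
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a site's user table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    return conn


def password_ok(password):
    """Registration rule from the post: 8+ symbols, at least one capital letter and one digit."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def hash_password(password, salt):
    """Store a salted PBKDF2 hash, never the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(conn, username, password):
    """Refuse passwords that fail the complexity rule; otherwise store a salted hash."""
    if not password_ok(password):
        return False
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    return True


def lookup_vulnerable(conn, username):
    """BAD: user input spliced into the SQL text, so the input can change the query itself."""
    sql = "SELECT username, salt, pw_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """GOOD: parameterized query; the value is bound separately and is never parsed as SQL."""
    return conn.execute(
        "SELECT username, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchall()


def verify(conn, username, password):
    """Log in via the safe lookup and a constant-time hash comparison."""
    rows = lookup_safe(conn, username)
    if len(rows) != 1:
        return False
    _, salt, pw_hash = rows[0]
    return hmac.compare_digest(pw_hash, hash_password(password, salt))


def demo():
    """Run both lookups on a textbook injection string and report what each returns."""
    conn = make_db()
    register(conn, "alice", "Correct1Horse")          # passes the rule
    register(conn, "bob", "weakpass")                  # rejected: no capital, no digit
    injected = "nobody' OR '1'='1"                     # constructed malicious username
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, injected)),  # returns alice's row
        "safe_rows": len(lookup_safe(conn, injected)),              # no such user: 0 rows
        "login_ok": verify(conn, "alice", "Correct1Horse"),
        "login_bad": verify(conn, "alice", "Wrong1Password"),
    }


if __name__ == "__main__":
    print(demo())
```

The spliced version turns the WHERE clause into `username = 'nobody' OR '1'='1'` and hands back every row; the parameterized version looks for a user literally named `nobody' OR '1'='1` and finds none. Whatever database engine sits behind the site, binding values instead of concatenating them is what closes this hole.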
When using open source scripts, I advise you to be wary of the security implications that they also hold in a negative light. Yes, you have a team of developers giving you an open source product, but do your research on the team before you trust anything. Open source software can be developed by anyone, even those with malicious intent, so always use your best judgement when choosing a solution that is not very well known among the development community.


If you are dealing with sensitive data, even large open source products can fall prey to large scale attacks, and they often do, simply because a well known script means more prey for an experienced hacker. Because the source code is open source, this means that savvy and dangerous users can prod the code for security holes that might not have otherwise been apparent. Make sure that you update or patch your software according to the development team's recommendations. Also make sure to check public forums for security information relating to whatever version of software you plan on using.