How do I secure my site?

sloane1 · August 21, 2014, 4:45am

Hi Guys, I am currently working on company’s website but I don’t know how can I secure my website from several attacks
if you have any answer
please provide

arout77 · August 22, 2014, 3:34pm

Not to be discouraging, but this is an immensely intricate topic…there are very many different ways to attack a web site. The old proverb about the chain only being as strong as it’s weakest link definitely applies here. Perhaps if there is specific areas of concern that you’d like to discuss, you can bring them up specifically, otherwise I don’t think you’ll get many responses

hectorconey12 · August 27, 2014, 1:31am

Protecting a website is possible only by continued efforts. I agree that there can be a variety of ways for your website to be attacked. But there are also a lot of ways you can protect it. Have you tried researching the web for tips?

WolfShade · August 27, 2014, 1:33pm

Most of the security is handled by the host provider. If you are hosting it on your own, you have a lot of work to do.

On the flip side, as a developer there are many things that you can do to help reduce your site “attack surface”.

One of the biggest and (IMHO) most important things: SANITIZE USER INPUT.

Don’t just assume that all users are going to be benign and enter correct data - there are SQL injection attacks and cross-site scripting (XSS) attacks that are usually mitigated by sanitizing (stripping out certain things) user input.

Also, using parameterized queries helps reduce the risk of SQL injection. I’m not sure how that’s done in languages like ASP or PHP; but ColdFusion/Railo/Blue Dragon makes it very simple: cfqueryparam tag. (There’s also [URL=“http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7d52.html”]cfprocparam, if you’re using stored procedures.)

HTH,

dklynn · September 1, 2014, 10:22am

WS hit the nail on the head! NEVER allow user input to touch your database without being thoroughly checked for your EXPECTED submission (and quote scrubbed). SQL stored procedures will help with this but be sure that magic quotes are off (now the default), ALL variables are set to null before attempting to assign to a variable and all variable content checked by pattern matching the contents THEN using a function like mysqli_real_escape_string() to remove the single quotes … or change them to '.

Yes, strong passwords for your FTP (and database) are essential, too, but everyone know about those so I won’t harp on them.

Regards,

DK

WolfShade · September 2, 2014, 1:09pm

@dklynn ; I’ve been considering ‘ethical hacking’ as a career. How much learning/training is involved?