system — 2012-08-20T07:59:28-04:00 — #1
Recently I have developed a site but I am not satisfied with its security. I want to make it more secure against hackers. Can you please suggest new ways to protect my site from hackers?
edgarzakaryan — 2012-08-20T10:42:48-04:00 — #2
Hi, there is no way that will protect your site from hackers at all. You should look at any steps.
For example, if you are getting some values from the URL, for example id, and use it to select something from the database, then before making the query you should filter that value (you have to filter any value that comes from users; if you do not do that, hackers may use SQL injection).
Or if you are uploading images, you have to check that file to be sure that the file is an image.
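The id-from-URL case described in the post above, as an added example that is not part of the original post: the same lookup written with string concatenation and then with allow-list validation plus a bound parameter. The `articles` table, its rows and all function names are constructed for illustration, and SQLite stands in for whatever database the site uses.

```python
import sqlite3

def build_db():
    """Constructed sample data: an in-memory table standing in for the site's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                   [(1, "Welcome", 1), (2, "Pricing", 1), (3, "Unreleased draft", 0)])
    return db

def fetch_unsafe(db, raw_id):
    # BEFORE: the URL value is pasted into the SQL text, so it can rewrite the query.
    sql = "SELECT title FROM articles WHERE published = 1 AND id = " + raw_id
    return [row[0] for row in db.execute(sql)]

def parse_id(raw_id):
    """Allow-list validation: accept only 1 to 9 ASCII digits, otherwise return None."""
    if raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9:
        return int(raw_id)
    return None

def fetch_safe(db, raw_id):
    # AFTER: check the type first, then hand the value to the driver as a bound
    # parameter so it is always treated as data and never as SQL.
    article_id = parse_id(raw_id)
    if article_id is None:
        return []
    sql = "SELECT title FROM articles WHERE published = 1 AND id = ?"
    return [row[0] for row in db.execute(sql, (article_id,))]
```

Validation and parameter binding are separate layers: the bound parameter is what stops the injection, while the digit check rejects malformed requests before they reach the database.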
dklynn — 2012-08-20T23:08:58-04:00 — #3
First, WELCOME to SitePoint!
Second, please look through the threads in this board as there is a wealth of information here.
- Use VERY strong passwords
- Keep your "canned" programs up to date
- Use defensive coding. This includes edgar's admonition to validate and remove dangerous characters (<, >, http://, href://, ', ", and many others). If you're expecting a name, would you allow =? 9? etc.
- Verify uploaded files, i.e., that they were uploaded (rather than the server's password file) then, if an image is expected, PROCESS that image before moving it to your webspace, i.e., create a new image file and rescale the image (to change it) before saving to your directory
- Ask your host to run a maldet CRON on your account nightly. It will report any files containing malware at which time you MUST replace it with your original then look for the security hole you have
- Run your own nightly CRON scan to ensure that your files have not been changed, deleted or added to
While VERY strong passwords are exceptionally important, I believe that using good coding is the most important. Just ACT paranoid in your programming (test, test and test again) and you'll save yourself many hours/days of recovery effort.
FWIW, I've just relocated and configured the control panel to ignore/ban any illicit attempts to gain access. I've had several attacks each day with some coming so fast that the banning didn't have time to take effect! I'm not paranoid but there are those out there trying to get me (although I am sure that I'm anonymous to every one of them). Fortunately, the seemingly paranoid protections are doing their work!
snickn — 2012-08-23T10:17:05-04:00 — #4
I tend to suggest it often, but Cloudflare helps quite a bit in protecting your site against hackers.
bgil — 2012-08-24T20:54:49-04:00 — #5
You definitely want "bullet-proof" code and SSL, and do not help hackers with error messages like: ID is OK, but password is too short. If someone REALLY wants into your site, they can automate a signon script to try all IDs and passwords, and would eventually sign in. In computer time, it could take a while, but that may not be so long in human time. One trick is to temporarily lock out an ID for 30 minutes after 3 to 5 invalid signon attempts. The script keeps running, but doesn't know it's not going anywhere. If there are 3 temporary lockouts in an hour, shut down that ID. The flip side is that inconveniences the legitimate person with that ID, so be able to contact her. Also, if it's an admin ID, be sure you have alternative IDs to signon with. Of course, if someone guesses an ID and password on the first try --- oops.
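The lockout policy described in the post above, as an added example that is not part of the original post: a 30-minute lock after repeated failures, the ID disabled on the third lockout within an hour, and one identical message for every refusal. The class name, the `check_password` callback, the in-memory storage and the choice of 5 failures are assumptions; so is counting attempts made during a lock toward the next lockout, which is what lets a script that keeps running reach three lockouts in an hour.

```python
LOCK_SECONDS = 30 * 60        # temporary lockout length from the post
MAX_FAILURES = 5              # the post suggests 3 to 5
MAX_LOCKOUTS_PER_HOUR = 3     # third lockout within an hour disables the ID
GENERIC_ERROR = "Invalid ID or password."   # never says which part was wrong

class LoginGuard:
    def __init__(self, check_password):
        self.check_password = check_password  # hypothetical callback(user_id, password) -> bool
        self.failures = {}       # user_id -> failures since the last lock or success
        self.locked_until = {}   # user_id -> time the temporary lock ends
        self.lockouts = {}       # user_id -> times of recent lockouts
        self.disabled = set()    # IDs that an administrator must re-enable

    def attempt(self, user_id, password, now):
        """Return (ok, message); every refusal carries the same message."""
        if user_id in self.disabled:
            return False, GENERIC_ERROR
        locked = now < self.locked_until.get(user_id, 0)
        # While locked the password is never checked, so a correct guess fails
        # exactly like a wrong one and the caller cannot tell it is locked out.
        if not locked and self.check_password(user_id, password):
            self.failures.pop(user_id, None)
            return True, "Signed in."
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        if self.failures[user_id] >= MAX_FAILURES:
            self._lock(user_id, now)
        return False, GENERIC_ERROR

    def _lock(self, user_id, now):
        self.failures[user_id] = 0
        self.locked_until[user_id] = now + LOCK_SECONDS
        recent = [t for t in self.lockouts.get(user_id, []) if now - t < 3600]
        recent.append(now)
        self.lockouts[user_id] = recent
        if len(recent) >= MAX_LOCKOUTS_PER_HOUR:
            self.disabled.add(user_id)
```

A production version would persist this state in the database and notify the account owner when an ID is disabled, as the post recommends.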
system — 2012-09-10T07:56:35-04:00 — #6
Everything starts from updated software - from the OS to the coding language, as well as strong and quality programming of your application. Many CMS based sites are vulnerable if outdated. Also consider file/directory protection and defining .htaccess files in your hosting account.
the_wanderer — 2012-09-11T00:22:21-04:00 — #7
Ways to protect your site will vary depending on where you are hosting the web site. Generally speaking, protecting your site involves ensuring the web application is coded securely (no injection flaws, XSS or other web app vulnerabilities) AND that the server (operating system) is secure.
If you are hosting your site on a server you control you could use security enhancements like mod_security, the open source host based security agent ossec and general operating system hardening.
If you are using a managed hosting service, then it is a good idea to go with a provider that takes security seriously.
maxmash — 2012-09-11T00:37:03-04:00 — #8
First of all get very good secure hosting, also make sure that you have a backup of your website every week or alternate day.
Use captcha for spam and use strong passwords. A lot depends on what framework you are using as per which you can customize your security.
Hope these small tips help
duncanm — 2012-09-15T15:44:24-04:00 — #9
Also, make sure file permissions on the server are set correctly, and do NOT save your username and password in your FTP software.
system — 2012-09-22T23:57:21-04:00 — #10
It would as well be good to have a good antivirus program and malware protection on your work computer.
peterjohn123 — 2012-10-15T16:42:33-04:00 — #11
1. Website security is one of the biggest concerns of most website owners,
2. Making regular backups of your website is very important,
3. Open Source software is software that is freely available for anyone to download and use. While using free software is a great way to build your website, one of the negatives is that hackers also have access to the code to find ways to exploit it.
felgall — 2012-10-15T17:31:46-04:00 — #12
That's actually one of the positives since when security holes are easier to find they tend to get fixed far more quickly and so such software is likely to contain far fewer security holes than software where the source isn't available.