Cyberattacks: 10 steps to protect your website

Every day, countless websites become the target of attacks. Many website operators do not care about the security of their pages, although this is an extremely important task. To keep you from becoming (or remaining) a target of such attacks, here is the most important information for preventing them.

There are countless types of attacks in this area. Maybe you have been a victim of an attack yourself and are now here to protect your site. Of course you can’t protect yourself against everything, but your site will be much safer if you follow the steps below!

SSL Certificate

SSL certificates for websites are responsible for secure communication between client and server. Secure (encrypted) connections can be recognized by the lock in front of the domain and the preceding https://.

In addition, certification authorities such as GlobalSign confirm the authenticity of a domain/website. This ensures that it is a real website and not a phishing page or the like. Especially for pages with a login, you should always make sure that this lock appears in front of the domain.

If your website deals with personal data, you absolutely need an SSL certificate. The use must also be mentioned in the privacy policy in an appropriate paragraph. For more information, please contact your data protection officer.

In order to get such a certificate, you can buy it from your hoster for a fee. Alternatively you can generate a free certificate from Let’s Encrypt. If you use Plesk to manage your hosting, you can install the extension for free and protect your domains and mail servers.

Fun fact: Google certifies its certificates itself 😉

For more information on SSL Certificates, contact GlobalSign.

SQL Injection

SQL injection is an attack in which foreign SQL code is introduced into the server-side system. This allows the attacker to obtain, manipulate or delete data, or even execute code on the target server.

Here is a small example. A MySQL statement is:

SELECT name, place, phone FROM index WHERE ID=4;

“4” was written into the SQL statement from user input, and everything is fine. However, if the user input is now

4; UPDATE name SET place='irgendwo' WHERE ID=4

the SQL statement looks like this:

SELECT name, place, phone FROM index WHERE ID=4; UPDATE name SET place='irgendwo' WHERE ID=4;

An update command has been inserted into the statement. The attacker simply changed a record in the database. In this example, only an unimportant value is changed, but such attacks can also be adapted to password columns and important or sensitive data.

Protecting yourself from SQL injections is a big task and is not in the hands of every website operator. If you program database applications yourself, you should read more about it on the internet. If you only manage your website with plugins, you should read the step Updates carefully.

Here you can find a PHP 7.* database class, which is secured against SQL Injections and you can use for free for your website.
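
The statement from above, once built by string concatenation and once as a prepared statement, as an added example that is not from the original post or the linked database class. The table name contacts, its sample row and the use of an in-memory SQLite database through PDO in place of MySQL are assumptions made so that the script runs on its own.

```php
<?php
// Added example, not from the original post. The table "contacts" and its row
// are constructed; in-memory SQLite (PDO) stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, place TEXT, phone TEXT)");
$pdo->exec("INSERT INTO contacts VALUES (4, 'Alice', 'Berlin', '555-0100')");

// The user input from the article, adapted to the constructed table name.
$input = "4; UPDATE contacts SET place='irgendwo' WHERE id=4";

// Vulnerable: the input is pasted into the SQL text, so everything after
// the semicolon is parsed as a second statement. exec() is used because it
// runs every statement in the string, like a MySQL connection that has
// multi-statements enabled.
function lookupConcatenated(PDO $pdo, string $id): void
{
    $pdo->exec("SELECT name, place, phone FROM contacts WHERE id=" . $id);
}

// Hardened: the statement is compiled with a placeholder first; the input is
// bound afterwards and can only ever be compared as a value.
function lookupPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare("SELECT name, place, phone FROM contacts WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Helper: read back the column the injected UPDATE tries to change.
function currentPlace(PDO $pdo): string
{
    return (string) $pdo->query("SELECT place FROM contacts WHERE id = 4")->fetchColumn();
}

$rows = lookupPrepared($pdo, "4");
printf("prepared, input 4: %d row(s)\n", count($rows));

$rows = lookupPrepared($pdo, $input);
printf("prepared, injected input: %d row(s), place is %s\n", count($rows), currentPlace($pdo));

lookupConcatenated($pdo, $input);
printf("concatenated, injected input: place is %s\n", currentPlace($pdo));
```

Run it with the PHP command line; the last line shows the record changed only in the concatenated variant.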

XSS (CORS)

XSS means cross-site scripting and is an attack that executes malicious code on the clients. How this happens is quite simple: In a form on a website you can of course write normal text. Let’s assume we have a guestbook where the text is simply displayed on the website, i.e. the user input is loaded 1:1 into the website. However, if the attacker enters JavaScript tags with malicious code instead of a text and this is embedded on the website, it is executed in the browser for all users. This is of course a considerable security risk.

CORS stands for Cross-Origin Resource Sharing and can prevent such attacks. It prohibits (or allows) connections for certain scripts or URLs. Therefore, you should definitely check your CORS configuration on the server.

Since this malicious code reaches the server via user input, it is advantageous to check every user input. You should refrain from blacklists. With blacklists, all user entries that are on this list are rejected. But since you never know which attack is used, it makes more sense to program whitelists. This means that you only allow user input that is on this list.

Further information about CORS can be found here.
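
The guestbook case described above, as an added example that is not from the original post: the name is checked against a whitelist pattern on input, and every field is HTML-escaped on output, so an entry containing script tags is shown as text instead of being executed. The field names, the pattern, the length limit and the sample entries are assumptions.

```php
<?php
// Added example, not from the original post. Field names, limits and the
// sample entries are constructed for illustration.

// Input side (whitelist): the name must match the allowed pattern; the
// message is free text, so only its type and length can be checked here.
function validateEntry(array $in): ?array
{
    $name = $in['name'] ?? null;
    $message = $in['message'] ?? null;
    if (!is_string($name) || !is_string($message)) {
        return null;                          // e.g. name[]=x sent as an array
    }
    if (!preg_match('/^[\p{L}\p{N} ._-]{1,40}$/u', $name)) {
        return null;                          // letters, digits, space . _ - only
    }
    if ($message === '' || strlen($message) > 500) {
        return null;                          // empty or longer than 500 bytes
    }
    return ['name' => $name, 'message' => $message];
}

// Output side: escape for HTML text and attribute context.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering: user input is placed 1:1 into the page.
function renderUnsafe(array $e): string
{
    return "<p><b>{$e['name']}</b>: {$e['message']}</p>";
}

// Hardened rendering: the same markup with every field escaped.
function renderEscaped(array $e): string
{
    return '<p><b>' . esc($e['name']) . '</b>: ' . nl2br(esc($e['message'])) . '</p>';
}

$entries = [   // constructed sample submissions
    ['name' => 'Anna', 'message' => 'Nice page, 5 < 7 stars!'],
    ['name' => 'Bob', 'message' => '<script>alert("guestbook")</script>'],
    ['name' => '<b>Eve</b>', 'message' => 'hello'],
];
foreach ($entries as $raw) {
    $entry = validateEntry($raw);
    echo $entry === null ? "rejected by whitelist\n" : renderEscaped($entry) . "\n";
}
```

Swapping renderEscaped for renderUnsafe in the loop shows the second entry arriving in the page as a live script element, which is the 1:1 embedding the text warns about.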

DDOS Protection

DDOS stands for Distributed Denial of Service and is an attack in which the server is brought to its knees by overload. This happens because a huge network of computers (a botnet) “spams” the server with connections.

Source: https://de.wikipedia.org/wiki/Denial_of_Service#/media/File:Stachledraht_DDos_Attack.svg

Fortunately, there are services that can stop such attacks. One provider is, for example, Cloudflare. However, these services usually cost money. Therefore you should consider carefully whether you need protection against DDOS attacks.

Passwords

This step is important for everyone. Not only administrators, but also private individuals should pay attention to secure passwords. This includes upper and lower case letters, numbers and special characters. In my opinion passwords should be at least 8 characters long.

If you have chosen secure passwords, I don’t think it’s important to change them regularly. Since you then have a large number of passwords and they are hard to remember, you can make life easier with password managers like KeePass.

Session Management

Logins require sessions to know which user is logged in and to provide all services. Session data is stored to uniquely identify a user. In the past these were often attached to the URL:

https://example.com/dashboard?sid=89234nFJK98nkdf823njkFsdn387$

If you now send this link to friends to show them this page, whoever opens it is logged in directly. The session ID was sent with the link and the server thinks it is the same user. With acquaintances this is normally not so bad. But imagine you share this link in a social network…

That is why, many years ago, it was decided to find another solution. Today you will only find links that look like this:

https://example.com/dashboard

Here the session ID is stored in a cookie, which is only stored in the temporary memory of the user. Others who open the link have no way to take over the user's session.

So when you implement your session handling, keep this in mind. 🙂

Public Information

There’s information that doesn’t belong in the public domain. For websites this includes e.g. the PHP version and the file path of the website.

To illustrate this, I have here a very revealing example. With Google I have the possibility to search not only for certain search terms, but also with parameters e.g. for file extensions and quotations. So I can use this search to display pages that have a phpinfo file publicly accessible. In this file the complete PHP configuration of a server is revealed and we get a lot of interesting information about the server.

I entered this in the Google search:

ext:php intitle:phpinfo

With this search I got about 12,000 results. One of the first search results gave me this result:

Below are hundreds of lines with all PHP settings. This is fatal, because this server is still running PHP version 4.4.2. Support and further development of this PHP version ended in 2008, and it contains serious security holes.

Source: https://de.wikipedia.org/wiki/PHP#PHP_4

You should therefore delete these sensitive files after use or protect them with a password (e.g. via a .htaccess file).

You should also make sure that your display_errors variable is set to Off on live systems, because error messages also give attackers information about the internal filesystem. It’s even worse with database errors. In the worst case, the access data is output here. This should be prevented at all costs. In your PHP settings you can instead specify that error messages should be written to a log file.

Validation

The subject of validation is a large area and interesting and even essential for developers. Validation is about checking and validating data sent from the client to the server according to certain rules. In doing so, invalid user data is rejected because it can also contain malicious code. This step is also important against XSS attacks.

Validation is even more important when data is written to a database. Without it, an attacker may even be able to execute server commands. In the worst case, data can be deleted or servers shut down. This attack is called SQL Injection.

To make clear what I mean by validation, here is an example in PHP:

<?php
// Read the GET parameters; a missing parameter becomes an empty string
$id = $_GET["id"] ?? "";
$type = $_GET["type"] ?? "";

// if id is not a number
if(!is_numeric($id)) {
	exit("id not valid");
}

// type must be one of the following strings
$types = array("slow", "slower", "normal", "fast", "faster");
// strict comparison: only an exact string match is accepted
if(!in_array($type, $types, true)) {
	exit("invalid type");
}

// Parameters successfully validated
// Code goes here

exit("success");
?>

Here the parameters id and type are passed as GET parameters. The script is aborted if id is not a number or type is not in the whitelist $types. The script is terminated by exit(). If the conditions do not apply, the rest of the code can be executed.

Updates

Almost every website is based on a CMS (Content Management System), such as WordPress, Drupal or Joomla. There are regular updates to ensure security, and that is not just a figure of speech: new security gaps are found again and again and closed as fast as possible by the developers. For this reason your CMS installation should always be up to date. With most CMS you can set e-mail notifications to be informed about new updates. You should use this and check your pages at regular intervals.

The same applies to the installed plugins. If updates are available, you should install them regularly.

Furthermore, your host system should always be up to date. Make sure you have the latest Linux (or Windows), PHP and MySQL installed. Again, patched versions will be released regularly to ensure user safety.

Before you update your site and plugins to the latest version, you should create a backup in case something goes wrong during the update and you have to restore the old version.

Backups

Regular backups also contribute to the security of your website. If you notice today that your site has been compromised, you can easily go back to an old state and update it to close the vulnerabilities.

Depending on which server system you use, you can configure backups. Many hosters offer regular snapshots for free or for an extra charge. If you manage your hosting via Plesk, you can use the backup manager or directly create a shell script which backs up directories like /var/www/vhosts to an external backup storage. Your host will be sure to help you choose the right backup solution.

Conclusion

As you can see, there are many possible vulnerabilities on a website. However, if you take these steps seriously, the risk of a successful attack is much lower. If you look at statistics on how many websites are hacked, I think that many website operators take security lightly. But you’re smarter now and don’t make these mistakes.

If you have further tips or feedback, please let me know in the comments! 🙂
