Is Your Website a Sitting Duck for Hackers? Cybersecurity Best Practices

If your website gets hacked, the hackers behind the scenes can wreak all kinds of havoc on your website, your database, and even your company’s reputation in ways you may not even realize. They can steal personal information and credit card numbers, shut down your website, destroy your information, inject your content with malicious links, use your server as an email relay for spam, store illegal files on your server, install spyware or spybots that monitor the activity of your users … the list goes on and on. Which is why you have to ask yourself, is your website a sitting duck for hackers?

And then, let’s talk about the cost. According to a 2016 IBM study, the average cost of a data breach to a company can be $4 million.

How likely is it that you could be hacked? According to an Identity Fraud Study released by Javelin Strategy & Research, 13.1 million U.S. consumers had money stolen from them via identity theft and cybercrime in 2015. Another Identity theft report cites 781 data breaches in 2015. Hackers and cybercriminals are out there looking for weak security. So, how can you help protect yourself, your customers, and your data and make sure your website isn’t a sitting duck for hackers?

Keep software up to date

Software companies regularly update their programs to make sure they aren’t vulnerable to cyber attacks. Keeping up with these system updates is important. You should do the same with applications and website plugins. The security layers that have been coded into software, applications and plugins you use will only protect you if you are running the most updated versions.

Use SSL Certificate

SSL stands for “Secure Sockets Layer”. It’s just like it sounds: a layer of security that protects information passing between your website and web server or database. SSL Certificates prevent the information from being read in transit and are standard internet security protocol. How do you know when a website uses SSL? Easy – their url starts with https:// instead of http://. And savvy consumers are definitely looking for this before they pass personal information through any forms or other portals on your website.

Use a web application firewall

A web application firewall creates a first line of defense for your website. This type of firewall inspects incoming traffic and weeds out suspicious or malicious requests.

Use antivirus software

The programs you run may have security measures, but you want as many layers of protection as possible. Antivirus software prevents infections caused by malware from ruining your database or programs.

Disguise your admin directory

Your admin directory is a gold mine of information that Hackers would love to get their hands on. Hackers can use scripts that scan the directories on your web server, looking for files and folders called “logins” or “admin”. So, don’t use names that will giveaway these important documents.

Use extra caution with forms

There are several ways hackers can affect your website or get in via forms. So, keep these best practices in mind as you’re programming and using forms on your site.

Always check the data that’s submitted through a form, and encode or strip out any HTML. Hackers use a technique called cross-site scripting (XSS), where they try and pass scripting code into a web form in an attempt to run malicious code for visitors to your site.

You should also disable auto-fields for the forms on your website to protect against hackers who may have possession of someone’s computer or phone. The auto-fill function will give them all the information they need to get in, steal someone’s identity, and do serious damage.

Finally, when dealing with forms on your website, always use parameterised queries for your SQL. This will prevent a SQL injection attack, one of the most dangerous web vulnerabilities. These attacks happen when a hacker uses a web form field or URL parameter to insert rogue code into your query. The results could be disastrous to your database.

Watch what your error messages say

Be careful how much information you give away in an error message. For example, if login information is incorrect, you don’t want to give away which part was incorrect. Be vague by using phrases like “Wrong username or password,” so hackers don’t know which form fields they are getting wrong.

Rethink allowing users to upload files

Allowing users to upload files can be a huge security risk – even for little things like avatar photos. No matter how trivial the file may look, it could contain script that, when executed, opens you up to attackers.

Limit the number of login attempts

Multiple login attempts could mean someone is desperately trying to remember their password – OR someone is desperately trying to get in. While it may be frustrating for those who can’t seem to remember their login credentials, putting a limit on the number of login attempts is a best practice.

Network security

You can do all the things listed above to secure your server and still become vulnerable, if someone on your network is careless. To keep your network security strong:

  • Scan everything plugged in to the network for malware
  • Make passwords expire after a certain time period
  • Require strong passwords

Use strong passwords

This advice should seem like a no-brainer, but ‘12345’ is not an acceptable password. Hackers use all sorts of tactics to figure out passwords, which means using strong passwords is extremely important. Make sure your password has at least 12 characters and is a combination of numbers, symbols, and upper and lower case characters. You should also never use the same password for multiple sites. Best practices these days include coming up with pass phrases (such as sentences instead of single words) and then subbing out numbers and symbols for some of the letters. For example, “timetowalkthedog” could be made stronger by writing it as [email protected]!” (and then throw in some random symbols in the beginning, middle, or end, just for good measure). The phrase serves as a mnemonic device, yet this password would be difficult to break.

If you collect personal client information or run an ecommerce website, you have a legal obligation to secure your website. As a business owner, it’s in your best interest to ensure your own system is safe and secure and that hackers are not using your server to conduct illegal activity. There’s a lot of damage that can be done, so make sure your website is not a sitting duck. Secure it using these security tips.

Have more questions? Wondering how secure your website and systems actually are? We’re available if you have more questions. Reach out to us at RTS Labs – we’re always ready for interesting conversations!