
12 Tips to Protect Your Company Website From Hackers

Making your website live is like unlocking the door to your premises with your office and safe
open: most of the people who visit your physical building will never even know that all of your data
is there to discover just by walking in. Occasionally you will find someone with malicious intent
who will walk in and steal your data. That is why you have locks on doors and safes.

Your website is just the same, except that you will never see anyone come in unless you have
protection systems in place. Electronic thieves are invisible and fast, searching your website for
details of customers’ accounts, especially their credit card information. You have a legal
obligation to protect this data from theft and to report security breaches that occur.

Theft is not the only thing on the mind of a hacker: sheer destruction is a major motivator. Hackers
may want to destroy all your records, put a sick message on your customers’ screens or just destroy
your reputation.

You can never undo the damage done by a hacker, but you can take steps to prevent it. Even the most
basic protection will discourage many hackers enough to make them go looking for easier pickings
elsewhere. Thieves are likelier to steal from people who leave their doors unlocked.

1. Stay updated.
You need to stay up to date with hacking threats. If you have at least a basic knowledge of what is
possible then you can protect your website against it. Follow updates at a tech site such as The
Hacker News. Use the information you gain to put fresh precautions in place when necessary.

2. Toughen up access control.

The admin level of your website is an easy way into everything you do not want a hacker to see.
Enforce user names and passwords that cannot be guessed. Change the default database prefix from
“wp6_” to something random and harder to guess. Limit the number of login attempts within a
certain time, even for password resets, because email accounts can be hacked as well. Never send
login details by email, in case an unauthorized user has gained access to the account.
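The "limit the number of login attempts within a certain time" advice above, as an added example that is not part of the original article: a sliding-window failure counter keyed by account name, with a lockout once the window fills. The policy values (5 failures per 5 minutes, 15-minute lockout), the in-memory storage and the `verify` callback are assumptions for the demonstration; a real site would keep the counters in a shared store and apply the same gate to password-reset requests.

```python
import time
from collections import defaultdict, deque

# Assumed policy values: at most MAX_ATTEMPTS failures per WINDOW_SECONDS
# for a given account, after which the account is locked for LOCKOUT_SECONDS.
MAX_ATTEMPTS = 5
WINDOW_SECONDS = 300
LOCKOUT_SECONDS = 900


class LoginThrottle:
    """Sliding-window failure counter keyed by account name.

    Counting per account (not only per client IP) is what stops a guessing
    campaign that rotates source addresses. State lives in process memory
    here; in production it would live in a shared store such as Redis.
    """

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock, handy for tests
        self._failures = defaultdict(deque)   # account -> timestamps of failures
        self._locked_until = {}               # account -> unlock time

    def is_locked(self, account):
        return self._now() < self._locked_until.get(account, 0)

    def record_failure(self, account):
        """Record a failed attempt; lock the account when the window fills."""
        now = self._now()
        q = self._failures[account]
        q.append(now)
        # Drop failures older than the window so old mistakes no longer count.
        while q and q[0] < now - WINDOW_SECONDS:
            q.popleft()
        if len(q) >= MAX_ATTEMPTS:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            q.clear()

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle, account, password, verify):
    """Gate a credential check behind the throttle.

    `verify(account, password)` is a hypothetical function that checks the
    password against the stored hash and returns True or False.
    Returns "locked", "ok" or "denied".
    """
    if throttle.is_locked(account):
        return "locked"          # do not even consult the password store
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"
```

Note that a locked account returns "locked" even for the correct password, so the response to the user should be the same generic message in both cases; a distinct "locked" signal is useful only for your own logging and alerting.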

3. Update everything.

Updates cost software companies money, so they only issue them when necessary; yet many people who use
the software do not install updates immediately. If the reason behind the update is a security
vulnerability, delaying an update exposes you to attack in the interim period. Hackers can scan
thousands of websites an hour looking for vulnerabilities that will allow them to break in. They
network like crazy, so if one hacker knows how to get into a program then hundreds of hackers will
know as well.

4. Tighten network security.
Computer users in your office may be inadvertently providing an easy access route to your website
servers. Ensure that:
• Logins expire after a short period of inactivity.
• Passwords are changed frequently.
• Passwords are strong and NEVER written down.
• All devices plugged into the network are scanned for malware each time they are attached.

Ever since I founded my hosting company, we've had to watch our network security on a minute-by-minute basis to avoid being hacked.

5. Install a web application firewall.

A web application firewall (WAF) can be software or hardware based. It sits between your website
server and the data connection and reads every bit of data passing through it.
Most modern WAFs are cloud based and provided as a plug-and-play service for a modest
monthly subscription fee. Basically, the cloud service is deployed in front of your server, where it
serves as a gateway for all incoming traffic. Once installed, a web application firewall provides
complete peace of mind by blocking all hacking attempts and also filtering out other types of
unwanted traffic, like spammers and malicious bots. This is a great way to avoid getting hacked like
Craigslist.

6. Install security applications.

While not as effective as a full-blown WAF, there are some free and paid-for security applications
that you can install that will make life a bit more difficult for hackers. In fact, even some free
plugins such as Acunetix WP Security can provide an additional level of protection by
hiding the identity of your website’s CMS. By doing so, this tool makes you more resilient against
automated hacking tools that scout the web looking for WordPress sites with a specific build and
version that has one or more known vulnerabilities.

7. Hide admin pages.

You do not want your admin pages to be indexed by search engines, so you should use the
robots.txt file to discourage search engines from listing them. If they are not indexed then they are
harder for hackers to find. This tutorial from SEObook.com is all the help you will need.
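An added example of keeping the admin area out of search indexes, not code from the article or from SEObook.com. It serves the robots.txt the text recommends and, because robots.txt is itself a public file that names the very path it is protecting, also adds the X-Robots-Tag response header to admin pages, which tells search engines not to index a page without publishing its path anywhere. The admin path and the minimal WSGI app are assumptions for the demonstration.

```python
# Assumed path of the admin area.
ADMIN_PREFIX = "/admin"


def robots_txt():
    """Body of /robots.txt: asks well-behaved crawlers to skip the admin area.

    This file is public, so anyone can read which path it is protecting;
    it only discourages crawlers, it does not hide anything."""
    return "User-agent: *\nDisallow: %s/\n" % ADMIN_PREFIX


def response_headers(path):
    """Headers to send with the page at `path`.

    Pages under the admin prefix carry X-Robots-Tag, which search engines
    honour even when the page is linked from elsewhere, and Cache-Control
    no-store so shared caches do not keep copies of admin screens."""
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/"):
        headers.append(("X-Robots-Tag", "noindex, nofollow"))
        headers.append(("Cache-Control", "no-store"))
    return headers


def app(environ, start_response):
    """Minimal WSGI application tying the two together."""
    path = environ.get("PATH_INFO", "/")
    if path == "/robots.txt":
        start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
        return [robots_txt().encode()]
    start_response("200 OK", response_headers(path))
    return [b"<html><body>page</body></html>"]


if __name__ == "__main__":
    # Run locally with the standard-library WSGI server and request
    # /robots.txt and /admin/login to see the two mechanisms.
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Neither mechanism is access control: admin pages still need authentication regardless of whether they are indexed.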

8. Limit file uploads.

File uploads are a major concern. No matter how thoroughly the system checks them out, bugs can
still get through and allow a hacker unlimited access to your site’s data. The best solution is to
prevent direct access to any uploaded files. Store them outside the root directory and use a script to
access them when necessary. Your web host will probably help you to set this up.

9. Use SSL.
Use an encrypted SSL protocol to transfer users’ personal information between the website and your
database. This will prevent the information being read in transit or accessed without the proper
authority.

10. Remove form auto-fill.

When you leave auto-fill enabled for forms on your website, you leave it vulnerable to attack from
any user’s computer or phone that has been stolen. You should never expose your website to attacks
that utilize the laziness of a legitimate user.

11. Back up frequently.

Just in case the worst happens anyway, keep everything backed up. Back up on-site, back up off-site,
back up everything multiple times a day. Every time a user saves a file it should automatically
back up in multiple locations. Backing up once a day means that you lose that day’s data when your
hard drive fails. Remember every hard drive will fail.

12. You can't hide your code.

You can buy software that says it will hide the code on your webpages. It doesn’t work. Browsers
need access to your code in order to render your website pages, so there are simple ways to get
around web-page “encryption.”
Disabling “right-click” as a way to view your website code is annoying to users because it also
disables every other “right-click” function, and there are simple workarounds that every hacker
knows anyway. If you have been told that it is possible then read this article on HTMLgoodies.com
to get in-depth explanations of why you can never hide your code.

Prevention of hacking

01. Keep software up to date

It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site
secure. This applies to both the server operating system and any software you may be running on
your website such as a CMS or forum. When website security holes are found in software, hackers
are quick to attempt to abuse them.

02. SQL injection

SQL injection attacks are when an attacker uses a web form field or URL parameter to gain access
to or manipulate your database. When you use standard Transact-SQL it is easy to unknowingly
insert rogue code into your query that could be used to change tables, get information and delete
data. You can easily prevent this by always using parameterised queries; most web languages have
this feature and it is easy to implement.
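The contrast described above, as an added example that is not from the article: the same lookup written once by pasting the request value into the statement text and once as a parameterised query. The in-memory SQLite database and its two sample rows are constructed for the demonstration; the `?` placeholder mechanism shown is the DB-API form that other Python database drivers provide as well (some use `%s` as the placeholder, with the same effect).

```python
import sqlite3


def make_db():
    """In-memory demo database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """The mistake the text warns about: the request value becomes part of
    the SQL text, so a quote inside it can end the string literal and
    rewrite the WHERE clause. Kept only for comparison with the safe version."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: the statement text is fixed and the value is
    passed separately, so it can only ever be compared as data."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()
```

The test value `' OR '1'='1` is the textbook illustration: against the vulnerable function it matches every row, against the parameterised one it is simply a name nobody has. The same rule applies to every other part of a query that comes from the request, including ORDER BY columns and LIMIT values, which cannot be parameterised and therefore need an allow-list instead.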

03. XSS

Cross-site scripting (XSS) attacks inject malicious JavaScript into your pages, which then runs in
the browsers of your users, and can change page content, or steal information to send back to the
attacker. For example, if you show comments on a page without validation, then an attacker might
submit comments containing script tags and JavaScript, which could run in every other user's
browser and steal their login cookie, allowing the attacker to take control of the account of every user
who viewed the comment. You need to ensure that users cannot inject active JavaScript content into
your pages.
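The comment-page scenario above, as an added example that is not from the article: the same list of comments rendered once by dropping the text straight into the HTML and once with output escaping. The sample comments, including two that carry standard harmless test markup, are constructed for the demonstration, and the page template is a stand-in for whatever templating your framework uses.

```python
import html
import re
from string import Template

# Constructed sample comments; the second and third carry markup that a
# browser would execute if it reached the page unescaped.
COMMENTS = [
    "Great article, thanks!",
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
]

PAGE = Template("<ul>\n$items\n</ul>")


def render_comments_unsafe(comments):
    """What the text warns about: comment text inserted into HTML as-is."""
    items = "\n".join("<li>{}</li>".format(c) for c in comments)
    return PAGE.substitute(items=items)


def render_comments_safe(comments):
    """Escape on output: <, >, &, quotes become entities, so every comment
    is displayed as text no matter what it contains."""
    items = "\n".join("<li>{}</li>".format(html.escape(c, quote=True)) for c in comments)
    return PAGE.substitute(items=items)


def contains_injected_tag(page):
    """Demo check: is there a raw <script> or <img> element in the output?
    The page's own <ul>/<li> markup is expected; anything else came from
    user input."""
    return re.search(r"<(script|img)\b", page, re.IGNORECASE) is not None
```

Escaping is context-specific: `html.escape` is right for text between tags and for quoted attribute values, but a value placed inside a URL, a `<script>` block or an event-handler attribute needs that context's own encoding, which is why most template engines escape automatically and why user input should not be placed in those contexts at all. Marking the session cookie HttpOnly additionally keeps it out of reach of any script that does run.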

04. Error messages

Be careful with how much information you give away in your error messages. Provide only
minimal errors to your users, to ensure they don't leak secrets present on your server (e.g. API keys
or database passwords). Don't provide full exception details either, as these can make complex
attacks like SQL injection far easier. Keep detailed errors in your server logs, and show users only
the information they need.

05. Server side validation/form validation

Validation should always be done both on the browser and server side. The browser can catch
simple failures like mandatory fields that are empty and text entered into a numbers-only
field. These checks can, however, be bypassed, so you should make sure you repeat them, along with
deeper validation, on the server side; failing to do so could lead to malicious code or scripting code being
inserted into the database or could cause undesirable results in your website.
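An added example covering both item 04 (error messages) and item 05 (server-side validation); it is not code from the article. An order form is re-validated on the server regardless of what the browser checked, field-level problems are reported back to the user, and anything unexpected during saving is logged in full on the server while the user sees only a generic message with a reference id. The form fields, limits and the `save` callback are assumptions for the demonstration.

```python
import logging
import re
import traceback
import uuid

log = logging.getLogger("orders")
logging.basicConfig(level=logging.INFO)

# Assumed limits for the demo form.
MAX_NAME_LEN = 100
MAX_QUANTITY = 1000
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_order(form):
    """Server-side re-check of what the browser may already have checked.

    `form` is a dict of raw string fields, as a web framework hands them
    over. Returns (clean_values, errors); errors maps field name to a
    short message safe to show the user."""
    errors, clean = {}, {}

    name = (form.get("name") or "").strip()
    if not name:
        errors["name"] = "required"
    elif len(name) > MAX_NAME_LEN:
        errors["name"] = "too long"
    else:
        clean["name"] = name

    email = (form.get("email") or "").strip()
    if not EMAIL_RE.match(email):
        errors["email"] = "invalid address"
    else:
        clean["email"] = email

    qty = (form.get("quantity") or "").strip()
    # isdigit() rejects "3.5", "-1" and "1e3", which a client-side
    # numbers-only field might or might not have let through.
    if not qty.isdigit() or not 1 <= int(qty) <= MAX_QUANTITY:
        errors["quantity"] = "must be a whole number between 1 and %d" % MAX_QUANTITY
    else:
        clean["quantity"] = int(qty)

    return clean, errors


def handle_order(form, save):
    """`save(clean)` is a hypothetical persistence function returning an id.
    Returns an (http_status, body) pair."""
    clean, errors = validate_order(form)
    if errors:
        return 400, {"errors": errors}
    try:
        order_id = save(clean)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        # The traceback (which may mention table names, file paths or a
        # connection string) goes to the server log only; the user gets a
        # reference id they can quote to support.
        log.error("order save failed ref=%s\n%s", ref, traceback.format_exc())
        return 500, {"error": "Something went wrong. Reference: " + ref}
    return 201, {"order_id": order_id}
```

Validation errors are deliberately specific ("required", "too long") because they describe the user's own input; the exception path is deliberately vague because it would otherwise describe your server.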

06. Passwords

Everyone knows they should use complex passwords, but that doesn’t mean they always do. It is
crucial to use strong passwords for your server and website admin area, but equally important to
insist on good password practices for your users to protect the security of their accounts.

07. File uploads

Allowing users to upload files to your website can be a big website security risk, even if it’s simply
to change their avatar. The risk is that any file uploaded, however innocent it may look, could
contain a script that, when executed on your server, completely opens up your website.
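An added example serving both tip 8 above (store uploads outside the root directory and reach them through a script) and this item; it is not code from the article. An avatar upload is checked by its file signature rather than the name or type the client supplied, written under a random name without the execute bit into a directory the web server does not serve, and handed back through a function that plays the role of the "script that accesses them". The upload directory (a temporary directory here so the example runs anywhere), the size limit and the image allow-list are assumptions.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Assumed configuration: UPLOAD_DIR is outside the web server's document
# root, so nothing stored in it can be requested directly by URL.
UPLOAD_DIR = Path(tempfile.gettempdir()) / "site-uploads-example"
MAX_BYTES = 2 * 1024 * 1024

# Allow-list of content we will store, recognised by leading bytes
# ("magic numbers"), never by the extension or Content-Type the client sent.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ("png", "image/png"),
    b"\xff\xd8\xff": ("jpg", "image/jpeg"),
    b"GIF87a": ("gif", "image/gif"),
    b"GIF89a": ("gif", "image/gif"),
}


def sniff(data):
    """Return (extension, content_type) for recognised data, else None."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def store_upload(data, user_id):
    """Validate and store an uploaded file; return an opaque handle.

    The client-chosen filename is never used, so '..' segments or a
    '.php' suffix never reach the filesystem; the file is created 0600."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    kind = sniff(data)
    if kind is None:
        raise ValueError("unsupported file type")
    ext, _ = kind
    UPLOAD_DIR.mkdir(parents=True, exist_ok=True)
    handle = secrets.token_urlsafe(16)
    path = UPLOAD_DIR / ("%d-%s.%s" % (int(user_id), handle, ext))
    with open(path, "wb", opener=lambda p, flags: os.open(p, flags, 0o600)) as fh:
        fh.write(data)
    return handle


def serve_upload(user_id, handle):
    """The access script: resolve a handle to (bytes, headers), refusing any
    handle that is not one we issued and any path outside UPLOAD_DIR."""
    if not handle or not all(c.isalnum() or c in "-_" for c in handle):
        raise ValueError("bad handle")
    matches = list(UPLOAD_DIR.glob("%d-%s.*" % (int(user_id), handle)))
    if len(matches) != 1:
        raise FileNotFoundError(handle)
    path = matches[0].resolve()
    if UPLOAD_DIR.resolve() not in path.parents:
        raise ValueError("path escaped upload directory")
    data = path.read_bytes()
    _, content_type = sniff(data) or ("bin", "application/octet-stream")
    headers = {
        "Content-Type": content_type,
        # Stop the browser second-guessing the type and rendering the bytes
        # as HTML, and serve as a download rather than an inline document.
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="%s"' % handle,
    }
    return data, headers
```

Serving through a function also gives you a single place to check that the requesting user is allowed to see the file, which a directory listing under the web root never does.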

08. HTTPS

HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees to users that
they're talking to the server they expect, and that nobody else can intercept or change the content
they're seeing in transit.

09. Website security tools

Once you think you have done all you can, it's time to test your website security. The most
effective way of doing this is to use website security tools; this kind of testing is often referred to as
penetration testing, or pen testing for short.
