This is one of the most common issues found on websites. Many sites are either not encrypting their traffic or have their certificate incorrectly configured. Secure Sockets Layer (SSL) certificates allow the encryption of personal information and credit card numbers; it's crucial that you use an SSL certificate and that you install it correctly to protect your customers and any sensitive data that they might enter on your site. In fact, it's required that you have an SSL certificate if you run an e-commerce site that accepts major credit cards.
If your file transfer protocol (FTP) access settings aren't secure, your data could fall into the wrong hands. FTP sites are used to share files and data between clients and servers on a computer network. Depending on your industry, there might be compliance standards and regulations that you need to meet when sharing information with an FTP.
The common security regulations for the U.S. include:
While each industry deals with its own set of regulations, they all share a common purpose to protect information.
We suggest that you use a more secure file share service, like FTPS or SFTP. You can do this by applying an SSL Certificate to your FTP.
Instead of storing files and credentials on the DMZ or a private network, use a DMZ gateway (enhanced reverse proxy).
Passwords should be longer than the minimum length requirement, include numbers, letters, and special characters (if allowed), and should not reference anything in your personal life.
Make sure that the only the necessary people have access to the files and folders they need.
Finding an open port to expose a vulnerability is the first step in a website hacker's toolkit. If a server port doesn't need to be open, it's best practice to close them—like a door. Other than ports 80 (HTTP) and 443 (HTTPS), no other ports typically need to be open to your site. Running routine vulnerability scans ensures that no ports are being accidentally opened to your website through the CMS, plugins, or at the server level.
An up to date content management system (CMS) is one of the essential maintenance updates for your website. Your website receives the benefit of new functionalities and fixes for technical issues. Simply put, an updated CMS leads to a more secure website.
Here's an example of an outdated CMS:
You can see that their CMS is outdated by a couple of versions, some plugins need to updated, and other items need updating. The easy way to prevent an outdated CMS is to regularly update it.
Cross-site scripting (XSS) attacks take place when malicious scripts are injected into trusted websites. Once the script has been executed, it can access cookies, tokens, or other sensitive information. It can also rewrite content of the HTML page and send malicious scripts to a user's browser that wouldn't be able to detect the malicious scripts. It's problematic enough to have affected Facebook, Google, and Paypal users.
Structured query language (SQL) is the is the language used to communicate with a server and manage data. Similarly to XXS, SQL injections take place when an attacker injects a malicious input into SQL queries. This can allow attackers to access or extract data they should not have access to.
To prevent SQL Injections, you should:
PHP versions are supported for two years after their release date. During that time, bugs and security issues are fixed and released. Ensuring that your website is running on the latest version of PHP will allow your website to run without issues.
Clickjacking occurs when you don't have a preventative code or plugin on your site. The ckicljacker modifies links on your website that take your customers to a different location than they intended. For this reason, clickjacking is also called a UI redress attack.
There are two common ways to prevent Clickjacking:
Attackers can use this hacking method to trick your customers into entering secure information by leading them to believe they're on your site.
User enumeration occurs when an attacker runs a script against your site to reveal a list of your website's usernames. If any of your users have weak passwords, this could put you at risk.