It's hard to know all of the prevention methods to be aware of when it comes to your website's security. Unfortunately, there are a multitude of threats on the internet that can attack your site in a variety of ways. Be prepared by regularly scanning your website for vulnerabilities so the issues can be caught, addressed, and remedied.
These are common security flaws that make your website susceptible to hacking.
1. Missing or Incorrectly Installed SSL Certificate
This is one of the most common issues found on websites. Many sites are either not encrypting their traffic or have their certificate incorrectly configured. Secure Sockets Layer (SSL) certificates allow the encryption of personal information and credit card numbers; it's crucial that you use an SSL certificate and that you install it correctly to protect your customers and any sensitive data that they might enter on your site. In fact, it's required that you have an SSL certificate if you run an e-commerce site that accepts major credit cards.
2. Unsecured FTP Access Settings
If your file transfer protocol (FTP) access settings aren't secure, your data could fall into the wrong hands. FTP sites are used to share files and data between clients and servers on a computer network. Depending on your industry, there might be compliance standards and regulations that you need to meet when sharing information with an FTP.
The common security regulations for the U.S. include:
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Federal Information Security Management Act (FISMA)
- Payment Card Industry Data Security Standard (PCI DSS)
- State privacy laws
While each industry deals with its own set of regulations, they all share a common purpose to protect information.
How To Secure Your FTP Site
Apply an SSL Certificate
We suggest that you use a more secure file share service, like FTPS or SFTP. You can do this by applying an SSL Certificate to your FTP.
Gate your FTP site
Instead of storing files and credentials on the DMZ or a private network, use a DMZ gateway (enhanced reverse proxy).
Strengthen your FTPS server
- Avoid using Explicit FTPS. If you do, you should force encryption for authentication and data channels
- Use Elliptic curve Diffie-Hellman key exchange algorithms
- Avoid using any version of SSL or TLS 1.0
Create strong passwords
Passwords should be longer than the minimum length requirement, include numbers, letters, and special characters (if allowed), and should not reference anything in your personal life.
Follow file and folder security
Make sure that the only the necessary people have access to the files and folders they need.
3. Ports are Left Open that Should be Closed
Finding an open port to expose a vulnerability is the first step in a website hacker's toolkit. If a server port doesn't need to be open, it's best practice to close them—like a door. Other than ports 80 (HTTP) and 443 (HTTPS), no other ports typically need to be open to your site. Running routine vulnerability scans ensures that no ports are being accidentally opened to your website through the CMS, plugins, or at the server level.
4. Outdated CMS
An up to date content management system (CMS) is one of the essential maintenance updates for your website. Your website receives the benefit of new functionalities and fixes for technical issues. Simply put, an updated CMS leads to a more secure website.
Here's an example of an outdated CMS:
You can see that their CMS is outdated by a couple of versions, some plugins need to updated, and other items need updating. The easy way to prevent an outdated CMS is to regularly update it.
5. Vulnerable Scripts - XSS
Cross-site scripting (XSS) attacks take place when malicious scripts are injected into trusted websites. Once the script has been executed, it can access cookies, tokens, or other sensitive information. It can also rewrite content of the HTML page and send malicious scripts to a user's browser that wouldn't be able to detect the malicious scripts. It's problematic enough to have affected Facebook, Google, and Paypal users.
6. Vulnerable SQL - SQL Injections
Structured query language (SQL) is the is the language used to communicate with a server and manage data. Similarly to XXS, SQL injections take place when an attacker injects a malicious input into SQL queries. This can allow attackers to access or extract data they should not have access to.
How To Prevent SQL Injections
To prevent SQL Injections, you should:
- implement input/data validation
- use parametrized queries/prepared statements
- never let the application code directly use the input
- sanitize all input—not just the login forms
- remove potentially malicious code
- hide database error messages
7. Outdated PHP Version
PHP versions are supported for two years after their release date. During that time, bugs and security issues are fixed and released. Ensuring that your website is running on the latest version of PHP will allow your website to run without issues.
8. Vulnerable Code - Clickjacking
Clickjacking occurs when you don't have a preventative code or plugin on your site. The ckicljacker modifies links on your website that take your customers to a different location than they intended. For this reason, clickjacking is also called a UI redress attack.
How To Prevent Clickjacking
There are two common ways to prevent Clickjacking:
- Send the appropriate Content Security Policy (CSP) frame-ancestors directive response headers. This tells the browser to not allow framing from other domains.
- Add code in the UI. This ensures that the current frame is the most top level window.
9. WordPress User Enumeration
Attackers can use this hacking method to trick your customers into entering secure information by leading them to believe they're on your site.
User enumeration occurs when an attacker runs a script against your site to reveal a list of your website's usernames. If any of your users have weak passwords, this could put you at risk.
At Onsharp, we scan our customers' websites every 90 days as part of our Website Essentials Package, and we rescan until the websites receive a passing score. We do this to address any new vulnerabilities that are found. We also offer a free one-time vulnerability scan to help those who aren't yet leveraging our Website Essentials Package to find out how vulnerable their website might be.