Web security is the rage these days because of multiple hacking incidents that make the news.
But what’s frustrating is that despite so many articles on the subject, corporates and small websites alike make easily avoidable mistakes when it comes to handling things the right way.
A few steps in the right direction is all that’s needed to keep your site secure.
Let’s have a look.
Don’t use random codes from strangers
Random codes from publicly posted repositories on sites like GitHub, Sourceforge and Bitbucket may carry malicious codes.
Here’s how to save yourself with a little bit of smart thinking. You can deploy the code in maintenance mode and see how it works before making it live.
That way you prevent hundreds of hours of head-butting.
Taking no precautions might result in the malicious code taking over your site and cause you to forgo the administrative privileges of your site and lose your hard work.
Never copy paste codes from random strangers on the internet. Do some research on the person and then proceed to audit the code you get.
You might feel that you’ll be able to save some time copy-pasting some code but getting it wrong just once is enough for a boatload of troubles.
For an ex: Vulnerable WordPress plugins malicious codes that can take control of your site or harm the site in less critical ways like inserting follow links to third party sites and siphoning of link juice.
Such links often appear only when Googlebot visits the site, and for all regular visitors, the link remains invisible.
Charles Floate and Wordfence teamed up to cite many recent examples of WordPress plugin vulnerabilities.
The way this scam works is some malicious SEO send outreach emails to WordPress plugin owners whose plugins haven’t been updated in a while.
They offer to purchase the plugin and then run an update to that plugin.
Most people never bother to check what’s been updated in the plugin. There’s so many of them that they run an update as soon as it appears.
But in this case, the plugin would create a backdoored access to the SEO website or client sites. All sites using the plugin now inadvertently become part of a PBN network.
Some of these plugins have over 50000 active installs. In fact, one of the plugins listed is used on my site, and I didn’t know about the backdoor until now.
These plugins also gave them administrative access to the affected sites.
They could very well take over a competitor site with this method and no-index it, effectively making it disappear in the SERPs.
Encrypt Sensitive Information
When you’re dealing with sensitive data, it should never be taken for granted.
It’s always the wiser option to encrypt sensitive data. Personal information surrounding customers and user passwords fall into this category.
A strong algorithm should be used to this end.
For example, AES 256 is one of the best ones. The U.S. government itself is of the opinion that AES could be used to encrypt and protect classified information and the cipher behind the hood has been publicly approved by the NSA.
AES comprises the following ciphers: AES-128, AES-192, and AES-256. Each cipher encrypts and decrypts data in 128-bit blocks and provides enhanced security.
If you are running a member-based site, eCommerce, accepting payment then you must secure your site with a TLS certificate.
User data should always be protected.
Accepting user data over unsecured connections always gives a hacker the chance to siphon off precious data.
The problem with storing credit card information is that you become a target.
Sonic Drive-In publicly announced that a breach into the company servers resulted in millions of stolen credit and debit cards.
Other restaurants, drive-ins like Chipotle and Arby’s also experienced similar hacks.
At times you’ll need to accept credit card information and save it for recurring billing. That requires that you’re a PCI complaint.
Being PCI compliant is hard-work.
Not only do you need someone PCI savvy, but you also need to update the site and database to remain compliant frequently.
Compliance is not a one-time requirement, and the PCI changes them regularly to address emerging threats.
Instead, you may skip the hard part and choose a payment processor like Stripe that does the heavy lifting for you.
They’re big, they have a support that works round the clock, and they’re a PCI complaint.
And if you are running an online store then you may consider using Shopify.
If in case you do store credit card information, take particular care that the files that store the credit card information and the hardware where they’re stored should both remain encrypted.
Patch it Immediately
Here’s an example to make my point.
A zero-day exploit that worked by compromising Apache struts was brought light by March 7, 2017.
By March 8, Apache released patches to overcome the problem. But it takes a long time between publishing a patch and companies to take action.
Equifax was one of the companies that got hacked.
Equifax said in a statement that on Sep. 7 2017, hackers stole personal information on 143 million customers.
The hackers exploited the very same application vulnerability we discussed above to get inside the system.
The vulnerability was in Apache Struts, a framework for building Java-based web applications.
The hackers exploited that fact when Struts sends data to the server they could compromise that data. Using file uploads, hackers triggered bugs that allowed them to send malicious codes or commands.
According to the company, “customer names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers” as well as “credit card numbers for approximately 209,000 consumers.” In addition to that, 182,000 credit-dispute documents, which contain personal information, were also stolen.
As you can see, being aware of the changes in technology and being up to date with your software patches and a little bit of hindsight is often always more than enough to tide over most troubles.