Web security isn’t just something that big corporations and the government have to be concerned about. It is a problem that affects everyone from small business owners to web developers to consumers. What is more, web security isn’t always about technology. Sometimes, the best way to be safe online comes down to simple practices like the strength of your password. Here is a look at some of the simplest, yet most effective methods of staying safe online.
You’ve heard it a thousand times, but it bears repeating because so many people don’t follow the rules. Simple passwords aren’t secure, and reusing the same password over and over again is a great way to get into serious trouble. Your password should be a combination of letters and numbers as well as special symbols, depending on what is allowed. Avoid using whole words and opt instead for partial words or random letters. Use a different password for critical applications than you use for things like Facebook.
Limit or Ban File Uploads
Allowing file uploads, even images, can give a hacker the ability to get a malicious script onto the server hosting your site. If you must allow file uploads, then you need to prevent users from executing the files they upload. Good options for curtailing execution include renaming the file on upload, changing its file permissions, or scanning the file for viruses and other malicious software.
Any time you send or receive personal information or other sensitive material, you should use a secure socket layer, or SSL. Users will look to see if your website uses SSL and may forgo posting there or buying items from your site if it does not implement SSL. In particular, you should always serve a login page over SSL. This requires more server resources, but makes sure that the browser isn’t redirected to a malicious site.
Customize Error Messages
Error messages can communicate information about why your site failed that can be useful to hackers. You want them to get generic responses to errors, not specific details. Messages like “incorrect username or password” are better than specifying one or the other, which would tell the attacker that at least half of their query was correct.
Everything should be validated both before it is transmitted to the server and after it is transmitted to the server. This applies to SQL queries as well. PHP has built-in functions for validation, so use them. You will want to take special care to either strip HTML from submitted content or encode it to avoid problems with cross-site scripting (XSS).
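As an added illustration of that advice (example code written for this article, not taken from any project), here is the server-side half in PHP: whitelist validation with the built-in filter functions, a prepared statement so user input is never concatenated into SQL, and HTML encoding on output. The `$pdo` connection and the `users` table with columns `id`, `username` and `email` are assumed.

```php
<?php
// Added example: validate, query safely, encode on output.
// Assumes a PDO connection $pdo and a users(id, username, email) table.

function validateSignup(array $post): array
{
    $errors = [];
    // Whitelist the username: 3-32 letters, digits or underscores only
    $username = filter_var($post['username'] ?? '', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[A-Za-z0-9_]{3,32}$/']]);
    if ($username === false) {
        $errors[] = 'Invalid username.';
    }
    // Use PHP's built-in e-mail validator rather than a hand-rolled check
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'Invalid email address.';
    }
    return ['username' => $username, 'email' => $email, 'errors' => $errors];
}

function findUserByName(PDO $pdo, string $username): ?array
{
    // Prepared statement: the value is bound as data, never spliced into SQL
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function escapeHtml(string $text): string
{
    // Encode for an HTML context so stored text is displayed, not executed (XSS)
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Server-side validation runs regardless of what client-side JavaScript checked
$result = validateSignup($_POST);
if ($result['errors'] !== []) {
    http_response_code(400);
    foreach ($result['errors'] as $e) {
        echo escapeHtml($e), "<br>\n";
    }
    exit;
}
$user = findUserByName($pdo, $result['username']);
echo '<span class="user">', escapeHtml($user['username'] ?? ''), '</span>';
```

Client-side checks are still worth keeping for usability, but only the server-side pass above can be trusted, since anything sent from the browser can be altered.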
Keep your software up to date and you’ll avoid a lot of headaches. Keeping up to date is especially important when you are using popular software like WordPress, phpBB, Joomla, etc. Hackers will always check the version of software you are running to determine if an old trick will work on your site. They don’t want to do any more work than they have to, after all.
When you think that your website is secure, it’s time to start testing. A number of point-and-click software tools make it easy to test for vulnerabilities like SQL injection problems, cross-site scripting vulnerabilities, and so forth. Common tools include Netsparker, w3af, BackTrack (Linux only), Cain and Abel, and Retina.
If you want to provide a safe, stable web experience for your users, then you have to pay close attention to security. How prominent your site is will determine whether or not you are able to do most of the security work yourself. The techniques and tips above will get you started, but there is a great deal more knowledge out there, so don’t stop here.