
Website Security: The Modern Day War




As Littlefinger said in Game of Thrones: “Information is power”. He may have been defeated and executed, but in today’s day and age his line still holds true: information definitely IS power, especially financial information, now that stealing no longer requires physical entry. All this wealth of information is amassed on the internet, and most of it lives in websites and web applications, as our virtual life has outgrown our actual life.

This staggering convenience has also brought about an era in which fraud and theft are easier than ever before, requiring extensive security measures, especially where websites are concerned. Here are 7 solid tips that will help keep your website secure and let you sleep a little better at night!


Prepare For the Battle




Updates are Your Best Friend!

Whether your website is built from scratch or on one of the most popular platforms, constant updates are your best friend. Platforms like WordPress and Joomla in particular release frequent updates that improve functionality and website security.

Websites built on these customizable frameworks and technologies are at higher risk because most of the software is open source, so anyone can study the source code your site runs on. It is exactly like printing your secret recipe in a national newspaper for the world to see. Additional vigilance is therefore required when laying out your website's security strategy. Set up a system to receive the release notifications these platforms publish; for WordPress, the “WP Updates Notifier” plug-in alerts you when an update is released.

You need to update as soon as a release is out. Yes, it is that important: hackers do not slack off and wait to hack your website the next day. Their bots constantly scan websites looking for weaknesses that could serve as an entry point. Any outdated source code, extension or integrated application is a gateway into your website that exposes all its sensitive information to possible threats. Make a habit of checking not only your website but everything attached to or integrated with it as well, such as plug-ins and third-party applications, and get rid of the outdated ones.

Ensure that the web host you use has a solid security policy and provides customer support. Otherwise, the best option for business owners is to hire a professional agency that maintains and secures the website regularly, because this is not a one-time job.




This is a tale as old as time but still highly relevant and very, very important! Your passwords are the first line of defense against malicious software and hackers. Everyone is aware of the basics of selecting a strong password, but what we fail to realize is that we are not being as sneaky as we think. Hackers have developed software programmed to try every possible combination of characters as your password until it gets it right. Scary, right? If they are able to guess a completely random string of numbers and letters, how hard will it be to guess the birthday that may be publicly displayed on your Facebook profile? So let’s take a look at the basics and some added tips to make the process easier and more secure for you.

The basics of a strong password are:

✓ Random string of numbers and letters

✓ CLI (Complex, Long, Unique)

✓ At least 12 characters long

✓ Combination of uppercase and lowercase

✓ Do not use the same or similar passwords for multiple platforms

✓ Change password after every few weeks

Now the question arises: how are you supposed to remember a random string of characters for every account you own, which is humanly impossible? The good news is that you don’t have to! You don’t even have to come up with the password yourself, because humans are creatures of habit and, no matter how hard you try, it is impossible to be completely random. The best solution is a password generator that also stores the passwords (in encrypted form, of course), making it quite easy to follow the protocols regarding password security. However, there are still a few things that depend on the user and that all the digitization and technology in the world cannot fix. If you share your passwords with a good number of people and they fail to keep them secure, the human error is catastrophic, so make sure to limit the number of people with access to your website.


Be a Miser with File Uploads


Allowing users to upload documents is like handing out invitations to virus-infested files, so extreme caution is required in filtering and handling them. There is still no reliable way to check whether a file is safe to execute, so in this case prevention is better than cure. The best case scenario is to allow no file uploads at all; however, file uploads may be a crucial part of your website's functionality, making them inevitable. In such cases deploy the strictest website security measures possible and treat every file with great suspicion. Simply checking the extension or the file size is not an effective way to ascertain whether a file is safe. The first step, in addition to checking extensions and sizes, should be to prevent the execution of any user-uploaded file. Set file permissions so that no uploaded file is allowed to execute or to make changes to the JavaScript or HTML of the website. Where permissions for a certain user need to be extended, make the change for a very brief period of time and then revert to the default.

Another precaution is storing the files outside the web root directory, so that uploaded files have no direct path to the source code and main data of your website. Fetching these files will require you to set up an additional script, but many service providers already have this set up, so it is not a very painstaking task. An additional, very obvious security measure is naming your directories in a way that makes them hard to locate. Calling a directory “root”, “admin” or “main” is no better than setting the password to ‘12345’: it is obvious and extremely easy to find, so make certain your directories are named something innocuous. This is just one more line of defense for your website security.
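The handling described above, as an added example that is not the article's own code: the allow-list of types, the 5 MB limit, the directory and the file names are all assumptions; the extension check is paired with a check of the file's leading bytes, the stored name is random, and the file is written without an execute bit into a directory that is meant to sit outside the web root.

```python
import os
import secrets
import stat
import tempfile

# Allow-list of extension -> leading magic bytes. Constructed for this
# example; restrict it to the types the site genuinely needs to accept.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024

def check_upload(filename, data):
    """Return the allow-listed extension, or None if the file is refused."""
    if len(data) > MAX_BYTES:
        return None                      # too large
    ext = os.path.splitext(filename.lower())[1]
    magic = ALLOWED.get(ext)
    if magic is None:
        return None                      # extension not on the allow-list
    # The extension alone proves nothing: the content must match it too.
    if not data.startswith(magic):
        return None                      # content does not match extension
    return ext

def store_upload(filename, data, upload_dir):
    """Write the file under a random, non-executable name inside upload_dir,
    which is meant to live outside the web root."""
    ext = check_upload(filename, data)
    if ext is None:
        raise ValueError("upload rejected")
    os.makedirs(upload_dir, mode=0o700, exist_ok=True)
    # The user's own filename never becomes part of the path.
    path = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    # O_EXCL refuses to overwrite an existing file; 0o600 gives the owner
    # read/write only, with no execute bit for anyone.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def demo():
    """Store a constructed PNG in a temp dir; return (extension, mode bits)."""
    with tempfile.TemporaryDirectory() as d:
        path = store_upload("holiday.PNG", ALLOWED[".png"] + b"\x00" * 32, d)
        return os.path.splitext(path)[1], stat.S_IMODE(os.stat(path).st_mode)
```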


HTTPS is The New Norm


HTTPS stands for Hypertext Transfer Protocol Secure. We may all be familiar with the term, but there are many misconceptions about what it is and how it works. It is commonly believed that converting to HTTPS or getting an SSL certificate (yes, it is the same thing) will solve all your security problems in a jiffy. This couldn’t be farther from the truth: all it does is add a layer of encryption at the transport layer. In simpler words, it protects your data while it travels from point A to point B. This may not sound like a big deal, but having an SSL certificate provides other benefits that are less evident. For example, Google has started boosting sites that have an SSL certificate, making it a great SEO tool. In addition, users are more likely to trust sites that have converted to HTTPS, especially when providing personal or financial information. HTTPS prevents MITM (man-in-the-middle) attacks, securing your data in transport and adding an extra layer of security.


Backups are Life Savers!


Have a plan B for everything in life, especially something as important as a website. Backing up the website saves time in the long run and provides a cushion against something catastrophic. If an attack occurs, instead of fixing the compromised version you simply restore the latest backup of the website, saving a lot of time and energy. For this to work, however, the backups need to be secure and kept up to date at all times. Having a backup of the backup is not a bad idea either: a local and an offsite copy will only help in the long run.


When The War Comes To You



SQL Injection Attacks


SQL injection attacks are a very common method of gaining access to or compromising your website's data. They are especially dangerous because the injection acts directly on the database, manipulating data or permanently erasing it. How can someone reach your website's database? To understand that you need to know a very basic fact about how data travels between the browser and the database. Whenever data is entered through a form, one of two HTTP methods carries it: POST sends the data to the web server inside the HTTP request itself, while GET sends it in the page URL. Either can be manipulated to change the SQL that is executed after the data arrives, especially if proper parameters are not set and open-ended queries are built from the input. For example:

    "SELECT * FROM table WHERE column = '" + parameter + "';"

Here “parameter” is whatever the user supplied, so its value can be changed to rewrite the query and completely alter the result of the execution. Explicit parameterization of queries is therefore good programming practice as well as a good security measure against unpleasant surprises.
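The concatenated query quoted above beside its parameterized form, run against a constructed in-memory SQLite table; this is an added example, not code from the article, and the table, the rows and the inputs are all made up for it.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("bob", "bob@example.com")])
    return conn

def lookup_unsafe(conn, parameter):
    """The article's pattern: the value is glued into the SQL text, so any
    quote character inside it becomes part of the query's grammar."""
    sql = "SELECT * FROM users WHERE name = '" + parameter + "';"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, parameter):
    """Parameterized query: the driver passes the value separately, so it is
    only ever compared as data and never parsed as SQL."""
    sql = "SELECT * FROM users WHERE name = ?;"
    return conn.execute(sql, (parameter,)).fetchall()

def apostrophe_breaks_unsafe(conn):
    """Even an honest value with a quote in it breaks the concatenated query."""
    try:
        lookup_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False

def demo():
    """Run both versions against the same inputs and return the row counts."""
    conn = make_db()
    # Constructed input: the quote closes the literal and the rest is read
    # as SQL, so the WHERE filter no longer restricts the rows returned.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_hostile": len(lookup_unsafe(conn, hostile)),   # 2: every row
        "safe_hostile": len(lookup_safe(conn, hostile)),       # 0: no such name
        "safe_normal": len(lookup_safe(conn, "alice")),        # 1
        "safe_apostrophe": len(lookup_safe(conn, "O'Brien")),  # 0, no error
        "unsafe_apostrophe_errors": apostrophe_breaks_unsafe(conn),  # True
    }
```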


XSS (cross-site scripting) Attacks


Progress in web technologies has made development faster and more convenient than ever, but it has brought along an array of security risks that have to be dealt with vigilantly. Mixed client- and server-side rendering in current frameworks has made attacking easier. Hackers can inject JS code that executes in the user's browser, and because client and server render together, the effects can reach the server side as well. The remedy for XSS attacks is quite similar to the prevention of SQL injection: treat the data that reaches the JS executing on the client as parameters, not code. Apply strict parameters to user-entered data and make sure the type of the entered values matches what you expect. The XSS defender’s toolbox also offers a header that limits the execution of JavaScript in the browser: the Content Security Policy (CSP) header is returned by the server and tells the browser which scripts may run, preventing the execution of anything unwanted.
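The two defenses named above combined in one response, as an added example that is not the article's code: user text is entity-encoded before it is placed in the page, and a CSP header with a per-response nonce allows only the site's own script tag to run. The page layout, the `/static/app.js` path and the directive set are assumptions.

```python
import html
import secrets

def escape_for_html(user_text):
    """Output encoding: '<', '>', '&' and both quote characters become
    entities, so the browser displays the text instead of parsing it."""
    return html.escape(user_text, quote=True)

def csp_header(nonce):
    """Content-Security-Policy value: scripts run only if they come from our
    own origin or carry this response's nonce. Script injected into the page
    body has no way to know the nonce, so the browser refuses to run it."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
    ])

def render_comment_page(user_text):
    """Return (headers, body) for a page showing a user-supplied comment.
    The nonce is generated per response and appears in exactly two places:
    the CSP header and the site's own <script> tag."""
    nonce = secrets.token_urlsafe(16)
    body = (
        "<!doctype html><html><body>"
        f"<p class=\"comment\">{escape_for_html(user_text)}</p>"
        f"<script nonce=\"{nonce}\" src=\"/static/app.js\"></script>"
        "</body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": csp_header(nonce),
        # Stops browsers from sniffing the response into another type.
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body

def nonce_matches(headers, body):
    """Check that the nonce in the CSP header is the one on the script tag."""
    nonce = headers["Content-Security-Policy"].split("'nonce-")[1].split("'")[0]
    return f'nonce="{nonce}"' in body
```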

Another soft spot that compromises website security is the set of CMS plug-ins integrated into and allowed on the website. Instead of configuring your website to support every available plug-in, look at the number of installs and the date of the latest update of each CMS app. This information shows its authenticity and popularity and that the author is still working on the plug-in and taking care of possible threats. If no update has been made for more than a year, that should be a cause for concern, since the author may have abandoned it, and outdated CMS apps are like an unlocked trap door leading right into your home. Another preventive measure is changing the default settings of any integrated CMS app upon installation, because most attacks rely on the application's default settings to predict and break their way into your website. Simply changing the settings will be an unpleasant surprise for any attacker.


DDoS (Distributed Denial of Service) Attacks


This kind of attack is usually carried out against e-commerce websites on special occasions, when even a few seconds of downtime can be catastrophic for the business. Already busy websites are further overloaded by bots and dummy users that occupy the website's bandwidth, turning away real users and eventually bringing the site down. DDoS attacks have a simple solution in the form of DDoS mitigation services, which perform a simple check on each visitor, without interrupting them, to distinguish real users from bots. Deploying this simple service can literally save your business million-dollar losses.

Website security is an ongoing battle that never stops. However, these simple tips can get you prepared and make things a lot easier. Most of them are simply good safety practices that will help keep you and your website a little safer in this digital age.




Copyright © 2018 HTMLPro®