Website security has been a top priority for web designers and developers for a long time. Over the internet’s colorful history, a lot of methods and tools have been developed to make websites hard to break into, or at least ready for a serious attempt.

Whether you are designing an online store, a niche blog, or just a corporate website, security should always be kept in mind.



Now, as a web designer/developer, you are tasked not only with creating beautiful web pages but also with keeping them protected from parties who want to break in and take advantage of them. You need to enforce security measures to prevent the dreaded situation of being hacked.

There are many ways of hacking a website, so many different measures have to be implemented to prevent these situations. There is, however, no single fool-proof way to keep attackers out. The best you can do is make the attempt really difficult, to the point where the attacker gives up or moves on to an easier target.

Common Hacking Methods

As I’ve said, there are various methods of penetrating a website’s security. Attackers use them to destroy or manipulate the site they target. We introduce them here so that you can apply countermeasures to prevent and fight such shenanigans.

SQL Injection

You cannot deny that SQL Injection is listed among the most dangerous attacks against websites and systems. It involves typing SQL code into inputs such as login fields or even the browser address bar. If the application pastes that input straight into a query, the attacker gains access to the website’s database.

When you enter your username and password in a login form, the data you key in is inserted into an SQL command. That command looks the data up in the relevant table of the database.

If a matching row is found, you are granted access. Otherwise, you will not be able to log in.

SQL Injection happens when an attacker pastes SQL commands of their own into those fields. A well-written site validates the data being entered; a badly written one simply concatenates it into the query text.

If the data contains even a single quote (‘) at the end of a username, the quote closes the string literal in the query and whatever follows is parsed as SQL. At the very least the database returns a syntax error, and that error tells the attacker the field is injectable.

The attacker may not log in to your website with that first query, but the error messages and the behaviour of the query let them learn your database name, tables and key fields. With that information they can craft SQL for the other fields of your website and read, and often modify, the contents of your database.

How do I defend my site against SQL Injection?

  • Ensure correct data types (cast numbers to numbers before they go anywhere near a query)
  • Use parameterized queries, so data is never parsed as SQL
  • Restrict the database account’s permissions to what the application needs
  • IIS global filtering (on ASP.NET/IIS hosts)
  • Leave request validation on (on ASP.NET hosts)
  • Consider using an ORM, which parameterizes queries for you
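To make the mechanism concrete, here is an added example (not code from the original article) in Python with the standard sqlite3 module, standing in for whatever PHP/MySQL login code a site might have. The table, the account and the attacker inputs are all constructed for the demo. It shows the three things described above: a single trailing quote producing a database error, the classic comment and OR tricks logging the attacker in through a concatenated query, and the same inputs failing harmlessly against a parameterized query.

```python
import sqlite3


def make_db():
    """Constructed sample database: one users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by pasting user input straight into the SQL text.

    A quote in the input closes the string literal, so the rest of the
    input is parsed as SQL instead of being compared as data.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Sends the SQL and the data separately; the driver never parses data as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def quote_probe_errors(conn, username):
    """The attacker's first test: does a stray quote make the database choke?

    Returns True when the concatenated query raises a database error,
    which is the signal that the field is injectable.
    """
    try:
        login_vulnerable(conn, username, "x")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    print("stray quote causes an error:", quote_probe_errors(db, "alice'"))
    # Comment out the password check entirely: ... username = 'alice' --' AND ...
    print("comment trick, vulnerable:", login_vulnerable(db, "alice' --", "wrong"))
    # Make the WHERE clause always true: ... AND password = '' OR '1'='1'
    print("OR trick, vulnerable:", login_vulnerable(db, "nobody", "' OR '1'='1"))
    print("comment trick, parameterized:", login_parameterized(db, "alice' --", "wrong"))
    print("OR trick, parameterized:", login_parameterized(db, "nobody", "' OR '1'='1"))
```

Note that the fix is not escaping quotes by hand: the parameterized version never builds SQL text out of input at all, so there is nothing for a quote to close.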

Cross Site Scripting (XSS)

Commonly known as XSS, Cross Site Scripting is one of the more difficult attacks to deal with. Over the years, Microsoft, MySpace and Google have all had a hard time with it.

XSS involves malicious JavaScript that gets smuggled into a page your visitors trust, typically through hyperlinks carrying crafted parameters or through user-submitted content that the site displays unescaped. Once it runs in the victim’s browser it can take over sessions, hijack ads in apps and steal personal information.

You will surely remember this: you accidentally click a weird-looking pop-up and it leads to a website that looks like a messenger app. Then a cute girl with seemingly questionable English chats you up and says, “You wanna see my p*ssy? Click here.”

With the what-the-hell-she’s-hot-anyway mentality, you click the link and a sketchy-looking URL appears:

[%63%61%74%69%6f%6e%3d%274%74%70%3a%2f%2f%77%7…]

At first you may think nothing has happened. But boy, you have never been so wrong. A link like this carries a script that can steal your session cookies (sounds like you’re being bullied), and with those an attacker can hijack your session and, through it, your personal information.

How do I prevent Cross Site Scripting?

  • Never insert untrusted data except in allowed locations.
  • HTML escape before inserting untrusted data into HTML element content.
  • Attribute escape before inserting untrusted data into HTML common attributes.
  • JavaScript escape before inserting untrusted data into JavaScript data values.
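The four rules above are the OWASP XSS prevention rules, and the point is that each output context needs its own escaping. As an added example (not code from the original article), the Python functions below render an untrusted string into HTML element content, into an attribute and into a JavaScript value, next to the naive version that just concatenates. The payloads and the page fragments are constructed for the demo; the template strings are assumptions, not any real project’s markup.

```python
import html
import json


def render_unsafe(comment):
    """What most XSS bugs look like: untrusted text pasted into the page as-is."""
    return "<p>" + comment + "</p>"


def render_element(comment):
    """Rule: HTML-escape before inserting untrusted data into element content.

    html.escape turns < > & " ' into entities, so a <script> tag in the
    comment is displayed as text instead of being parsed as markup.
    """
    return "<p>" + html.escape(comment) + "</p>"


def render_attribute(title):
    """Rule: attribute-escape before inserting untrusted data into an attribute.

    The attribute value is always wrapped in double quotes, and the escaping
    (quote=True) makes sure a quote in the data cannot end the value early and
    start a new attribute such as onmouseover=...
    """
    return '<a href="/profile" title="%s">profile</a>' % html.escape(title, quote=True)


def render_js_value(display_name):
    """Rule: JavaScript-escape before inserting untrusted data into a JS value.

    JSON encoding yields a valid JS string literal, but json.dumps leaves
    < > & alone, so a value containing </script> would still close the
    script block.  Encoding those three as \\uXXXX keeps the literal intact
    while the browser's JS engine still decodes them to the original text.
    """
    encoded = json.dumps(display_name)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return "<script>var displayName = %s;</script>" % encoded


if __name__ == "__main__":
    # Constructed attacker inputs, one per context
    print(render_unsafe("<script>alert(document.cookie)</script>"))
    print(render_element("<script>alert(document.cookie)</script>"))
    print(render_attribute('" onmouseover="alert(1)'))
    print(render_js_value("</script><script>alert(1)</script>"))
```

The rule "never insert untrusted data except in allowed locations" is the one the code cannot help with: there is no safe escaping for data dropped directly into a `<script>` block outside a string literal, into a CSS value or into an event handler attribute, so those locations simply must not receive untrusted input.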

Authorization Bypass

Simple as it may present itself, authorization bypass is very scary! Often used against poorly designed apps or a CMS, this attack can wreak total havoc on your website. The weakness it exploits is an “authorization” check that runs in the visitor’s browser, where the visitor, not you, is in control of it.

It works in this simple process:

  1. Look for a weak, poorly secured log-in page.
  2. View the source code.
  3. Copy the code into Notepad.
  4. Delete the authorization JavaScript and change a link or two.
  5. Save the file.
  6. Open the file in the browser, log in and press Enter.
  7. Voila. Access!
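Why the procedure works, as an added example (not code from the original article) in Python: the request handler on the left trusts a flag the browser sends, which is exactly what the attacker changes in the saved copy of the page, while the handler on the right ignores every claim the client makes and looks the role up in server-side session state. The session store, the form fields and the status codes are constructed for the demo.

```python
# Constructed server-side session store: session id -> who the server knows
# the visitor to be.  In a real app this lives in a database or cache.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "editor"},
    "sess-root": {"user": "root", "role": "admin"},
}

# The kind of page the attacker edits: the "authorization" is a JavaScript
# check that can be deleted, after which the form posts is_admin=1 happily.
LOGIN_PAGE_WITH_CLIENT_SIDE_CHECK = """
<form method="post" action="/admin" onsubmit="return isAdmin()">
  <input type="hidden" name="is_admin" value="0">
  <input type="submit" value="Enter admin area">
</form>
<script>function isAdmin() { return document.forms[0].is_admin.value == '1'; }</script>
"""


def admin_page_trusting_client(form):
    """Vulnerable: the only check is a field the browser chose to send."""
    if form.get("is_admin") == "1":
        return 200, "admin panel"
    return 403, "forbidden"


def admin_page_server_checked(cookies, form):
    """Fixed: the form is irrelevant; authorization comes from server-side state."""
    session = SESSIONS.get(cookies.get("session_id"))
    if session is None:
        return 401, "login required"
    if session["role"] != "admin":
        return 403, "forbidden"
    return 200, "admin panel"


def attacker_request():
    """What arrives after steps 1 to 7: no session, and is_admin edited to 1."""
    return {}, {"is_admin": "1"}


if __name__ == "__main__":
    cookies, form = attacker_request()
    print("trusting client:", admin_page_trusting_client(form))
    print("server checked :", admin_page_server_checked(cookies, form))
    print("real admin     :", admin_page_server_checked({"session_id": "sess-root"}, {}))
```

Anything in the HTML, the JavaScript, hidden fields, cookies set by your own script or request headers is under the visitor’s control; only state the server itself created after a successful login counts.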

How do I determine if my website is vulnerable?

  • Do your server’s processes run as root, Administrator, LOCAL SYSTEM or other privileged accounts?
  • Does your web app access the database as SA or another administrative account?
  • Can your application reach the database through accounts with more privileges than it needs?
  • Do your application server virtual machines run with AllPermission or FullTrust in J2EE and .NET environments?
  • Are you relying on application code alone, instead of the platform’s own capabilities (file permissions, web server access rules), to restrict access to web resources?

If the answer to even one of these is yes, you might be vulnerable.

How can I protect my website?

  • Your website’s development, test and staging environments should be set up with the lowest possible privilege, just like production.
  • Make sure the accounts that run the environment have their privileges capped as tightly as possible. Your servers should never run processes as Administrator, root, sa, sysman or supervisor.
  • Limit each user account to the privileges its tasks actually require.
  • Business user accounts should not be given admin status and vice versa. Use different accounts for different tasks.

Common Safety Measures to Prevent Hacks

Always Keep Your Plugins and Software Up-to-Date

Nothing makes an attacker happier than an outdated plugin or blogging program. These are easy targets because outdated programs have known glitches, bugs and security holes. That is the main reason they get updated in the first place.

Put it this way: you are using a model of door lock that has been picked a thousand times. Would you expect the next lockpicker to have a hard time with it?

So, heed this advice: update now.

Use Strong Passwords

How many times does this have to be stressed? Using strong passwords is very important. You may not realise it, but attackers are continually trying to crack or steal your passwords.

So, how do we craft an effective password?

Substitution Method (often called the “Salt Method”, though it has nothing to do with the salt a server adds before hashing a stored password):
The idea is to replace letters or numbers with special characters according to a rule of your own. For example:

  • Replace every ‘a’ with @
  • Replace every ‘s’ with $
  • Replace any space with %
  • Replace any ‘o’ with 0
  • Replace any ‘i’ with !

With these rules, our sample password, originally ‘whoisjohngalt’, becomes ‘wh0!$j0hng@lt’.

One caveat: these exact substitutions are built into password-cracking tools as standard rules, so they add very little on their own. Treat them as a garnish on top of a long password, not as the thing that makes it strong.

Business Insider’s Method:
Business Insider published a method for creating secure passwords that are still easy to remember. According to the magazine, you should make a longer password, because every extra character multiplies the time a computer needs to guess it.

The basic principle is that you build a really long password out of words that are not significant to you or related to each other.
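To show why length beats substitution, here is an added example (not from the original article or Business Insider) in Python. It applies the article’s substitution rules to the sample password, hashes it, and then runs the kind of dictionary attack cracking tools perform: every combination of a few words, tried plain and with the same substitution rule applied. The ten-word list and the use of plain SHA-256 as a stand-in for whatever hash a leaked database holds are assumptions made for the demo.

```python
import hashlib
import itertools

# Constructed wordlist; real ones hold millions of entries, so the relative
# cost of adding words to a passphrase is what matters, not these ten.
WORDLIST = ["who", "is", "john", "galt", "secret", "admin", "love", "pass", "word", "123"]

# The article's substitution rules (a leet-speak rule, not a cryptographic salt)
LEET = str.maketrans({"a": "@", "s": "$", " ": "%", "o": "0", "i": "!"})


def apply_rule(word):
    """Apply the substitution rules to a candidate password."""
    return word.translate(LEET)


def digest(password):
    """Stand-in for a stored password hash; SHA-256 chosen only for the demo."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_digest, wordlist, max_words):
    """Dictionary attack with a rule.

    Tries every concatenation of 1..max_words words from the list, both as
    typed and with the substitution rule applied, which is exactly what a
    cracking tool's rule file does.  Returns (password, attempts) or
    (None, attempts) when the search space is exhausted.
    """
    attempts = 0
    for n in range(1, max_words + 1):
        for combo in itertools.product(wordlist, repeat=n):
            phrase = "".join(combo)
            for candidate in (phrase, apply_rule(phrase)):
                attempts += 1
                if digest(candidate) == target_digest:
                    return candidate, attempts
    return None, attempts


def search_space(wordlist_size, n_words):
    """Number of phrases an attacker must try for n_words words from the list."""
    return sum(wordlist_size ** n for n in range(1, n_words + 1))


if __name__ == "__main__":
    substituted = apply_rule("whoisjohngalt")
    print("substituted password:", substituted)
    print("recovered:", crack(digest(substituted), WORDLIST, 4))
    # Two more words from the same list and the same 4-word search comes up empty
    print("six-word phrase:", crack(digest("galtjohnwhoisgaltjohn"), WORDLIST, 4))
    for n in (4, 6, 8):
        print("phrases to try for %d words from 10: %d" % (n, search_space(10, n)))
```

The substituted password falls in a few thousand hash computations because the rule is applied to every candidate for free, while each extra word multiplies the work by the size of the wordlist.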

Use Google’s Webmaster Tools

Google now has a way of helping your website be more secure. Using Webmaster Tools (since renamed Google Search Console), you will be notified when Google detects malicious content on your site.

If you fail to remove it and the site is hacked, Google will blacklist your website in its search results. That is painful for traffic, but the notice includes details of the problem Google detected, which helps you get rid of the malware faster.

Don’t Display the WordPress Version Number

Aside from keeping your blog platform updated, you should avoid telling attackers which version of WordPress you are running, since a known version points them straight at its known holes.

You can remove the WordPress version number from the generator meta tag by editing your theme’s functions.php and adding the following code (the original listing named the function 1stwebdesigner_remove_version, which does not parse because PHP function names cannot start with a digit):

// Return an empty string for the <meta name="generator"> tag WordPress adds to every page
function firstwebdesigner_remove_version() {
    return '';
}
add_filter('the_generator', 'firstwebdesigner_remove_version');

Keep in mind this only hides the version from the laziest scanners: it is still present in readme.html at the site root and in the ?ver= query strings WordPress appends to its default scripts and stylesheets. Updating is what actually closes the holes.

Turn register_globals off

Many WordPress users have been compromised because they took this setting for granted. WordPress.org has long recommended turning it off, because with register_globals on every request parameter silently becomes a PHP variable, which has been one of the most commonly exploited weaknesses in PHP sites. Set register_globals = Off in php.ini (or in .htaccess with php_flag register_globals off, where your host allows it). Note that the directive was removed from PHP in version 5.4, so on a current PHP this is already the case and only legacy hosts need the change.

Tighten your htaccess File’s Security.

Normally, your default .htaccess configuration is more open than it should be. However, you can tweak it to protect you from URL tricks, some injection attempts and other attacks.

There are a lot of ways to tweak your .htaccess, but we’ll name the most useful ones (remember to back up first). The original listing ran “Order allow,” and “Deny deny from all” together; the directives belong inside a <Files> block, and this is what they should look like:

<Files "wp-admin.php">
Order allow,deny
Deny from all
</Files>

Add this and you will be able to sleep tight at night, knowing that bots and unwanted access will be refused for that file. You can apply the same block to other files such as install.php and error_log. Two practical notes: Order/Deny is the Apache 2.2 syntax, and on Apache 2.4 the equivalent is Require all denied; and since Deny from all locks you out too, for a login entry point you would instead use Order deny,allow with Deny from all followed by Allow from your own address (for example Allow from 203.0.113.5, a documentation address used here as a placeholder).

Here are a few more rules to put in your .htaccess file. The listing as published had collapsed into a single line and lost its angle brackets to HTML rendering; the reconstruction below restores them (the %3E alternative makes clear the missing character was >), and drops one stray mis-encoded character that had no recoverable meaning.

RewriteEngine On
RewriteBase /

# Refuse request methods a blog never needs
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]

# Refuse query strings that look like traversal, remote inclusion or injection,
# unless the request carries a WordPress login cookie
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\||\{|\}).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]

Read these rules before you copy them, because they are a blunt blacklist. Blocking HEAD breaks uptime monitors and some caches. The tag\= rule returns 403 for WordPress’s own ?tag= archives, the =$ rule rejects any query string that ends with an empty parameter such as ?s=, and the last rule rejects any visitor whose search contains an ordinary word like “select” or “request”. Attackers, on the other hand, can get past pattern lists like this with alternative encodings, so treat the rules as noise reduction, not as a substitute for the parameterized queries and output escaping described earlier.

Conclusion

Being hacked is a headache. You watch your efforts crumble like a tower made of pastry. But an ounce of prevention is always better than a pound of cure, so while everything is still okay, fix what needs fixing before it all goes wrong.
