Cyber security is increasingly becoming an integral concern for any business and individual–big and small. Data breaches and hacking activities happen to many companies and people every single day, and nowadays hackers aren’t only targeting big enterprises and organizations.
In fact, more and more cybercriminals are shifting their targets into smaller companies and individuals due to their less secure infrastructure. So, if you have any online presence at all, and especially if you own or run a website, there’s a chance you are also being targeted at the very moment.
So, how can we defend our digital assets and avoid getting hacked? Below we will share some important tips to minimize web security risks you can use right away.
1. Secure Your Website Admin Account
This might vary depending on what CMS/website builder you are using to build your website, but if your site’s admin page has a default username/password, the first thing you have to do is to change it.
Make sure you are using a strong and unique password you haven’t used anywhere else. Your password should be at least 10 characters long and use a combination of uppercase, lowercase, numbers, and symbols, and to further strengthen it you can also implement 2-factor authentication (2FA) if the platform allows.
2FA essentially asks for a second factor before you can access your account, which can be:
- Something you are: your face ID, retinal/iris scan, fingerprint, etc.
- Something you know: additional PIN, second password, etc.
- Something you have: USB key/dongle, a device to pair with, etc.
Make sure only you (and other authenticated people) can access the website’s admin page.
2. Secure Your Website From Malicious Bots
A lot of cyber attack vectors like brute force attacks, credential stuffing attacks, DDoS, and other types of attacks are made possible with the use of malicious bots.
So, by detecting and managing these bots, we can significantly minimize web security risks caused by bot-related attacks.
However, today’s malicious bots are now more sophisticated than ever. Bot programmers have adopted AI and machine learning technologies so these bots are now getting smarter in impersonating legitimate human users, and at the same time, they are also using various technologies to make themselves harder to detect.
Not to mention, there are good bots that can be beneficial for our website. We wouldn’t want, for example, to accidentally block Googlebot from indexing our site, which will prevent our website from being ranked by Google–a major source of organic traffic.
So, what can we do about it? A proper bot management solution is required to tackle these issues and we’d recommend DataDome to protect your website from getting hacked.
3. Keep Everything Up To Date
Make sure all your OS, software, CMS (i.e WordPress), themes/templates, plugins/extensions, and any other elements of your website are up-to-date.
Security updates are there for a reason, and in many cases, the manufacturer/service provider patching the security vulnerabilities on your website. So, ideally, you should update everything as soon as any updates are available, especially when the update contains any security fixes.
Check whether your software/CMS allows automatic updates, and there are managed hosting solutions that will take care of these updates for you if you are using WordPress.
You wouldn’t want to compromise your website and your whole system just because you neglected to update a plugin.
4. Use HTTPS
Using HTTPS instead of HTTP essentially guarantees that the connection between your website and the user (site visitor) is properly secured so nobody else can intercept or modify the content in transit, which is known as a man-in-the-middle (MITM) attack.
Even if your website doesn’t involve transactions of user-sensitive information (i.e. credit card in an eCommerce website), it is still advisable to use HTTPS, especially because today it is very easy and affordable (even free) to use HTTPS certificates.
Another important advantage to consider is that Google prioritizes websites with HTTPS on ranking websites on their SERP, so you’ll get a nice SEO benefit with this simple approach.
5. Don’t Allow File Uploads
As a general rule of thumb, you should avoid allowing users to upload anything to your website unless it’s absolutely necessary.
Allowing users to upload files to your website means you are exposing the whole site to potential security risks. Yes, even if it’s as simple as allowing users to upload images to change their user avatars.
Even if allowing file uploads is absolutely required, you should treat any file with suspicion. At the very least, you should limit the allowed file format (i.e. .jpg and .png only), and even this is in most cases, not enough.
An option is to rename the file on any upload to ensure the correct file extension or to change the file permissions.
6. Pay Extra Attention When Giving Error Messages
Smart and persistent attackers can use the information you give away in your messages to modify their attacks. For example, if your error message contains reasons why a bot is blocked, then the hacker can simply modify the bot to bypass your rule/policy, and so it will be much harder to detect and block this bot in the future.
Keep detailed errors only in your logs, and show visitors/users only what they need.
7. Input Validation
Input validation is very important to prevent especially SQL injections and is performed to ensure that only valid data is entering your system. For example, if your input is not validated, attackers can use form fields to enter executable scripts that will affect your site negatively.
You can check this guide by OWASP on how to properly implement input validation on your website to prevent XSS (cross-site scripting), SQL injection, and other attacks that might compromise your website security.
While there are certainly many other methods and techniques you can use to minimize web security risk and avoid getting hacked, the seven tips above are among the most effective, and you can use them as the foundation to create your comprehensive web security strategy.