Best practices and tips to protect your website from hackers

How To Protect Website From Hackers

The journey of your website starts once it is live, and from then on you need to follow best practices to protect it from hackers. Every day there is news of data breaches and hacks, and it is important to understand that websites are compromised all the time. Most security breaches are not intended to steal your website's data, but to use your server as an email relay for spam or to set up a temporary web server for illegal content.

Let's take a look at some security tips that will help you keep yourself and your website safe online.

In general, hackers use automated scripts that scour the internet for known security issues in website software. You need a plan to protect your website against them.

Keep your software up to date

Keeping all software up to date is vital to keeping your site secure. This applies to both the server operating system and the CMS you are using, such as WordPress, Joomla, or Drupal. Hackers are quick to exploit security holes once they become known, so you need to protect your website against this.

SQL Injection

Hackers use SQL injection to gain access to or manipulate your database through a web form field or URL parameter. It is easy for them to insert rogue code into the query your application runs, which can be used to change tables, obtain information, and delete important data using standard Transact-SQL. If you have access to cPanel, go to the root folder of your site and open the .htaccess file. Add the following code; it will help you protect your website:

<IfModule mod_rewrite.c>
# Enable rewrite engine
RewriteEngine On

# Block suspicious request methods
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F,L]

# Block requests for the timthumb script (a known-vulnerable image resizer)
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# [F,L] returns 403 and stops; the [S=1] often seen here would instead skip the next rule and let the request through
RewriteRule ^(.*)$ - [F,L]

# Block suspicious user agents and requests
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]

# Block MySQL injections, RFI, base64, etc.
# Note: these are crude pattern filters that cut down noise from automated scans;
# they do not replace parameterized queries and input validation in the application itself.
# Note: the URL-scheme checks below also block legitimate parameters that carry a full URL (e.g. ?return=http://...)
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Note: this line also rejects legitimate array parameters such as ?ids[]=1; relax it if your application uses them
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

# PHP-CGI Vulnerability
RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC,OR]

#proc/self/environ? no way!
RewriteCond %{QUERY_STRING} proc\/self\/environ [NC,OR]

RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]

</IfModule>


Protect against XSS attacks

Hackers also use cross-site scripting (XSS) attacks to inject malicious JavaScript into your pages, so that the code runs in the browsers of visitors to your site. To help mitigate this, add the code below to your .htaccess file.

# Extra Security Headers
<IfModule mod_headers.c>
	# Legacy header: most current browsers have removed the XSS filter it controls, so do not rely on it alone
	Header set X-XSS-Protection "1; mode=block"
	# "set" rather than "append": X-Frame-Options takes a single value, and appending creates an invalid combined value if another layer already sets it
	Header always set X-Frame-Options "SAMEORIGIN"
	Header set X-Content-Type-Options nosniff
</IfModule>

Error Messages

Be careful about how much information you reveal in error messages. Messages should always be kept generic and never provide details. Attackers commonly brute-force usernames and passwords; if the error message indicates which part of the login is incorrect, it tells them which part to keep guessing, and they use that to gain access on later attempts.
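A worked example in Python (added here, not code from the original article) that ties the SQL Injection section above to this one: the vulnerable login concatenates the username into the query, while the safe version uses a parameterized query and returns one generic failure message whether the username or the password was wrong. It assumes an in-memory SQLite table with constructed data, and sha256 stands in for a proper password hash such as bcrypt or argon2.

```python
import hashlib
import hmac
import sqlite3


def hash_pw(password):
    # Placeholder for a real password hash (bcrypt/argon2) in production code.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    # Constructed in-memory user table for the demonstration (not data from the article).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_pw("Secret123")))
    db.commit()
    return db


def login_vulnerable(db, name, password):
    # Form input is concatenated straight into the SQL text, so a crafted username
    # changes the meaning of the query. Returns True when any row matches.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw_hash = '{hash_pw(password)}'"
    return db.execute(sql).fetchone() is not None


def login_safe(db, name, password):
    # Parameterized query: the driver passes the username as data, never as SQL.
    row = db.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    # Compare against a dummy hash when the user does not exist, so the code takes
    # the same path whether the username or the password was wrong.
    stored = row[0] if row else hash_pw("dummy-value-for-unknown-user")
    ok = row is not None and hmac.compare_digest(stored, hash_pw(password))
    # One generic message for every failure: it never says which part was wrong.
    return ok, (None if ok else "Invalid username or password")


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice' --", "wrong"))  # True: the comment removes the password check
    print(login_safe(db, "alice' --", "wrong"))        # (False, 'Invalid username or password')
    print(login_safe(db, "alice", "Secret123"))        # (True, None)
```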

Server-Side Validation or Form Validation

Validation should be done on both the browser and the server side. The browser can easily catch simple failures such as empty mandatory fields, but make sure the same checks are also performed on the server, because any single gap can allow malicious or scripted content to be inserted into the database.

Username

Your admin username can be a gateway for hackers to reach your server, since they may easily extract it by exploiting loopholes with scripts. The best practice is to use a unique username.

Password

Using a strong password is crucial for your server and website admin areas. To make a strong password, use a minimum of eight characters and include at least one numerical digit as well as one uppercase letter.

File Uploads

Allowing users to upload files of any sort to your website puts it at great risk. A harmful script that gets executed on your server opens the site up and gives hackers a way to steal your credentials. The best practice is to prevent any file a user uploads from being executed.
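One way to enforce that rule, as an added Python example (not code from the original article): an upload is accepted only if its extension is on an allowlist and its content starts with that type's magic bytes, and it is then stored under a random name without execute permission. The allowlist and the file mode are assumptions for the example.

```python
import os
import secrets

# Allowed extensions and the leading bytes ("magic numbers") each must start with.
# Constructed allowlist for the example; tailor it to what your site actually accepts.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}


def validate_upload(filename, data):
    """Return a safe random storage name, or None if the upload is rejected."""
    # Judge by the final extension only: "shell.php" has no allowed extension, and
    # "shell.php.jpg" is treated as jpg and must then pass the content check.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return None
    # The content must look like the claimed type; a PHP script renamed to .jpg fails here.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return None
    # Discard the user-supplied name entirely: no path separators, no double extensions, no collisions.
    return f"{secrets.token_hex(16)}.{ext}"


def store_upload(upload_dir, filename, data):
    """Write a validated upload without execute permission; return the stored path or None."""
    safe_name = validate_upload(filename, data)
    if safe_name is None:
        return None
    path = os.path.join(upload_dir, safe_name)
    # 0o640: owner read/write, group read, nobody can execute. Keep upload_dir outside the
    # web root (or disable script handlers for it) so the web server never runs these files.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path
```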

SSL

It is highly recommended to use an SSL (TLS) certificate whenever personal information passes between the browser and the web server or database. SSL encrypts the connection, preventing attackers on the network from reading vital information.

Final Conclusion

The tips above will help you keep your site and its information properly protected. It is also important to know the common security issues and how to overcome them.
