Are you making these web security mistakes?

By master | October 31, 2020
web security mistakes

As a business owner in the corporate sector or the MSME sector, you should ensure web security of your website or it may be hacked causing you business loss as well as the maligned reputation. But a lot of us are just happy with having a website, which would pass as “functional” at best and “ineffective” at worst.

Are you making one or more of the following mistakes? if so, it is time to take corrective measures.

Mistake #1: Not regularly updating the various software used by your site.

Is your website built with CMS software like Joomla, WordPress, Drupal, etc? You should know that older versions are quite prone to hacking attacks. Make it a point to update them regularly for better web security.

Some software come with auto-update features and you can be better off by activating this option. If there is no such feature, you will have to update the software manually. WordPress has several auto-update features and our WordPress SEO, speed, and security service takes care of settings things right.

Mistake #2: Using simple, easy-to-guess passwords.

If you have been using simple and straightforward passwords for your accounts, change them as soon as possible. Your passwords need to be long (say 8-20 characters) and should contain capital and small letters, digits, and special characters.

How can you make the passwords more complex and unguessable? It is a good idea to borrow words from Hindi, Punjabi, or other languages, which cannot be commonly found in an English dictionary. Mix them up with at least a couple of special characters.

Mistake #3: Not reviewing the list of active users periodically.

If you have a password-based system like a custom software built for your company users, you should constantly monitor or review the list of users with access to the admin system. Sometimes, accounts are left active even after a user has quit. That makes the admin system open to abuse. Deactivate the dormant accounts as soon as possible to tighten your web security.

Setting a policy for frequent change of passwords is a good practice but don’t make it too frequent or you risk irritating the users.

Mistake #4: Not validating data on the forms on both sides.

Say you are collecting B2B leads from a quote request form on the site. You should validate the data on the client-side (browser) as well as the server-side (form processing script)? If not, your site can be hacked and people can send spam through your site. They can also use it to attack other sites getting your site banned.

Many developers validate or sanitize the data on the client-side but it is also important to repeat the checks in the server-side before you process the submitted data. A hacker would try to disable or bypass the validation checks at the client-side, so doing it again at the server-side is very important.

You also need to check the form data for scripts, executable codes, MYSQL injections, and other junk before these are processed and saved to the database. If not, you are inviting trouble because a hacker would try to slip in these codes to infiltrate your database.

Stop echoing the submitted data on the thank you page before sanitizing it first.

Mistake #5: Not checking the uploaded files for extensions and mime-types.

At times, you need to have a provision in your website to allow uploading of files like a CV in a job application form. Have you considered checking the uploaded files for extensions and mime-types before accepting them?

If not, I must warn you that it can be a source of much trouble. Rename the uploaded file by giving it a suitable name. This will minimize the chances of pernicious attacks like phishing or data theft.

Mistake #6: Revealing too much information about the server and software versions.

You can configure your server software and CMS software to reveal the minimum information about the versions and server paths. If the hacker gets to see the version of the software you are using, s/he will be able to plan an attack based on the vulnerabilities of this version.

Have you turned these settings off or have you been revealing too much information? You should configure your server operating system to return generic error messages to the users in case the software throws an error.

Our web maintenance service covers making the correct settings for these.

Mistake #7: Not backing up your site with version control.

When did you last back up your website? This may be seemingly insignificant but is a very important exercise. Always maintain records of the current versions or any changes or updates that you may make to it.

In case, your website suffers a hacking attack, the version backups will come in handy. This will also save you if some ransomware hits your site and encodes the file making them useless. Rather than pay a ransom and encourage the criminals, you can simply restore the files from a recent backup. Github and Gitlab are good resources for this.

If some files have been corrupted, you may replace these files by restoring the files from your backup. The same approach may also be useful in case of DB poisoning wherein, junk data is intentionally mixed with your useful data to render them meaningless.

Mistake #8: Not securing CMS sites with suitable plug-ins.

Your website could be exposed to brute force attacks wherein the hackers use scripts to try 1000s of generic passwords to gain access. For WordPress sites, security plug-ins like Wordfence, Sucuri, etc are available which add a powerful security layer.

Mistake #9: Not using a secured account to make updates.

Are you using root access on your server to do trivial work on your websites? Then you may be compromising the security of your website in a big way.

Stop using the root level account and create a limited access account to do all the regular work. You may still need to use root access for high-level system work, but only when it is an absolute necessity.

Mistake #10: Making system level changes and updates on your website or server using public wi-fi.

Never use public wi-fi in hotels, airports or a coffee shop by a boulevard for doing system-level work on your website or server. I think you already know the security threats this practice can pose to your website.

Why compromise the security of your site by taking undue risks? If you have to use public wi-fi in case of an emergency, change the password of your website at the earliest presented opportunity.

Mistake #11: Leaving old, unused files on the server.

Are you leaving old, unused files on your server? You may have updated the website with a new design and the old files are lying in an ‘old-site’ folder.

Remove them all immediately after backing up to a secure location or a local drive. Since these files may have security issues that your development team will not fix, it is harmful to have these lying around.

Mistake #12: Still not using https?

Are you still not using the SSL security certificate to make the site available only through HTTPS protocol?

It is a good strategy to use the https mode as it not only improves the search engine ranking but also bolsters the security slightly by encrypting the communication between the user and the server.

Ask your website hosting agency today itself to add a security certificate in the server. You also need to set up an auto-redirect from HTTP to https. While this is important, it won’t make your site completely fortified.

Mistake #13: Not using a hash key.

Is your website dynamic or is your server based on a parameter like p=something? Try to edit the URL in the location bar and see what happens when you send a different value for this parameter.

If another page or product data can be viewed just by changing the parameter, add a hash key to the URL. This would reinforce security considerably.

At the end

If you are making any of the above mistakes, it’s time for you to take a step back, plan, and resolve. Make these changes and earn additional peace of mind.

If these tips sound too technical and you need help for checking and implementing these on your website, we at Ebizindia would be more than happy to help. To begin with, you can ask us to audit your site. We would audit your site based on more than a hundred parameters and give you a feedback report containing solid, actionable ideas.

These tips, once implemented, will improve your search engine ranking, improve the traffic to your site, and also improve the profitability of your digital marketing spend. All the best!

We maintain Sitecore, WordPress, Magento, and core PHP based sites and take care of all these security aspects.