Protect Your Website Against Hacking
The internet is filled with more and more marketers, many of whom are creating their own websites to market products. While having your own website will help you attract potential customers, it will also attract hackers who can wreak havoc on your site if you are not well protected.
Here are some things you can do to help protect your websites.
The most common type of hacking is cross-site scripting, also called XSS. Many site owners use web forms to gather user email addresses for subscriptions. Such inputs should be validated against expected input types and lengths.
Any input to the web forms should always be HTML encoded to avoid any unwanted script elements. The best way to validate inputs to the site is to validate against what should be allowed rather than what should not be allowed.
The best way to protect your site from this attack is to ensure you validate all the inputs to your site. Any form of input, such as page headers, cookies, query strings, hidden fields used on forms, and form fields used to gather some sort of input from users, should be validated.
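The sketch below shows both steps for a subscription form: each field is checked against an allow-list of expected characters and length, and every value is HTML encoded when it is written into the page. It is an added example, not code from the original article; the field names, the patterns and the sample submissions are assumptions made for illustration.

```python
import html
import re

# Allow-list rules per field (hypothetical form fields): pattern + max length.
RULES = {
    "email": (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+"), 254),
    "name": (re.compile(r"[A-Za-z][A-Za-z '.-]*"), 60),
}


def validate(field, value):
    """Return the trimmed value if it matches the allow-list for `field`, else None."""
    rule = RULES.get(field)
    if rule is None or not isinstance(value, str):
        return None  # unknown fields and non-text values are rejected
    pattern, max_len = rule
    value = value.strip()
    if len(value) > max_len or not pattern.fullmatch(value):
        return None
    return value


def render_confirmation(form):
    """Validate every expected field, then HTML-encode each value on output."""
    clean = {}
    for field in RULES:
        value = validate(field, form.get(field, ""))
        if value is None:
            return None, f"invalid {field}"
        clean[field] = value
    # Encoding happens at output time even for values that passed validation:
    # a valid name such as O'Brien still contains a character that matters in HTML.
    page = "<p>Thanks, {name}. We will write to {email}.</p>".format(
        name=html.escape(clean["name"], quote=True),
        email=html.escape(clean["email"], quote=True),
    )
    return page, None


# Constructed sample submissions.
GOOD = {"email": "pat@example.com", "name": "Pat O'Brien"}
BAD = {"email": "pat@example.com", "name": "<script>alert(1)</script>"}

if __name__ == "__main__":
    for form in (GOOD, BAD):
        print(render_confirmation(form))
```

The same checks apply to headers, cookies, query strings and hidden fields: anything that arrives from the browser goes through validate() before use.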
The second most common hacking technique is Google hacking. This refers to the techniques used to gain unauthorized access to information through advanced search queries. Google hacking involves searching sites using special characters, logical operators and operators such as cache, filetype, link, site, intitle and inurl.
Many webmasters put critical data on their servers to enable access from anywhere. Though such documents are kept isolated, it is easy to get access to such pages. Unless specified in the robots.txt file, all the documents on a particular site are indexed by the search engine spiders.
Such documents are then available to the public via search engine queries. Some of the advanced queries like ext:doc or filetype:doc will search for all the Word doc files available on the servers. Similarly, site:xyz.com private will search for all instances of "private" on the site xyz.com.
To protect yourself from such attacks, you should take the necessary precautions, like avoiding any storage of critical or sensitive data on the server. If it is absolutely necessary, use a robots.txt file to avoid indexing of such documents or folders, and password protect them.
E.g.
User-agent: *
Disallow: /documents
These instructions will not allow the contents of the folder "documents" to be indexed by any search engine spider. Similarly, the meta tag <meta name="SPIDERNAME" content="NOARCHIVE"> can be used on individual HTML pages if you do not want that page to be indexed by any search engine. Here you need to put the correct spider name of the search engine you want to block.
Lastly, you should also check whether your web server allows directory listing. Directory listing lets anyone see the contents of a directory by typing in the website address and an existing folder name. If you type http://domainname.com/somefoldername/ and you see the contents of the directory, you should take steps to prevent that. You can ask your web host to disable it for your site, but you may want some directories to be accessible. You can also just place an empty index file in the directory to prevent the other files from being listed.
If you are a do-it-yourself website owner, save yourself some major headaches and take some basic precautions to avoid hacking attempts. Prevention is key; otherwise you run the risk of losing your website and all its information or, even worse, losing your online identity.