Stopping Website Hacks in Their Tracks

Need to beef up your website security? Try these tips for hacker prevention.

When it comes to website security, a little paranoia is a good thing. At the risk of stating the obvious, hackers are a devious and tenacious bunch, always seeking new vulnerabilities in networks, software and systems to cause trouble, steal data, and generally annoy you.

What hackers are after varies widely. Some want to cause service disruptions, often for political reasons. Others are trying to access sensitive data, such as Social Security numbers, credit card numbers, and personal health data, which they can sell to other criminals at a handsome profit. Others are simply thrill-seekers who relish the challenge of overcoming well-designed and implemented security measures. Seen in that way, website security is a bit like an alarm system: It will deter most criminals or encourage them to find a weaker target, but the truly determined and resourceful hackers will find a way in.

Regardless of the motivation, a hacking attack can be seriously disruptive to your business, especially if your business is e-commerce, so security is not an option. If you haven’t done so recently (or at all), now would be a good time to check your agreement with your web hosting provider to see what their security responsibilities are vs. which security tasks are left to you.

Here are some common types of hacking attacks against websites, and some things you, your web developer and your web hosting provider can do to prevent them.

Cross-Site Scripting

In a cross-site scripting (XSS) attack, the hacker attempts to pass malicious JavaScript or other code as a parameter in the HTTP request, in the hopes that your web server will accept it and echo it back into a page, where your visitors’ browsers will run it. Simple precautions, such as limiting the allowed parameter length and stripping out anything that looks like an HTML tag, will go a long way towards preventing these attacks.
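The two precautions above, plus the one that does most of the work in practice (HTML-escaping anything you echo back, so that whatever survives the tag filter is displayed as text rather than interpreted as markup), as an added example in Python. This is not code from the article; the length limit, the tag pattern and the sample inputs are all constructed for illustration.

```python
import html
import re

MAX_PARAM_LEN = 200                 # constructed limit; pick one that fits the field
TAG_RE = re.compile(r"<[^>]*>")     # "anything that looks like an HTML tag"


def sanitize_param(value: str, max_len: int = MAX_PARAM_LEN) -> str:
    """Reject over-long parameters, then strip anything shaped like a tag."""
    if len(value) > max_len:
        raise ValueError("rejected: parameter too long")
    return TAG_RE.sub("", value)


def render_greeting(name: str) -> str:
    """Echo a user-supplied name into an HTML fragment.

    html.escape turns < > & " ' into entities, so even text the tag filter let
    through (for example a stray quote that could close an attribute) is shown
    literally by the visitor's browser instead of being executed."""
    safe = html.escape(sanitize_param(name), quote=True)
    return f"<p>Hello, {safe}!</p>"


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary, two hostile.
    print(render_greeting("Alice"))                            # <p>Hello, Alice!</p>
    print(render_greeting("<script>alert(1)</script>Bob"))     # <p>Hello, alert(1)Bob!</p>
    print(render_greeting('" onmouseover="x'))                 # quotes become &quot;
    try:
        render_greeting("a" * (MAX_PARAM_LEN + 1))
    except ValueError as err:
        print(err)
```

Tag stripping is a useful filter, but escaping the output is the step to rely on: a filter only catches the shapes it was written for, while escaping makes every character inert in its HTML context.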

SQL Injections

SQL injections are attacks in which hackers attempt to pass syntactically valid but malicious SQL to the database server through user-entry fields or other request parameters. If you aren’t using a database server, this attack isn’t much of a threat to you; if you are, you should be particularly careful, especially if the database contains any kind of sensitive data.

Use regular expressions or other means to validate user input and limit user input to only what’s needed to run the query. For example, a ZIP Code field should be five, and only five, numeric characters (or perhaps nine with a hyphen in the sixth position). A regular expression can easily distinguish a valid ZIP Code from an ALTER TABLE statement.
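The ZIP Code check described above, carried through as an added Python example (not code from the article) against a small constructed SQLite table. It shows a deliberately vulnerable query that pastes the input into the SQL text next to the hardened version that validates the shape with a regular expression and then binds the value as a query parameter; the table contents and the injection string are constructed for the demonstration.

```python
import re
import sqlite3

# ZIP Code: exactly five digits, optionally followed by a hyphen and four more (ZIP+4).
ZIP_RE = re.compile(r"[0-9]{5}(-[0-9]{4})?")


def is_valid_zip(value: str) -> bool:
    """True only for input shaped like '12345' or '12345-6789'."""
    return ZIP_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stores (name TEXT, zip TEXT)")
    conn.executemany(
        "INSERT INTO stores VALUES (?, ?)",
        [("Downtown", "10001"), ("Airport", "10002"), ("Riverside", "94105")],
    )
    conn.commit()
    return conn


def stores_in_zip_unsafe(conn: sqlite3.Connection, zip_code: str) -> list:
    """DELIBERATELY VULNERABLE: the user's text is pasted straight into the SQL,
    so a crafted 'ZIP code' can change the meaning of the query."""
    sql = f"SELECT name FROM stores WHERE zip = '{zip_code}'"
    return [row[0] for row in conn.execute(sql)]


def stores_in_zip_safe(conn: sqlite3.Connection, zip_code: str) -> list:
    """Hardened: validate the shape first, then bind the value as a parameter
    so the database driver never treats it as SQL."""
    if not is_valid_zip(zip_code):
        raise ValueError("rejected: not a ZIP Code")
    rows = conn.execute("SELECT name FROM stores WHERE zip = ?", (zip_code,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(stores_in_zip_safe(db, "10001"))        # ['Downtown']
    # Constructed injection string: the unsafe query returns every row,
    # the safe version refuses it before the database ever sees it.
    payload = "10001' OR '1'='1"
    print(stores_in_zip_unsafe(db, payload))      # all three stores
    try:
        stores_in_zip_safe(db, payload)
    except ValueError as err:
        print(err)
```

Validation and parameter binding are independent layers: the regular expression keeps junk out of the field, and the bound parameter guarantees that even a value the pattern accepts can never be parsed as part of the statement.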

Local and Remote File Inclusion

In a file inclusion attack, an attacker crafts an HTTP request that tricks the web server into revealing sensitive files (such as password files or other security-related system files) or executing malicious code, loaded either from the local file system or from another web server. You can prevent this attack by configuring the web server to recognize and reject these types of requests.
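One way to "recognize and reject" such requests at the application layer, as an added Python example that is not from the article: a page name supplied by the user is mapped to a file only if it matches a strict allowlist pattern, and the resolved path is then re-checked to be inside the page directory. The directory layout, the `.html` suffix and the sample requests are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Page names may contain only letters, digits, '_' and '-': no slashes, dots or URL schemes.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def resolve_page(base_dir, requested: str) -> Path:
    """Map a user-supplied page name to a file inside base_dir, or raise.

    Two independent checks: the name must match the allowlist pattern, and the
    resolved path must still be under base_dir (defense in depth against anything
    the pattern check might miss, such as a symlink inside the directory)."""
    base = Path(base_dir).resolve()
    if not NAME_RE.fullmatch(requested):
        raise ValueError("rejected: page name contains disallowed characters")
    candidate = (base / f"{requested}.html").resolve()
    if base not in candidate.parents:
        raise ValueError("rejected: resolved path escapes the page directory")
    if not candidate.is_file():
        raise FileNotFoundError(f"no such page: {requested}")
    return candidate


def make_page_dir() -> Path:
    """Constructed fixture: a temporary directory holding one legitimate page."""
    d = Path(tempfile.mkdtemp())
    (d / "about.html").write_text("<h1>About us</h1>\n")
    return d


if __name__ == "__main__":
    pages = make_page_dir()
    print(resolve_page(pages, "about").read_text())
    # Constructed hostile requests: local traversal, a remote URL, and a dotted path.
    for bad in ("../../etc/passwd", "http://example.invalid/page", "about.html/../../x"):
        try:
            resolve_page(pages, bad)
        except ValueError as err:
            print(f"{bad!r} -> {err}")
```

The allowlist is deliberately stricter than "block `..`": rejecting everything that is not a plain name leaves no room for encoding tricks, and the parent-directory check catches anything that still slips through.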

Exploiting Weak and Default Passwords

If your website has user accounts—especially if any are administrative or “super-user” accounts with elevated privileges—some hacker is going to try to exploit the tendency of users to use weak passwords, and of administrators to forget to change well-known default administrative passwords. It’s fairly simple to force users to create strong passwords, and it’s usually trivial to change a default system password. A better approach is to disable the default administrative account altogether, and instead create a separate administrative account with the same privileges, a different user name and a strong password.
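The password policy and the "replace the default administrative account" step above, as an added Python example (not code from the article). The account table is a constructed in-memory dictionary, the policy thresholds and the short list of well-known defaults are assumptions chosen for illustration, and the stored hash uses salted PBKDF2-HMAC-SHA256 from the standard library.

```python
import hashlib
import secrets
import string

# Small list of well-known defaults for the check; a real deployment would consult a
# much larger breached-password list (assumption, not from the article).
COMMON_DEFAULTS = {"admin", "password", "123456", "changeme", "welcome", "letmein"}


def password_problems(password: str, username: str = "") -> list:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_DEFAULTS:
        problems.append("is a well-known default password")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    classes = sum(
        1 for test in (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
        if any(test(c) for c in password)
    )
    if classes < 3:
        problems.append("uses fewer than 3 of: lowercase, uppercase, digits, punctuation")
    return problems


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries the salt so it can be re-checked."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt.hex() + "$" + digest.hex()


def replace_default_admin(accounts: dict, new_name: str, new_password: str,
                          default_name: str = "admin") -> dict:
    """Create a differently named admin with the same roles, then disable the default one.
    `accounts` is a constructed in-memory table: name -> {"enabled", "roles", ...}."""
    if default_name not in accounts:
        raise KeyError(f"no account named {default_name!r}")
    if new_name in accounts:
        raise ValueError(f"account {new_name!r} already exists")
    problems = password_problems(new_password, new_name)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    accounts[new_name] = {
        "enabled": True,
        "roles": set(accounts[default_name]["roles"]),
        "password_hash": hash_password(new_password),
    }
    accounts[default_name]["enabled"] = False     # keep the row, but nobody can log in as it
    return accounts


if __name__ == "__main__":
    # Constructed starting state: the shipped default account is still live.
    accounts = {"admin": {"enabled": True, "roles": {"superuser"}}}
    print(password_problems("admin"))                       # several failures
    replace_default_admin(accounts, "site-ops", "Tr0ub4dor&3xample!")
    print(accounts["admin"]["enabled"], accounts["site-ops"]["roles"])   # False {'superuser'}
```

Disabling rather than deleting the default account keeps any audit history attached to it while making its well-known name useless to a password-guessing attacker.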

Distributed Denial-of-Service

In a typical distributed denial-of-service (DDoS) attack, hackers use various underhanded means to install “bot” software on a vast network of computers. At a predetermined time, or at a signal from a “bot commander,” the bots all send multiple HTTP requests to the target web server. (There are many other types of DDoS attacks that exploit different network protocols, but they all boil down to overwhelming the target server with requests.)

The server typically can’t keep up with the demand, slowing to a crawl or crashing altogether. For e-commerce sites, the damage can be devastating, both in terms of lost sales and customers who permanently go elsewhere. Preventing DDoS attacks is typically the responsibility of the web hosting provider, which can configure the firewalls, routers, network switches and servers appropriately.
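The article leaves DDoS mitigation with the hosting provider, which is where volumetric floods have to be stopped. What the application itself can do is refuse to spend real work on a client that exceeds a request budget, so a crude flood from a single source degrades service less. The sliding-window limiter below is an added Python example, not code from the article; the budget, the window and the two clients' traffic are constructed, with timestamps in integer milliseconds.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `max_requests` per client within any `window_ms` milliseconds."""

    def __init__(self, max_requests: int, window_ms: int) -> None:
        self.max_requests = max_requests
        self.window_ms = window_ms
        self._hits = defaultdict(deque)    # client -> timestamps of recent allowed requests

    def allow(self, client: str, now_ms: int) -> bool:
        hits = self._hits[client]
        # Drop timestamps that have aged out of the window.
        while hits and hits[0] <= now_ms - self.window_ms:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False                   # over budget: reject before doing real work
        hits.append(now_ms)
        return True


def replay(limiter: SlidingWindowLimiter, requests) -> tuple:
    """requests: iterable of (timestamp_ms, client) in time order.
    Returns (allowed, blocked) counts."""
    allowed = blocked = 0
    for ts, client in requests:
        if limiter.allow(client, ts):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


# Constructed traffic over two seconds: one client making a request every 500 ms,
# and one flooding client making a request every 10 ms (documentation-range addresses).
SAMPLE_REQUESTS = sorted(
    [(i * 500, "198.51.100.7") for i in range(5)]
    + [(i * 10, "203.0.113.9") for i in range(200)]
)


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(max_requests=20, window_ms=1000)
    print(replay(limiter, SAMPLE_REQUESTS))    # (45, 160): 5 + 40 allowed, 160 blocked
```

With a budget of 20 requests per second, the flooding client gets exactly 40 of its 200 requests through over the two seconds while the well-behaved client is never touched. This is cheap to run in front of expensive handlers, but a distributed attack spreads its requests across many sources precisely to stay under per-client limits, which is why the network-level defenses the article assigns to the hosting provider remain necessary.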

A good web developer has security as the top priority at every stage of development. If you’re concerned about your site’s security (and you should be!), you should ask your developer about existing security strategies. If you don’t like the answer, find a new developer who can explain what’s being done to prevent these (and other) types of attacks. After all, just because you’re paranoid doesn’t mean they’re not after you.