This post covers all the web security basics. This includes how to secure your website, plug holes, and avoid common website security threats.
Your primary goal in addressing web security should be covering your basic risks. You don't necessarily have to be at the cutting edge; the real goal is simply not to be the "low hanging fruit". Here are a few tips that will help cover you no matter how your website or server is constructed.
How To Secure Your Website in a Few Easy Steps
Tip #1 - Shut Off Directory Indexing.
Index files are useful because of the information they provide, and that's exactly why they're dangerous. Unless you are running a web site that's dedicated to serving out files for download, shutting off directory indexing is a good idea. You don't want someone hitting a folder without a properly configured default index file, because when they do they're able to see a full list of files in that folder. This means a visitor's foot is in the door. Put simply, directory indexing allows outsiders to view and exploit files you did not want publicly accessible. Use
Options -Indexes
in your .htaccess; this beautifully simple directive instructs your server not to produce directory listings.
Tip #2 - Secure Select Folders
This tip applies especially to folks using CMS's, but anyone can secure a website folder easily. There are several approaches I've come across, but I believe a well-placed IP restriction is usually the best method in this scenario. If you're using WordPress it'd be your wp-admin folder, and for Joomla or Drupal it'd be administrator. What these folders have in common is that nobody else needs to see what's inside. Simply find which folder you want to secure, then add a file named
.htaccess
to it containing the following code:
Order deny,allow
Deny from all
Allow from XXX.XXX.XXX.XXX
All you need to do is fill in your IP where the "X's" are and you're ready to roll. What this code says is "Kick out everybody... except that one guy, he's alright". Don't know your IP? We like to visit Arul John to pick up this info really quickly (http://aruljohn.com/). All things considered, this is a very powerful htaccess trick if you use it wisely. Basically you're forcing a hacker to spoof your IP, or someone would need to be in your physical location, to force access into that web folder. Keep in mind that this method is location based. If you'd like multiple locations to have access, you will need to add additional "Allow from XXX.XXX.XXX.XXX" lines.
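A complete .htaccess for the admin folder that combines Tip #1 and Tip #2, as an added example that is not code from the original post. It assumes the server's AllowOverride permits Options and access control in .htaccess, and uses placeholder addresses (203.0.113.10 and 198.51.100.0/24) that you must replace with your own; the Order/Deny/Allow lines from the post are Apache 2.2 syntax, so the example also shows the Apache 2.4 equivalent, Require ip.

```apache
# Added example (not from the original post). Drop this file into the folder you
# want to protect, e.g. wp-admin/ or administrator/.
# Assumes AllowOverride includes Options (for "Options") and AuthConfig/Limit
# (for Require / Order) in the server config, otherwise Apache returns 500.

# Tip #1: no directory listings for this folder or anything below it.
# Putting the same line in the document root's .htaccess covers the whole site.
Options -Indexes

# Tip #2: only the listed addresses may reach this folder.
# Placeholder addresses: replace with your own IP(s) or ranges.
# A typo here locks YOU out as well, so test from a second connection before
# closing the one you edited with.
<IfModule mod_authz_core.c>
    # Apache 2.4: Require replaced Order/Deny/Allow. RequireAny lets any one
    # of the listed addresses through; everyone else gets 403.
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </RequireAny>
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2: the keywords in Order are separated by a comma with no space.
    # On 2.4 these directives only work if mod_access_compat is loaded.
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</IfModule>
```

Verify the result from an address that is not on the list and confirm you get a 403 rather than the login page; the server's error log records each denied request with the client address, which is also a useful signal for spotting probes at the admin folder.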
Tip #3 - Use SSL if Necessary.
If secure account access or payment processing is needed, you should be using SSL encryption. Setting up SSL is not ultra-tricky, but make sure your developer knows what they're doing. A little experience dealing with E-Commerce sites tells me that this isn't something to rush through. If you secure your website properly once, you won't need to do it again. Know what needs to be secured, how the doorway will be addressed, and over-engineer when in doubt. Put plainly: measure twice and cut once. Also, make sure you don't allow your SSL certificate to expire. It harms your brand more than you'll know. Nothing is less reassuring than expecting to see a "lock" and seeing a "red error warning" instead.
Tip #4 - If possible - Keep your Directory Root isolated.
Sub folders can be dangerous, and you'd hate to lose your primary site because of some sandbox you built to play in. If able, isolate your document root to a folder or drive with nothing of value. Don't forget: sometimes web development isn't about what you provide, sometimes it's about what you don't.
Tip #5 - Shut off non-essential listen ports on your web site.
Shut down telnet, ftp, finger, and any ports you are running that aren't absolutely essential. Run
netstat -an | grep -i "listen"
on Unix, or
netstat -an | find "LISTEN"
on Windows, to find which ports your web server is listening on, and shut down the ones you don't need.
Once The Web Security Basics Are Covered, Why Not Get Advanced?
It's important to keep in mind that every project has unique needs and your security should reflect that. If you're still uncomfortable with htaccess, there are usually plugins (on WordPress for example) that can cover your needs. That said, when dealing with an Apache server you should become familiar with Regex, htaccess, then hop into server level config files. While these are tricky skills to pick up, their value is truly immeasurable. Once you dig in you'll quickly come to the realization that these are the engines behind your website, so boosting power really needs to come from there.
Those are a few site security tips to keep in mind. If you have any other "must do" tips to secure your website, please leave them below. Be sure to take a quick look at the "htaccess" links below and familiarize yourself. Getting a solid grip on this one file can make your web developing life MUCH easier!