Security checklist for websites

Whether you host your website yourself (on your own server) or on a paid hosting service, you need to make sure it is hacker-safe and does not compromise on security.

  • Perform data validation on the server side:

Many Web forms include some JavaScript data validation. If that validation is meant to provide security, it means almost nothing: a malicious security cracker can craft a form of his own that submits directly to the resource at the other end of the Web page's form action, with no validation at all. Worse yet, many cases of JavaScript form validation can be circumvented simply by deactivating JavaScript in the browser or by using a Web browser that doesn't support JavaScript at all.
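As an added example (not code from the original post), here is what server-side validation of a sign-up form looks like: the server checks every field itself because it only ever sees the raw POST body, and the browser's JavaScript may have been disabled or bypassed. The field names, limits and the "member"-only role are assumptions for the demo.

```python
import re

# Added example, not from the page: the sign-up form is validated again on the
# server, because browser-side JavaScript can be disabled or bypassed and the
# server only ever sees the raw POST body. Field names and limits are assumptions.

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
EXPECTED_FIELDS = {"username", "email", "age", "role"}
ALLOWED_ROLES = {"member"}  # the form only offers "member"; a crafted POST may send anything


def validate_signup(form):
    """Validate a submitted form (dict of field -> str). Return a list of
    error strings; an empty list means the submission may be processed."""
    errors = []
    username = form.get("username", "")
    email = form.get("email", "")
    age = form.get("age", "")
    role = form.get("role", "")

    if not USERNAME_RE.fullmatch(username):
        errors.append("username: 3-20 letters, digits or underscores")
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        errors.append("email: not a valid address")
    # Parse numbers on the server; <input type="number"> is only a browser hint.
    if not age.isdigit() or not 13 <= int(age) <= 120:
        errors.append("age: whole number between 13 and 120")
    # Allowlist select/hidden values rather than trusting what the form rendered.
    if role not in ALLOWED_ROLES:
        errors.append("role: not permitted")
    # Unknown fields are rejected instead of being stored silently.
    unexpected = set(form) - EXPECTED_FIELDS
    if unexpected:
        errors.append("unexpected fields: " + ", ".join(sorted(unexpected)))
    return errors
```

The handler that receives the POST calls `validate_signup` before touching the database and returns the error list to the client; nothing the browser did beforehand changes that decision.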

  • Manage your Web site via encrypted connections:

Using unencrypted connections (or even connections using only weak encryption), such as unencrypted FTP or HTTP for Web site or Web server management, opens you up to man-in-the-middle attacks and login/password sniffing. Always use encrypted protocols such as SSH to access secure resources, using verifiably secure tools such as OpenSSH. For this and many other useful tips, check out StopBadware.org’s Tips for Cleaning and Securing Your Website.

  • Use strong, cross-platform compatible encryption:

Believe it or not, Secure Sockets Layer (SSL) is no longer the top-of-the-line technology for Web site encryption. Look into TLS (Transport Layer Security), the successor to SSL.

  • Use backup and redundancy to protect the Web site:

Backups and server failover can help maintain maximum uptime. While failover systems can reduce outages due to server crashes and server shutdowns, that isn’t the only value to redundancy. The duplicate servers used in failover plans also maintain an up-to-date duplication of server configuration so you don’t have to rebuild your server from scratch in case of disaster. Backups ensure that client data isn’t lost. Of course, failover and backup solutions must be secured as well, and they should be tested regularly to ensure that if and when they are needed, they won’t let you down.

  • Check your server configuration.

Apache has some security configuration tips on its site, and Microsoft has TechCenter resources for IIS on theirs. These tips cover directory permissions, server-side includes, authentication and encryption, among other things.

  • Stay up-to-date with the latest software updates and patches.

A common pitfall for many webmasters is to install a forum, plugin, widget or blog on their website and then forget about it. It's important to make sure you have all the latest updates for every piece of software you have installed.

  • Regularly keep an eye on your log files.

Making this a habit has many benefits, one of which is added security. You might be surprised by what you find.
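To make "keeping an eye on the logs" concrete, here is an added example (not from the original post) that runs a first-pass scan over access-log lines in the common combined format: it flags requests that look like traversal, SQL injection or XSS probing and addresses that rack up many 404s, which is what scanners produce. The log lines and the threshold are constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Added example, not from the page: a first-pass scan over web server
# access-log lines (combined format) that flags entries worth a closer look.
# The log lines below are constructed for the demo.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /download.php?file=../../etc/passwd HTTP/1.1" 404 221
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 221
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /wp-login.php HTTP/1.1" 404 221
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /admin/ HTTP/1.1" 404 221
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /.env HTTP/1.1" 404 221
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /search.php?q=%27%20OR%201%3D1-- HTTP/1.1" 200 812
192.0.2.9 - - [10/Oct/2023:13:57:11 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Request patterns typical of traversal, SQL injection and XSS probing.
SUSPICIOUS = {
    "path traversal": re.compile(r"\.\./|/etc/passwd"),
    "sql injection probe": re.compile(r"['\"]\s*(or|and)\s+\d+=\d+|union\s+select", re.I),
    "xss probe": re.compile(r"<script|javascript:|onerror=", re.I),
}
NOT_FOUND_THRESHOLD = 4  # this many 404s from one address looks like scanning


def scan_access_log(text):
    """Return {'matches': [(ip, label, path), ...], 'scanners': [ip, ...]}."""
    matches, not_found = [], Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        decoded = unquote(path)  # probes are usually URL-encoded in the log
        for label, pattern in SUSPICIOUS.items():
            if pattern.search(decoded):
                matches.append((ip, label, path))
        if status == "404":
            not_found[ip] += 1
    scanners = sorted(ip for ip, n in not_found.items() if n >= NOT_FOUND_THRESHOLD)
    return {"matches": matches, "scanners": scanners}
```

Run it nightly over the previous day's log (or tail the live log through it) and review the two lists; a hit is a reason to look, not proof of a break-in.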

  • Check your site for common vulnerabilities.

Avoid having directories with open permissions. This is almost like leaving the front door to your home wide open, with a doormat that reads "Come on in and help yourself!" Also check for any XSS (cross-site scripting) and SQL injection vulnerabilities. Finally, choose good passwords. The Gmail support center has some good guidelines to follow, which can be helpful for choosing passwords in general.
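Two of the checks above, shown as an added example that is not from the original post: the same user lookup written with string formatting (where the request value can rewrite the query) and with a bound parameter (where it cannot), plus a walk over a directory tree that reports world-writable directories. The table layout and directory names are constructed for the demo.

```python
import os
import sqlite3
import stat
import tempfile

# Added example, not from the page: the same user lookup written with string
# formatting and with a bound parameter, plus a scan for world-writable
# directories. Table layout and directory names are constructed for the demo.


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


def find_user_unsafe(db, name):
    # The request value becomes part of the SQL text, so it can alter the
    # query's structure instead of being treated as a plain string.
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(db, name):
    # The statement is fixed; the driver passes the value separately.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def world_writable_dirs(root):
    """Return directories under root (root included) that any local user can
    write to, ignoring sticky-bit directories such as /tmp-style scratch space."""
    found = []
    for dirpath, _, _ in os.walk(root):
        mode = os.stat(dirpath).st_mode
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            found.append(dirpath)
    return sorted(found)


def demo_permissions():
    """Constructed fixture: one open and one restricted directory; returns the
    names that the scan flags."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)
    os.mkdir(os.path.join(root, "config"))
    os.chmod(os.path.join(root, "config"), 0o750)
    return [os.path.relpath(p, root) for p in world_writable_dirs(root)]
```

Point `world_writable_dirs` at the document root (and at any upload or cache directory) as part of the routine check; every directory it lists needs a reason to be open.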

  • Be wary of third-party content providers.

If you're considering installing an application provided by a third party, such as a gadget, widget, counter, ad network, or webstat service, be sure to exercise due diligence. While there is lots of great third-party content on the web, it's also possible for providers to use these applications to push exploits, such as dangerous scripts, towards your visitors. Make sure the application is created by a reputable source. Do they have a legitimate website with support and contact information? Have other webmasters used the service?

  • Try a Google site: search to see what’s indexed for your website.

It’s always a good idea to do a sanity check and make sure things look normal. If you’re not already familiar with the site: search operator, it’s a way for you to restrict your search to a specific site.

  • Sign up for Google Webmaster Tools.

They're free, and include all kinds of good stuff like a site status wizard and tools for managing how Googlebot crawls your site. Another nice feature is that if Google believes your site has been hacked to host malware, this webmaster console will show more detailed information, such as a sample of harmful URLs. Once you think the malware is removed, you can then request a reevaluation through Webmaster Tools.

They have some great content about online security and safety with pointers to lots of useful resources. It’s a good one to add to your RSS Reader feeds.

  • Contact your hosting company for support.

Most hosting companies have helpful and responsive support groups. If you think something may be wrong, or you simply want to make sure you’re in the know, visit their website or give ‘em a call and make sure your website is safe and secure.

In addition to the above, if you are hosting your own website:

Disable Unnecessary Services

The more ports your server has open to the Internet, the greater the risk of security holes. While you need certain services (such as HTTP and email), there are probably others you can easily do without:

  • Telnet is one of the biggest security risks. If you use telnet for administration, it is very easy for your password to be stolen. Disable Telnet and use SSH (secure shell) instead.
  • If you are not using FTP, disable this service. If you must use it, don’t ever FTP using your root or administrator password. FTP sends passwords across the network in plain text and is vulnerable to snooping.
  • Disable all other services you aren’t using.

Install a Firewall

A firewall is a software (or sometimes, hardware) package that can control which ports on your server are open to the Internet, and sometimes detect intrusion attempts. A firewall is important for any Web server.

Configure Backups

One thing you should realize right now: you will have a serious problem at some point, and you will lose data. It might not be a hacker attack—perhaps just an administrator typing the wrong command or a host pulling the wrong plug—but for your sites and your customers, the effect is the same.

This is where backups come in. You should maintain a backup copy of all critical files on a separate machine. For web content, the local copy you upload from may be sufficient. For everything else, you can use FTP to download critical files regularly. Here are a few more items you should be certain to back up:

  • The contents of databases. Database systems such as MySQL have backup utilities you can use to dump data to a downloadable file.
  • Any dynamic files created by your sites, including traffic logs.
  • Configuration files for your web server, email server, and other software. Any time you change a configuration file to get something working, download a new copy.
  • If you have customers who use the server, back up their files regularly if at all possible. This will protect you and them from user error as well as from more serious problems.
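The advice above says to back up configuration files and database dumps and to test the copies; here is an added example (not from the original post) of a small backup routine that archives a list of critical files with a SHA-256 manifest and verifies the archive against it without extracting anything to disk. The file names and contents are constructed for the demo.

```python
import hashlib
import os
import tarfile
import tempfile

# Added example, not from the page: archive critical files (config files, database
# dumps, site content) with a SHA-256 manifest and verify the archive against it.


def create_backup(files, dest_dir, stamp):
    """Write <dest_dir>/backup-<stamp>.tar.gz and a .sha256 manifest; return both."""
    archive = os.path.join(dest_dir, f"backup-{stamp}.tar.gz")
    manifest = archive + ".sha256"
    with tarfile.open(archive, "w:gz") as tar, open(manifest, "w") as mf:
        for path in files:
            name = os.path.basename(path)
            tar.add(path, arcname=name)
            with open(path, "rb") as f:
                mf.write(f"{hashlib.sha256(f.read()).hexdigest()}  {name}\n")
    return archive, manifest


def verify_backup(archive, manifest):
    """Hash each manifest entry straight from the archive; return names missing or changed."""
    bad = []
    with open(manifest) as mf, tarfile.open(archive) as tar:
        for line in mf:
            digest, name = line.rstrip("\n").split("  ", 1)
            try:
                data = tar.extractfile(name).read()
            except KeyError:  # listed in the manifest but absent from the archive
                bad.append(name)
                continue
            if hashlib.sha256(data).hexdigest() != digest:
                bad.append(name)
    return bad


def demo_backup():
    """Constructed fixture: back up two files and verify; then verify again after a
    manifest entry is added for a file the archive lacks. Returns (clean, tampered)."""
    work = tempfile.mkdtemp()
    paths = {"httpd.conf": b"ServerName example\n", "site.sql": b"CREATE TABLE t(x);\n"}
    for name, body in paths.items():
        with open(os.path.join(work, name), "wb") as f:
            f.write(body)
    archive, manifest = create_backup([os.path.join(work, n) for n in paths], work, "demo")
    clean = verify_backup(archive, manifest)
    with open(manifest, "a") as mf:
        mf.write("0" * 64 + "  missing.txt\n")
    return clean, verify_backup(archive, manifest)
```

Copy the archive and its manifest to the separate machine together, and run `verify_backup` there on a schedule; a backup that has never been verified is the one that lets you down when it is needed.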

Monitor Your Server

Once you have a working, secure server, your job is never finished—you should continually monitor it for potential problems. Here are some monitoring tips:

  • A number of services will ping your server regularly and alert you when it does not respond. Your host may offer such a service, or you can use an independent service.

Visit Blogs/Sites about security

Conclusion

You may have guessed from reading this that making a website safe can be difficult, and it often is. Unless you have an administrator or a good managed host working for you, expect to spend at least a couple of hours a week securing and monitoring your website. If you don't, you may end up spending days or weeks dealing with the aftermath when your website's security is compromised.

  • Rich
    Excellent checklist
    The Web browser plays a key role in determining the strength of the ciphers used between the client and an HTTPS-protected Web site.
    And as you mention, TLS 1.0 is the current HTTPS standard. SSL v3 is about as strong, though; you can select which SSL and TLS versions are enabled.
    When the news came out about the SSL vulnerability, i.e. forging CA signatures from an MD5 hash, the IT world finally sat up and paid attention. I personally think EV SSL, which is becoming more widely adopted, is a huge improvement over regular SSL. From what I understand, the green URL bar and EV padlock are currently not possible for phishers to copy.

    But back to the browser – let's not underplay its influence over your site's security. There is a great article here – with another checklist you can file away… http://www.computerworld.com/action/article.do?...