Round Tale

One of the biggest priorities when running an online business is website security. Having a secure website will cause your customers to trust your business, thereby boosting sales and increasing your return on investments. The online community is teeming with malicious hackers that are willing to do whatever it takes to penetrate your site’s security and compromise the delicate financial information of your clients. You should have the same fervor when attempting to deter these careless intruders. Most customers will not shop at an online store that is not secure, therefore creating a secure environment is essential in the world of online business. The following 4 tips will help make your website a safer place for your customers to shop.

Strong Administrative Passwords

Protecting your website means protecting the administrative interface. Once a hacker gains access to your site’s administrative interface, they can gain control of your entire online business in a few short steps. Once they’ve access the administrative control panel, hackers can do anything from defacing your website, to committing identity theft or fraud in the name of your business. To prevent hackers from easily gaining access to your website, you’ll want to use strong passwords that are mix of letters and numbers. These alphanumeric password should be at least 10 characters in length. Try to avoid using any commonly used words or names. Also try not to use dates that are significant in your life, as a hacker may be able to access this information.

Firewalls

Firewalls filter information that is transferred to and from your website. By configuring a secure firewall, you’ll be preventing all unauthorized access to your website. Setting an industry standard firewall at the highest possible security preference is one of the best ways you can deter hackers with ease. Remember that simply having a firewall is not enough to keep you site safe. The firewall must be configured properly.

Antivirus

Make sure you use only the best antivirus programs. If your computer contracts a virus, the hacker that distributed this virus could gain access to sensitive information on your computer. Some viruses will install hacking utilities known as KeyLoggers, which record the data inputted from your computer’s keyboard. This means that everything you type is recorded and then sent to the hacker, including your system and website passwords.   It is imperative that you ensure that your antivirus program is regularly updated to the latest definitions. This will help you to protect your computer from hackers who attack your system in efforts of gaining control or information. Simply having an antivirus program installed is not enough. New viruses are created everyday, so it is important to keep your Antivirus program updated regularly.

Security Testing

Once you have all of the above security measures in place, you’ll want to test the security of your website routinely. Try to use a security analyzing tool regularly. These tools will usually find any existing security lapses and assist you in correcting them. Remember that in order to have good website security, these security measures must be practiced regularly.

Convenience aside, allowing anonymous visitors to upload files to your site is pretty much like opening the gates and telling malicious users it is okay to compromise your server.  This puts you, the website owner, in a very tough position when considering that such permissions have become a commonality on today’s internet and has proven to increase business efficiency.

Having the ability to upload files is a regular occurrence on social networking sites such as FaceBook, MySpace and Twitter as well blogs, forums and online banking sites.  This feature is also prevalent in corporate portals as it allows end-users to share files with business employees.  In these environments, users are permitted to upload documents, pictures, music, videos and several other types of files.  The more functionality an end-user is provided with, the greater the probability of creating a vulnerable web application.  It is a known fact that many internet users abuse their privileges to gain access to a specific site or compromise a web server.

During recent tests, security experts have discovered that an alarming number of widely used web applications are not making use of secure upload forms.   According to their findings, many of these vulnerabilities were easily detected and exploited, allowing experts to gain full access to the file system on the web server hosting those applications.   Most of these vulnerabilities were the direct result of improper security configurations, essentially permitting intruders to roll right in.

Viable Solutions

Below is a list of practices you or your system administrator should enforce when file uploads are allowed to your website or web applications:

- Create an .htaccess file that only permits access to files with allowed extensions

- Do not the put the .htaccess file in the same directory where the files uploaded by users will be stored.  This file should be stored in the parent directory that your visitors do not have access to.

- The average .htaccess file that only allows files such as jpg, jpeg, gif and png files should include the following lines:

“deny from all

<Files ~ “^\w+\.(gif|jpe?g|png)$”>

order deny,allow

allow from all

</Files>”

These lines can be adjusted to suit your own personal needs.  Editing the .htaccess file in this manner will not only assure that only these file types are allowed, but also protect you from double extension attacks.

- If at all possible, make sure the files uploaded by users are placed in a directory outside of the server root.

- Do not allow existing files to be overwritten.  This will prevent exploits such as the .hataccess overwrite attack.

- Do not rely solely on client-side validation.  This is simply not enough to ensure an adequate level of security.  It is advisable to implement both client-side and server-side validation.

Conclusion

There are several ways a malicious user can bypass the security configurations applied to a file upload form.  When incorporating such a feature into your web applications, you should make it a priority to follow the best security practices and put them to the test on a regular basis.  While this requires a considerable amount of security expertise, it is worth every bit of time to make sure your website is protected.