On the list of the most popular attack scenarios, infected websites are right behind emails and before malicious downloads. The perfidy of so-called drive-by infections is that it can also affect legitimate websites that have been infiltrated by a hacker attack with malicious code. Another thing is that the infection can occur as soon as the page is called up without further interaction.
Reliable protection against drive-by infections is provided by software solutions for secure web gateways – the open eye and common sense often do not stand a chance when familiar or trusted websites suddenly start to attack.
But how can you prevent your website from being misused for malicious purposes? We have collected ten tips for improved website security:
- Updates, Updates, Updates
One of the most important rules in safe use of the Internet is to install updates immediately! New software versions often serve the security of their users by patching vulnerabilities or adding additional security layers. Install the updates (also of plug-ins) before criminals take advantage of possible gaps in outdated versions.
- Information and Awareness
Keep yourself informed about security gaps and current outbreak. Slowly, IT and IT security are moving further and further into the area of general education. Media coverage will follow, in Austria, for example, derstandard.at or futurezone.at provide information and in Germany, heise.de or security-insider.de are among the media that report. The IKARUS Blog also offers interesting information about IT and OT security.
- Secure Login Details
Secure passwords are necessary. That means at least eight characters, better more. Random sequences of letters, numbers and special characters that do not result in any (known) words and do not contain any personal information such as birth dates are well suited. Also avoid predictable or preconfigured user names like “admin”. Be sure to use individual login data for each service!
- Hide the Login Page
To make brute force attacks more difficult, you can hide the login area of your website or secure it with access data. With the large content management systems, the login pages are usually located under a known link – change and protect it. This makes it more difficult for potential attackers to hack into your system.
- Secure Web Server
If possible, take security aspects into account already during hosting. High-quality Internet service providers such as A1 install server-side spam and virus filters, firewalls, and DoS protection. In addition to updates, please ensure that the rights are assigned as restrictively as possible, deactivate unused modules and secure sensitive directories so that they cannot be searched.
- Secure Data Transmission
Use HTTPS to secure data transmission to and from your website. In this way you prevent unauthorized individuals from accessing login data or other information. In addition, a lack of security can lead to your website being ranked lower in search results or being visited less frequently due to browser warnings.
- Secure Forms and Uploads
Contact forms and uploads, for example to upload application documents, are typical website weaknesses. Unsecured, they allow attackers to upload malicious files and spam your servers. Secure captchas slow down bots. Targeted solutions such as IKARUS scan.server allow you to scan uploads for malware before infected files can reach your servers.
Those who work with databases should consider the danger of SQL injections. Besides modern frameworks and up-to-date software, “manual” methods such as prepared statements help. They specify which queries or values are allowed. WAFs (Web Application Firewalls) also protect against attacks on web applications.
- Create Backups
Make regular backups of your data, system files and databases, and check them for functionality on a regular basis. Most hosters provide appropriate tools for data backup, and many CMS offer plugins for database backup. An up-to-date backup prevents data loss and is the fastest way to restore your website to the state it was in before the infection.
- Check for Hacker Tracks
Check your website regularly for security gaps. Run malware scanners over the files on your servers and check the MD5 checksums of software before installing it on the server. To protect your users from phishing attacks, it can also make sense to purchase similarly written URLs that could easily be confused.
- Use Antivirus Software
Your website can also be compromised via an infected computer, for example by tapping login data. You should therefore secure all devices used with security software. IKARUS anti.virus scores with excellent detection rates and is extremely resource-saving.