Nowadays, website security has become a crucial aspect of building a site and deploying it to the server for every PHP development company. Websites built on open-source technologies such as PHP and content management systems like WordPress are often less secure and can easily be compromised by attackers.

We can protect our websites by following the checks below:

1) Update scripts and plugins on a regular basis: Taking WordPress as an example, the leading cause of malicious attacks and hacks is out-dated plugins used on the site. We need to update them to the latest available versions; this reduces the risk of being hacked.

2) Make use of a human verification code/CAPTCHA: When we allow users to post a comment or message through the "Contact Us" form or any other form, use a human verification code; this can be an arithmetic question or a pictorial selection task for the user. The best example is the Google reCAPTCHA API. Below is the link to its implementation guide: https://www.google.com/recaptcha/intro/index.html
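The part of reCAPTCHA that actually protects the form is the server-side check: the widget in the page only produces a token, and the server has to send that token to Google and read the answer before accepting the submission. The following PHP is an added example, not code from the original post or from Google; the secret key is a placeholder, while the siteverify endpoint, the secret/response/remoteip parameters and the g-recaptcha-response field are the ones Google documents.

```php
<?php
// Added example (not from the original post): server-side verification of a
// Google reCAPTCHA token. The browser widget only yields a token; the server
// must confirm it with Google's siteverify endpoint before trusting the form.

const RECAPTCHA_SECRET     = 'YOUR-SECRET-KEY-PLACEHOLDER'; // assumption: your secret key
const RECAPTCHA_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

/**
 * Returns true only if Google confirms the token was solved for this site.
 * $token is the "g-recaptcha-response" POST field that the widget adds to the form.
 */
function recaptchaIsValid(string $token, string $remoteIp): bool
{
    if ($token === '') {
        return false; // no token submitted at all
    }

    $ch = curl_init(RECAPTCHA_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'secret'   => RECAPTCHA_SECRET,
            'response' => $token,
            'remoteip' => $remoteIp,
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_SSL_VERIFYPEER => true, // keep TLS verification on for this call
    ]);
    $body = curl_exec($ch);
    curl_close($ch);

    if ($body === false) {
        return false; // network failure: fail closed, do not accept the form
    }

    // Google answers with JSON such as {"success": true, ...} or
    // {"success": false, "error-codes": ["invalid-input-response"]}.
    $result = json_decode($body, true);
    return is_array($result) && ($result['success'] ?? false) === true;
}

// Usage in the form handler (contact form, comment form, ...):
$token = $_POST['g-recaptcha-response'] ?? '';
if (!recaptchaIsValid($token, $_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(400);
    exit('Human verification failed. Please try again.');
}
// ... only now process the submitted message ...
```

The function fails closed: a missing token, a network error or a malformed answer all reject the submission, so a broken outbound connection cannot silently turn the check off.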

3) Handling SQL injection: SQL injection is one of the most widely used attack techniques. When writing SQL in PHP, we can write it in either of the ways below.

a) Using MySQL (escaping the characters):

<?php

// Start: legacy mysql_* extension. It was deprecated in PHP 5.5 and removed in
// PHP 7.0, so this form only works on old installations.
// "table" and "column" are placeholders (note that TABLE is a reserved word in
// MySQL, so use a real table name).

$unsecureUserInput = $_POST["somevalue"];   // Get user input field (unsecure)

// Requires an open mysql_connect() link; escapes quotes and other special characters
$secureUserInput = mysql_real_escape_string($unsecureUserInput);  // Secure value

mysql_query("INSERT INTO table (column) VALUES ('" . $secureUserInput . "')");

// End

?>

b) Using MySQLi (parameterized query):

<?php

$mysqli = new mysqli("server", "username", "password", "database_name");

// Check if the connection is successful before running any query.
if ($mysqli->connect_error) {
    die("Connection failed: " . $mysqli->connect_error);
}

$unsecureUserInput = $_POST["user-input"];

// The SQL is sent with a placeholder; the value never becomes part of the query text.
// "table" and "column" are placeholders for a real table and column name.
$stmt = $mysqli->prepare("INSERT INTO table (column) VALUES (?)");
if ($stmt === false) {
    die("Prepare failed: " . $mysqli->error);
}

// "s" => database expects a string value
$stmt->bind_param("s", $unsecureUserInput);

$stmt->execute();

$stmt->close();

$mysqli->close();

?>
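To show why a bound value cannot change the meaning of the query, here is an added PDO example, not code from the original post, that runs against an in-memory SQLite database so it can be executed offline. The users table, its rows and the hostile-looking input are constructed for the demonstration, and it goes a little beyond the post's INSERT by covering SELECT with both a string and an integer parameter.

```php
<?php
// Added example (not from the original post): the same parameterized-query
// idea with PDO, run against an in-memory SQLite database so it executes
// offline. The users table, its rows and the hostile-looking input below are
// all constructed for the demonstration.

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Raise exceptions on errors instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, role TEXT NOT NULL)');

    $insert = $pdo->prepare('INSERT INTO users (email, role) VALUES (:email, :role)');
    foreach ([['alice@example.com', 'admin'], ['bob@example.com', 'user']] as [$email, $role]) {
        $insert->execute([':email' => $email, ':role' => $role]);
    }
    return $pdo;
}

/** Looks up one user by e-mail address. The value is bound, never concatenated. */
function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email, role FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Looks up one user by id; bindValue() with PDO::PARAM_INT keeps the type explicit. */
function findUserById(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, email, role FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = openDemoDb();

// Ordinary input returns the matching row.
$alice = findUserByEmail($pdo, 'alice@example.com');
echo "alice@example.com -> " . ($alice ? $alice['role'] : 'no match') . "\n";

// Constructed hostile input: bound as a single string, it is compared as a
// whole against the email column, so the quote and the OR never reach the
// SQL parser as SQL and nothing matches.
$hostile = "alice@example.com' OR '1'='1";
$result  = findUserByEmail($pdo, $hostile);
echo json_encode($hostile) . " -> " . ($result ? 'MATCHED (unexpected)' : 'no match') . "\n";

$bob = findUserById($pdo, 2);
echo "id 2 -> " . ($bob ? $bob['email'] : 'no match') . "\n";
```

When the same code targets MySQL, also set PDO::ATTR_EMULATE_PREPARES to false on the connection so the statement is prepared by the server rather than rebuilt client-side.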

4) Assign permissions to directories and files: Poor file permissions are one of the easiest ways for hackers to get access to files and folders. Permissions are written as three digits: the first digit represents permissions for the owner of the file, the second represents permissions for anyone in the group that owns the file, and the third represents permissions for everyone else.

Below are the number patterns used to assign file and folder permissions:

4 => Read Permission

2 => Write Permission

1 => Execute Permission

0 => No permissions for that user

So, if we assign files "777" (or 4+2+1 / 4+2+1 / 4+2+1) permissions, they are readable, writable and executable by the owner, the group and everyone else in the world.

This "777" permission should never be given.

The better way of assigning permissions to files and folders is as below:

Folders and Directories => 755

Individual Files => 644
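An added example, not part of the original post: a small PHP script that walks a web root and reports every file or directory whose mode differs from the 755/644 baseline above, listing anything world-writable first. The document root is an assumption, passed as the first command-line argument.

```php
<?php
// Added example (not from the original post): audit a web root against the
// 755 (directories) / 644 (files) baseline and flag world-writable entries.
// Assumption: the document root is passed as the first argument, e.g.
//   php audit-perms.php /var/www/html

const EXPECTED_DIR_MODE  = 0755;
const EXPECTED_FILE_MODE = 0644;

/**
 * Walks $root and returns one [path, actualMode, problem] entry per deviation.
 * Modes are reported as octal strings, the same notation used in the text above.
 */
function auditPermissions(string $root): array
{
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );

    foreach ($iterator as $path => $info) {
        $perms = fileperms($path);
        if ($perms === false) {
            $findings[] = [$path, '???', 'could not read permissions'];
            continue;
        }
        $mode     = $perms & 0777; // keep only the rwx bits for owner/group/other
        $expected = $info->isDir() ? EXPECTED_DIR_MODE : EXPECTED_FILE_MODE;

        if (($mode & 0002) !== 0) {
            // "Other" can write: the 777-style mistake the text warns about.
            $findings[] = [$path, decoct($mode), 'WORLD-WRITABLE'];
        } elseif ($mode !== $expected) {
            $findings[] = [$path, decoct($mode), 'expected ' . decoct($expected)];
        }
    }
    return $findings;
}

/** Applies the baseline to every reported entry. Run only after reviewing the audit. */
function applyBaseline(string $root): int
{
    $changed = 0;
    foreach (auditPermissions($root) as [$path, $actual, $problem]) {
        if ($actual === '???') {
            continue;
        }
        $target = is_dir($path) ? EXPECTED_DIR_MODE : EXPECTED_FILE_MODE;
        if (chmod($path, $target)) {
            $changed++;
        }
    }
    return $changed;
}

$root = $argv[1] ?? '/var/www/html'; // assumed document root
if (!is_dir($root)) {
    fwrite(STDERR, "Not a directory: $root\n");
    exit(1);
}

$findings = auditPermissions($root);
if ($findings === []) {
    echo "All entries under $root match the 755/644 baseline.\n";
    exit(0);
}
foreach ($findings as [$path, $actual, $problem]) {
    printf("%-4s %-16s %s\n", $actual, $problem, $path);
}
// To correct the reported entries, uncomment the next line:
// echo applyBaseline($root) . " entries updated\n";
```

Review the report before applying anything: an uploads directory that the web server user must write to, or a CGI script that must be executable, will legitimately differ from the baseline, and those exceptions should be granted to the specific owner or group rather than to "everyone else".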

5) Install security plugins for websites built on a CMS like WordPress: For most CMS websites, it is mandatory to use the security plugins or extensions provided for the respective CMS. Taking WordPress as the most popular CMS nowadays, we can use any of the security plugins given below.

  • Better WP Security
  • Wordfence
  • BulletProof Security
  • All in one WP Security and Firewall
  • 6Scan Security.

6) XSS (remote scripts): XSS, or cross-site scripting, is the attack in which an attacker tries to pass JavaScript or other script code containing malicious content through the website's forms. This generally happens when our website uses contact forms, enquiry forms or comment sections that let visitors/users submit comments and messages. We should be careful to validate that data. We can use strip_tags() to sanitise user-submitted input as below. This function strips HTML and PHP tags from the string, keeping only the tags you explicitly allow.

$userMessage = $_POST['message'];

$secureUserMessage = strip_tags($userMessage);

7) Server-side and form validations: Validations should also be performed on the server side, because browser-side validation can only check things like mandatory fields or that a text box contains only numbers. Browser-side validations can be bypassed, and malicious code can easily be inserted if we do not check the data at a deeper level. So we should always perform server-side validations as well, to handle the case where the browser-end validations fail or are skipped.
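Points 6 and 7 belong together in practice: the server re-checks every rule regardless of what the browser did, and whatever text is stored is still encoded when it is rendered back into HTML, because strip_tags() on input is not by itself a complete XSS defence. The following contact-form handler is an added example, not code from the original post; the field names, the limits and the submitted values standing in for $_POST are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): a contact-form handler that
// repeats every check on the server, whatever the browser-side JavaScript did,
// and encodes submitted text when it is rendered back into HTML. The field
// names, limits and the sample submission are constructed for the demo.

/**
 * Validates the raw form fields and returns [cleanValues, errors].
 * Nothing here trusts the browser: required, type and length rules are all re-checked.
 */
function validateContactForm(array $input): array
{
    $errors = [];
    $clean  = [];

    $name = trim((string)($input['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 80) {
        $errors['name'] = 'Name is required (max 80 characters).';
    } else {
        $clean['name'] = $name;
    }

    $email = trim((string)($input['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    } else {
        $clean['email'] = $email;
    }

    // Must be a whole number in range even though the form field is type=number.
    $qty = filter_var(
        $input['quantity'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]
    );
    if ($qty === false) {
        $errors['quantity'] = 'Quantity must be a whole number between 1 and 100.';
    } else {
        $clean['quantity'] = $qty;
    }

    $message = trim((string)($input['message'] ?? ''));
    // strip_tags() removes markup from the stored text; output encoding below is
    // still applied because stripping alone is not a complete XSS defence.
    $message = strip_tags($message);
    if ($message === '' || mb_strlen($message) > 2000) {
        $errors['message'] = 'Message is required (max 2000 characters).';
    } else {
        $clean['message'] = $message;
    }

    return [$clean, $errors];
}

/** Encode any user-supplied value before placing it in an HTML body or attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed submission standing in for $_POST:
$submitted = [
    'name'     => 'Alice <b>Example</b>',
    'email'    => 'not-an-address',
    'quantity' => '500',
    'message'  => 'Hello <script>alert(1)</script> "quoted" text',
];

[$clean, $errors] = validateContactForm($submitted);

foreach ($errors as $field => $msg) {
    echo "Error in " . h($field) . ": " . h($msg) . "\n";
}

// Whatever survived validation is still encoded when echoed back into the page.
foreach ($clean as $field => $value) {
    echo "<p><strong>" . h($field) . ":</strong> " . h((string)$value) . "</p>\n";
}
```

The two failures in the sample (an invalid address and a quantity above the limit) are exactly the kind a disabled or tampered browser-side check lets through; the name field shows that even a value which passes validation is encoded on the way out, so the angle brackets in it are displayed as text rather than interpreted as markup.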

8) Make use of strong passwords: We should always use strong passwords for accessing admin areas and anywhere sensitive information is kept. A strong password is a combination of letters, numbers and special characters, so that it is hard for hackers to guess. For saving passwords into the database, one should use hashing algorithms like SHA.
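For the storage side, PHP's built-in password_hash() (bcrypt by default) is the standard choice: it generates the salt and applies a configurable work factor itself, which a bare SHA digest of the password does not. The following is an added example, not code from the original post; the users table lives in an in-memory SQLite database and the usernames and passwords are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): a minimum password policy plus
// storage with password_hash(), which uses bcrypt by default and handles the
// salt and work factor itself. The users table is created in an in-memory
// SQLite database and the credentials are constructed for the demonstration.

/** Letters, digits and at least one symbol, 12 characters or more. */
function passwordIsStrong(string $password): bool
{
    return strlen($password) >= 12
        && preg_match('/[A-Za-z]/', $password) === 1
        && preg_match('/[0-9]/', $password) === 1
        && preg_match('/[^A-Za-z0-9]/', $password) === 1;
}

function registerUser(PDO $pdo, string $username, string $password): void
{
    if (!passwordIsStrong($password)) {
        throw new InvalidArgumentException(
            'Password must be at least 12 characters and contain letters, digits and a symbol.'
        );
    }
    // Store the hash only; the plaintext is never written anywhere.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function loginUser(PDO $pdo, string $username, string $password): bool
{
    // A hash of a throwaway value, verified for unknown users so the response
    // time does not reveal whether a username exists.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    if (!password_verify($password, $hash)) {
        return false;
    }
    // If the default algorithm or cost has been raised since this hash was made,
    // re-hash now while the plaintext is available.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

// Demonstration against an in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

try {
    registerUser($pdo, 'admin', 'password123'); // too short and no symbol: rejected by the policy
} catch (InvalidArgumentException $e) {
    echo "Rejected: " . $e->getMessage() . "\n";
}

registerUser($pdo, 'admin', 'Correct-Horse-42-Battery'); // constructed sample password
echo "Right password: " . (loginUser($pdo, 'admin', 'Correct-Horse-42-Battery') ? 'ok' : 'denied') . "\n";
echo "Wrong password: " . (loginUser($pdo, 'admin', 'Wrong-Horse-42-Battery') ? 'ok' : 'denied') . "\n";
echo "Unknown user:   " . (loginUser($pdo, 'nobody', 'Correct-Horse-42-Battery') ? 'ok' : 'denied') . "\n";
```

password_verify() reads the algorithm, cost and salt from the stored string, so hashes made with an older cost keep working and are upgraded on the user's next successful login.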

9) SSL: SSL stands for Secure Sockets Layer; it adds a strong security layer for transferring information over the internet. Nowadays, almost every hosting provider offers SSL certificates to be installed on the server. Using SSL certificates for websites, one can ensure strong security for the websites.
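Installing the certificate is only half of it; the application also has to refuse plain HTTP and keep its session cookie off it. The following PHP front-controller prologue is an added example, not code from the original post; CANONICAL_HOST is an assumed value, and it is used instead of the incoming Host header so the redirect can only ever point at your own site.

```php
<?php
// Added example (not from the original post): force HTTPS for every request,
// send an HSTS header, and mark the session cookie Secure and HttpOnly so it
// is never sent over plain HTTP. CANONICAL_HOST is an assumed value; using a
// fixed host instead of the incoming Host header keeps the redirect from being
// pointed at an arbitrary domain.

const CANONICAL_HOST = 'www.example.com'; // assumption: your site's hostname

/** True when the request reached PHP over TLS (directly or via a trusted proxy). */
function requestIsHttps(): bool
{
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    // Only honour this header if your reverse proxy or load balancer sets it
    // and strips any copy supplied by the client.
    return ($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

function enforceHttps(): void
{
    if (requestIsHttps()) {
        return;
    }
    $path = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: https://' . CANONICAL_HOST . $path, true, 301);
    exit;
}

enforceHttps();

// Tell browsers to use HTTPS for this host for a year, including subdomains.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

// Session cookie: only over TLS, not readable from JavaScript, not sent cross-site.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();
```

Include this file before any output on every page; once the HSTS header has been seen, browsers will not even attempt a plain-HTTP request to the host for the stated period.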

10) Website security tools / website malware removal tools: Last but not least, after website deployment, use website security tools for your websites. Server providers offer these security tools to be installed, and they scan the websites and applications on a scheduled basis.

Below are some free security tools.

1) Netsparker: It is widely used for testing for SQL injection and XSS.

2) OpenVAS: It is an open-source security scanner used for testing for known vulnerabilities. It is capable of scanning over 25,000 files.

Website malware removal tools/services:

1) Sucuri.net: This is a paid third-party service. It is capable of scanning unlimited files and folders and removing any type of malware from websites built on any platform. It also includes setting up a firewall for the website, depending on the plan purchased.

2) SiteLock: SiteLock is also a paid third-party service, capable of removing malware automatically from the source code, preventing backdoor attacks, providing firewalls, etc.

Hope these important suggestions will help you, or the PHP development companies, keep your/their websites miles away from hackers.

POSTED IN: October 12, 2016 Swapnil Kanmahale