5 Basic Ways To Protect Your Website From Hackers


Hacking is everybody's problem. International consulting firm PwC estimates cybercrime costs the global economy $445bn a year. Sadly, the problem has only been getting worse: that was the judgement of 93% of the attendees at the Black Hat conference in the USA in 2014. To some extent it is an inevitable problem, as our lives become ever more dependent on the Internet. But it is also the result of the blatant disregard for online security that people show when they put their applications online.

In this article, we will list 5 basic things you can do to protect a website made using PHP from being hacked. This list is intended as a basic starting point. There are of course many other things to consider, and in no way do I suggest a website can be 100% safe.

1. Use Real Escaping to Prevent MySQL Injection Attacks

A MySQL injection is where a hacker uses a web form on your website or the URL bar to insert malicious MySQL code that compromises your database. Before inserting any data into your database, you should escape it first using the PHP function mysqli_real_escape_string(). For example, let's say you have just retrieved a customer's name from a web form that asks them to sign up. The data arrives as $_POST['name']. We need to escape this before putting it into the database. We can do this as follows: mysqli_real_escape_string($dbc, trim($_POST['name'])). $dbc is your database connection and trim() is used to remove any leading and trailing whitespace.

Alternatively you can use PDO instead of plain MySQL. With PDO prepared statements, the escaping of bound input is handled for you, saving you the time.
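To make the difference concrete, here is the same INSERT written three ways: concatenated (vulnerable), escaped with mysqli_real_escape_string(), and as a prepared statement with mysqli and with PDO. This is an added example, not code from the original article; the $dbc and $pdo connection objects and the customers table are assumptions.

```php
<?php
// Added example (not from the original article): one INSERT written three ways.
// Assumptions: a mysqli connection in $dbc and a PDO connection in $pdo, both pointing
// at a table customers(name VARCHAR(100)). Both connections are hypothetical.

// Constructed input of the kind an attacker submits: a quote that ends the string literal early.
$name = "O'Brien'); DROP TABLE customers; --";

// 1. Vulnerable: raw user data concatenated into the SQL text.
function build_unsafe_sql(string $name): string
{
    // The quote inside $name closes the literal; everything after it is parsed as SQL.
    // Returned only so you can see the broken query; never execute a string built this way.
    return "INSERT INTO customers (name) VALUES ('" . $name . "')";
}

// 2. Escaped: mysqli_real_escape_string() neutralises quotes for the connection's charset.
//    Call mysqli_set_charset($dbc, 'utf8mb4') first so the escaping matches the charset in use.
function insert_escaped(mysqli $dbc, string $name): bool
{
    $safe = mysqli_real_escape_string($dbc, trim($name));
    return (bool) mysqli_query($dbc, "INSERT INTO customers (name) VALUES ('" . $safe . "')");
}

// 3. Preferred: a prepared statement keeps the data out of the SQL text entirely,
//    so there is nothing to escape. Shown with mysqli and with PDO.
function insert_prepared_mysqli(mysqli $dbc, string $name): bool
{
    $stmt = mysqli_prepare($dbc, "INSERT INTO customers (name) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    $trimmed = trim($name);
    mysqli_stmt_bind_param($stmt, "s", $trimmed); // "s": bind as a string
    return mysqli_stmt_execute($stmt);
}

function insert_prepared_pdo(PDO $pdo, string $name): bool
{
    // Turning emulation off makes the MySQL server itself handle the parameters.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $pdo->prepare("INSERT INTO customers (name) VALUES (:name)");
    return $stmt->execute([':name' => trim($name)]);
}

echo build_unsafe_sql($name), "\n"; // inspect how the constructed input breaks the query
```

Two caveats worth knowing: escaping only protects a value that sits inside quoted string literals, so a number dropped into the SQL unquoted is still injectable even after escaping, and mysqli_real_escape_string() is only correct for the charset the connection has been told about. Prepared statements sidestep both problems, which is why they are the better default.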

2. Apply Form Validation As A General Rule

Form validation is the practice of ensuring that the data your web visitors give you through web forms is correct. For example, if you have asked for an age, you would expect an integer value and not a string. Some of the basic things you would do are check whether a required field is empty, check that it has the correct number of characters, and check that it is of the correct type (integer, string, etc.). For example, let's say you have received a person's name from a web form as $_POST['name']. You can check that the POST value is not empty as follows: if (!empty($_POST['name'])).
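Putting those three checks (required, length, type) together for a small sign-up form looks like this. It is an added example rather than code from the article; the field names, the length limit and the age range are assumptions you would adjust for your own form.

```php
<?php
// Added example (not from the original article): validating a sign-up form before any
// of the data is used. Field names, limits and ranges are hypothetical.

function validate_signup(array $post): array
{
    $errors = [];

    // Required field, trimmed, with a length limit matching the database column.
    $name = isset($post['name']) ? trim((string) $post['name']) : '';
    if ($name === '') {
        $errors['name'] = 'Name is required.';
    } elseif (mb_strlen($name) > 100) {           // mbstring extension assumed
        $errors['name'] = 'Name must be 100 characters or fewer.';
    }

    // Type check: an integer in a sensible range. filter_var() rejects "25abc", "2.5" and "".
    $age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 13, 'max_range' => 120],
    ]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 13 and 120.';
    }

    // Syntax check only: this does not prove the mailbox exists.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Please enter a valid email address.';
    }

    return [
        'ok'     => empty($errors),
        'errors' => $errors,
        'data'   => ['name' => $name, 'age' => $age, 'email' => $email],
    ];
}

// Constructed submissions: one that passes and one that fails every rule.
print_r(validate_signup(['name' => ' Alice ', 'age' => '34', 'email' => 'alice@example.com']));
print_r(validate_signup(['name' => '', 'age' => '25abc', 'email' => 'not-an-email']));
```

Note that validation decides whether to accept the request at all; it is not a substitute for escaping the value when it is later written to the database or printed into a page.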

3. Prevent XSS Attacks With Data Sanitisation and Output Escaping

XSS attacks, or cross-site scripting attacks, occur when someone manages to slip malicious code into your website. For example, if someone enters their name on a web form, they might slip in JavaScript code such as <script>alert("hacked")</script>. What this will do is, when you try to display the person's name in your application, it will pop up an alert box instead of the person's name!

To prevent an XSS attack, the first thing to do is form validation, which was discussed earlier. The second thing to do is to apply data sanitisation, which involves stripping any HTML tags from the data. This can be done with the PHP function strip_tags(). However, you might want to display those HTML tags, for example if it were a blogging application. In that case, use output escaping, which can be applied with the PHP function htmlspecialchars().
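The following added example (not the article's own code) runs the name from the paragraph above through both treatments so you can see what each one leaves behind. The input string is constructed for the demonstration.

```php
<?php
// Added example (not from the original article): sanitisation versus output escaping.
// Constructed input resembling what an attacker might type into a "name" field.
$name = '<script>alert("hacked")</script>Bob <b>Smith</b>';

// Sanitisation: remove the tags entirely. Use when markup is never wanted (a display name).
function sanitise_name(string $input): string
{
    return trim(strip_tags($input));
}

// Output escaping: keep the text exactly as entered, but make the browser render it as
// text instead of markup. ENT_QUOTES also escapes ' and ", so the result is safe inside
// a quoted attribute value as well as in element content.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The tags disappear, but the text that sat between them survives.
echo sanitise_name($name), "\n";

// Every < > " ' & becomes an entity; the script tag is shown, not executed.
echo e($name), "\n";

// Escaping has to happen at every output point, attribute values included.
echo '<input type="text" name="name" value="' . e($name) . '">', "\n";
```

One caveat for the blogging case: if you want to let visitors keep some HTML, strip_tags() with an allowed-tags list is not enough, because attributes such as onclick or javascript: URLs survive it. Use a proper HTML sanitiser library (HTML Purifier is the usual choice in PHP) for that, and still escape everything else with htmlspecialchars().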

4. Prevent Remote File Inclusion By Whitelisting Included Files

Remote File Inclusion is where files you never intended to include make their way into your application. A basic way to prevent this is by whitelisting the files you will allow into your application. For example, you put the files you allow into an array as follows:

$whitelist = array(
    'file1.php',
    'file2.php',
    'file3.php',
    'file4.php',
    'file5.php',
);

After this, you would run a check before including a file:

if (in_array($_GET['page'] . '.php', $whitelist) && file_exists($_GET['page'] . '.php')) {
    include($_GET['page'] . '.php');
}
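A slightly stricter version of the same idea, added here as an example rather than taken from the article, uses the request value only as a key into a map of page names to file paths. The user-supplied string then never becomes part of a path at all, and an unknown value falls back to a default page. The page names, directory and file names are hypothetical.

```php
<?php
// Added example (not from the original article): a whitelist as a lookup table.
// The slugs, directory and file names are hypothetical.

$pages = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(array $pages, ?string $slug, string $default = 'home'): string
{
    // Unknown or missing value: fall back rather than trying to use it.
    if ($slug === null || !array_key_exists($slug, $pages)) {
        $slug = $default;
    }
    $path = __DIR__ . '/' . $pages[$slug];

    // Belt and braces: the resolved file must exist and really live under this directory.
    $real = realpath($path);
    if ($real === false || strpos($real, __DIR__ . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Page file is missing or outside the application directory');
    }
    return $real;
}

// Values such as "../../etc/passwd", "home.php" or a URL are simply not keys in $pages.
$requested = isset($_GET['page']) ? (string) $_GET['page'] : null;
include resolve_page($pages, $requested);
```

As a belt-and-braces measure at the server level, keep allow_url_include set to Off in php.ini (it is off by default), so that include() cannot fetch a remote URL even if application code is wrong.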

5. Prevent Brute Force Attacks By Locking Out Users Who Get Their Passwords Wrong Too Many Times

Brute force attacks are a common way of getting access to people's online accounts. They basically involve exhaustively guessing a person's password to access their account. This has been made easier by software applications that will do the guessing on behalf of the hacker.

To prevent brute force attacks, one strategy is to lock out users who get a password wrong too many times. For example, if a user gets a password wrong 3 times in a row, you can log their IP address and lock them out for a period of time, say an hour.

Here is a basic example, although I have not included IP address checking to keep things simple:

$bad_login_limit = 3;
$lockout_time = 600; // seconds
$first_failed_login = 0;  // retrieve from DB
$failed_login_count = 0;  // retrieve from DB
$login_is_valid = false;  // set by your password check, e.g. password_verify()
if (
    ($failed_login_count >= $bad_login_limit)
    && (time() - $first_failed_login < $lockout_time)
) {
    echo "You are currently locked out.";
    exit; // or return, or whatever.
} else if (!$login_is_valid) {
    if (time() - $first_failed_login > $lockout_time) {
        // first unsuccessful login since the lockout from the previous run expired
        $first_failed_login = time(); // commit to DB
        $failed_login_count = 1;      // commit to DB
    } else {
        $failed_login_count++;        // commit to DB
    }
    exit; // or return, or whatever.
} else {
    // user is not currently locked out, and the login is valid.
    // do stuff
}
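To show the IP address part that the snippet above leaves out, here is the same lockout logic as a function keyed by client IP, with a small walk-through. This is an added example, not the article's code; the $store array stands in for the database table the comments refer to, the clock is passed in so the run is repeatable, and the IP addresses are constructed.

```php
<?php
// Added example (not from the original article): lockout tracked per client IP.
// $store stands in for a database table keyed by IP with columns first/count (hypothetical).

const BAD_LOGIN_LIMIT = 3;
const LOCKOUT_TIME    = 600; // seconds

/**
 * Returns 'locked', 'invalid' or 'ok' and updates $store[$ip] = ['first' => ts, 'count' => n].
 * $password_ok is the result of your real password check (e.g. password_verify()).
 * $now is the current Unix time; it is a parameter so the example can be replayed.
 */
function attempt_login(array &$store, string $ip, bool $password_ok, int $now): string
{
    $rec = $store[$ip] ?? ['first' => 0, 'count' => 0];

    // Still inside the lockout window: refuse even a correct password.
    if ($rec['count'] >= BAD_LOGIN_LIMIT && ($now - $rec['first']) < LOCKOUT_TIME) {
        return 'locked';
    }

    if (!$password_ok) {
        if (($now - $rec['first']) >= LOCKOUT_TIME) {
            $rec = ['first' => $now, 'count' => 1]; // window expired: start a new one
        } else {
            $rec['count']++;
        }
        $store[$ip] = $rec; // commit to DB
        return 'invalid';
    }

    unset($store[$ip]); // success: clear the counter for this client
    return 'ok';
}

// Constructed walk-through: three failures lock one client out, its correct password is
// refused inside the window and accepted once the window has passed, while a second
// client is unaffected throughout.
$store = [];
$t = 1000000; // hypothetical clock value
$results = [
    attempt_login($store, '203.0.113.5',  false, $t),
    attempt_login($store, '203.0.113.5',  false, $t + 10),
    attempt_login($store, '203.0.113.5',  false, $t + 20),
    attempt_login($store, '203.0.113.5',  true,  $t + 30),   // correct, but locked
    attempt_login($store, '198.51.100.9', true,  $t + 30),   // other client still fine
    attempt_login($store, '203.0.113.5',  true,  $t + 700),  // lockout has expired
];
echo implode(', ', $results), "\n";
```

Keying only on IP has two known weaknesses: visitors behind a shared NAT can lock each other out, and a guesser spread across many addresses never trips the limit. In practice you keep a counter per account as well as per IP, and make the 'invalid' response identical for wrong passwords and unknown usernames so the login page does not reveal which accounts exist.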

Captchas can also be useful in this regard. reCAPTCHA is a common captcha application, although it can break at times. In another article, we will talk about how to create a simple and effective captcha of your own.