Web Security

There are many variables to a websites security. Every layer in the software stack is a potential threat. The simplest and an effective way to prevent security risks is to keep all software up to date. Whether that is WordPress, or the web server, or underlying operating system, or anything inbetween. Most vulnerabilities are known and keeping your system frequently up to date will prevent most of the security risks. But of course this will only go so far and will not solve all the problems. Especially if the web application you are running is custom software.

Website Architecture

Architecture is important, and security should be a part of the design. Keeping users private information safe is the most important part of security. A web application should only store information critical to its function and nothing more. The information must be store securely in a database. For instance, something common that almost every web application will need to store is passwords. Passwords should not be stored in plain text. Its unfortunate how many websites still do. http://plaintextoffenders.com/ is a good repository of offending websites. Though it is possible that the passwords are encrypted. Either way this isn’t the best way to store passwords. Ideally passwords should be stored with a hashing function with a salt. That way it is not reversible and even if the server is compromised in anyway the passwords are still theoretically safe. Although I would probably change my password if that were to ever happen. Also do not use hashing functions that are easily bruteforced such as md5 or SHA-1. Instead consider something like bcrypt. A word of warning as things may change depending on the time you read this.

Penetration Testing

Consider doing some penetration testing on your own site. Any user input is a potential target, this includes the address bar and url parameters. The most common vulnerabilities are Cross site scripting (XSS) or SQL Injection attacks. Both can be prevented by properly sanitizing user input. Escaping characters that should not be included, or html encoding text input. Also ensure users have correct permissions throughout the site and forging a request won’t give them information they should not have access to. Speaking of information they should not have access to… Do not be needlessly specific on error messages. For instance do not say whether a user does not exist when attempting to login or that the password is wrong. That will give the attacker useful information. I’m not an advocate for security through obscurity but do not give them a gift. Instead the error message should be something more generic. Ideally have a limited number of times the user can attempt to login to prevent brute forcing. Something I find that is sometime overlooked is file permissions. If a user has the ability to upload anything to the website, that being an image for their avatar or some other document. These are potential threats that can be executed on the web server. Regardless of the mime type or extension. File uploads should only be allowed if it is essential. Consider renaming the file without the extension to prevent it running on the server. Also make sure the files have limited permissions, such are read only. Some attacks may be more difficult to prevent such as Distributed Denial of Service attacks.

Content Management System Security

Widely used software has its benefits but it also has its drawbacks. They tend to have large targets on their backs because of their wide use. Think of Microsoft Windows or WordPress as an example. WordPress in particular can be painful at times. The WordPress core may be secure but because of its modular nature the security also depends on having well written plugins. Ideally WordPress sites should have as little plugins a possible. I have seen many instances where backdoors are placed in templates with inconspicuous names that will execute php code. They tend to be in locations where an update won’t affect them such as a template.

If dealing with very sensitive information such as credit cards for business transactions you will need to use SSL/TLS. Complete one to one encryption is important for such interactions. Insure your certificate is purchased at a reputable certificate authority. Many times you will be able to purchase one with your domain.

Web application security can be complex with many variables. Nothing is foolproof and everyone should be aware of that fact. In terms of security it helps to be paranoid. In this ever changing world keeping up with new standards is imperative. We provide a service to make this world simpler.