Onsharp Logo

Top Website Security Flaws

It’s hard to know all of the prevention methods to be aware of when it comes to your website’s security. Unfortunately, there are a multitude of threats on the internet that can attack your site in a variety of ways. Be prepared by regularly scanning your website for vulnerabilities so the issues can be caught, addressed, and remedied.

These are common security flaws that make your website susceptible to hacking.

1. Missing or Incorrectly Installed SSL Certificate

This is one of the most common issues found on websites. Many sites are either not encrypting their traffic or have their certificate incorrectly configured. Secure Sockets Layer (SSL) certificates allow the encryption of personal information and credit card numbers; it’s crucial that you use an SSL certificate and that you install it correctly to protect your customers and any sensitive data that they might enter on your site. In fact, it’s required that you have an SSL certificate if you run an e-commerce site that accepts major credit cards.

2. Unsecured FTP Access Settings

If your file transfer protocol (FTP) access settings aren’t secure, your data could fall into the wrong hands. FTP sites are used to share files and data between clients and servers on a computer network. Depending on your industry, there might be compliance standards and regulations that you need to meet when sharing information with an FTP.

The common security regulations for the U.S. include:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Federal Information Security Management Act (FISMA)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • State privacy laws

While each industry deals with its own set of regulations, they all share a common purpose to protect information.

How To Secure Your FTP Site

Apply an SSL Certificate

We suggest that you use a more secure file share service, like FTPS or SFTP. You can do this by applying an SSL Certificate to your FTP.

Gate your FTP site

Instead of storing files and credentials on the DMZ or a private network, use a DMZ gateway (enhanced reverse proxy).

Strengthen your FTPS server

  • Avoid using Explicit FTPS. If you do, you should force encryption for authentication and data channels
  • Use Elliptic curve Diffie-Hellman key exchange algorithms
  • Avoid using any version of SSL or TLS 1.0

Create strong passwords

Passwords should be longer than the minimum length requirement, include numbers, letters, and special characters (if allowed), and should not reference anything in your personal life.

Follow file and folder security

Make sure that the only the necessary people have access to the files and folders they need.

3. Ports are Left Open that Should be Closed

Finding an open port to expose a vulnerability is the first step in a website hacker’s toolkit. If a server port doesn’t need to be open, it’s best practice to close them—like a door. Other than ports 80 (HTTP) and 443 (HTTPS), no other ports typically need to be open to your site. Running routine vulnerability scans ensures that no ports are being accidentally opened to your website through the CMS, plugins, or at the server level.

4. Outdated CMS

An up to date content management system (CMS) is one of the essential maintenance updates for your website. Your website receives the benefit of new functionalities and fixes for technical issues. Simply put, an updated CMS leads to a more secure website.

Here’s an example of an outdated CMS:

outdated cms

You can see that their CMS is outdated by a couple of versions, some plugins need to updated, and other items need updating. The easy way to prevent an outdated CMS is to regularly update it.

5. Vulnerable Scripts - XSS

Cross-site scripting (XSS) attacks take place when malicious scripts are injected into trusted websites. Once the script has been executed, it can access cookies, tokens, or other sensitive information. It can also rewrite content of the HTML page and send malicious scripts to a user’s browser that wouldn’t be able to detect the malicious scripts. It’s problematic enough to have affected Facebook, Google, and Paypal users.

6. Vulnerable SQL - SQL Injections

Structured query language (SQL) is the is the language used to communicate with a server and manage data. Similarly to XXS, SQL injections take place when an attacker injects a malicious input into SQL queries. This can allow attackers to access or extract data they should not have access to.

How To Prevent SQL Injections

To prevent SQL Injections, you should:

  1. implement input/data validation
  2. use parametrized queries/prepared statements
  3. never let the application code directly use the input
  4. sanitize all input—not just the login forms
  5. remove potentially malicious code
  6. hide database error messages

7. Outdated PHP Version

PHP versions are supported for two years after their release date. During that time, bugs and security issues are fixed and released. Ensuring that your website is running on the latest version of PHP will allow your website to run without issues.

sign up here newsletter example
add to cart button example

8. Vulnerable Code - Clickjacking

Clickjacking occurs when you don’t have a preventative code or plugin on your site. The ckicljacker modifies links on your website that take your customers to a different location than they intended. For this reason, clickjacking is also called a UI redress attack.

How To Prevent Clickjacking

There are two common ways to prevent Clickjacking:

  1. Send the appropriate Content Security Policy (CSP) frame-ancestors directive response headers. This tells the browser to not allow framing from other domains.
  2. Add code in the UI. This ensures that the current frame is the most top level window.

9. WordPress User Enumeration

Attackers can use this hacking method to trick your customers into entering secure information by leading them to believe they’re on your site.

User enumeration occurs when an attacker runs a script against your site to reveal a list of your website’s usernames. If any of your users have weak passwords, this could put you at risk.

At Onsharp, we scan our customers’ websites every 90 days as part of our Website Essentials Package, and we rescan until the websites receive a passing score.

You can also use our free Triple Threat Website Scanner and get actionable tips on improving your site’s security, speed, and SEO.

Ready to Learn More? Download our Website Security Fundamentals Whitepaper

Related Blog Posts

Tags :

share this article

Facebook
Twitter
LinkedIn

Subscribe

Sign up to receive helpful tips and insights, product & service updates, news, and events.

Onsharp Logo