Protecting Your Website Against Hacking

Today in the age of affiliate marketing, more and more people are creating their own sites to market products. Having your own website will definitely help you in getting more customer purchasing your products. You will also attract hackers to play around with your site, if you have not taken enough care to protect your site. There are many hacks possible in almost all the programming languages used for websites today. With little care you can protect your site and your online identity.

The most common type of hacking is the Cross site scripting also called as XSS. The cross site scripting can be carried out in different ways, DOM-based, stored or reflected. Instead of looking into what these hacks are, it's best to understand how you can protect your sites from such hacks. The best way to protect your site from such attacks, is to ensure you validate all the inputs to your site. Any form of inputs like page headers, cookies, query string, hidden fields used on forms and forms fields used to gather some sort of input from the users should be validated. Many site owners normally user web forms for subscription to gather user email. Such inputs should be validated against expected input types and length. Any input to the web forms should always be HTML encrypted to avoid any unwanted script elements. The best way to validate inputs to the site would be to validate against what should be allowed rather than what should not be allowed.

The second most common hacking technique is the Google hacking. Today most search engines provide lot of tools to webmasters to track and analyze their site rankings. Google has become the most important search engine and it seems to be on top of the list for both web site owners as well as hackers. Google hacking refers to the techniques used to gain access to unauthorized information through advanced search queries. Google hacking employs searching sites using special characters, logical operators and operators such as cache, filetype, link, site, intitle, inurl. Many web masters put critical data on their servers to enable access from anywhere. Though such documents are kept isolated, it is easy to get access to such pages. Unless specified in the robots.txt file, all the documents on a particular site are indexed by the search engine spiders. Such documents are then available to the public via search engine queries. Some of the advanced queries like ext:doc or filetype:doc will search all the word doc files available on the servers. Similarly site:xyz.com private will search for all instances of private on the site xyz.com.

To protect yourself from such attacks you should take necessary precautions like avoiding any storage of critical or sensitive data on the server. If it is necessary, use robots.txt file to avoid indexing of such documents or folders. E.g. User-agent: *
Disallow: /documents

These instructions will not allow the contents of folder "documents" to be indexed by any search engine spider. Similarly the meta tag "meta name='SPIDERNAME' content='NOARCHIVE' " can be used on individual HTML pages, if you do not want that page to be indexed by any search engine. Here you need to put the correct spider name of search engine you want to block.

Lastly you should also check if your web server allows directory listing. Directory listing will allow anyone to see the contents of directory by typing in the website address and existing folder name. If you type http://domainname.com/somefoldername/, and you see the contents of the directory, you should immediately talk to the web host and get it disabled for your site.

Though it is virtually impossible for a normal website owner to avoid all hacking attempts, it is possible to minimize them using some basic precautions.