I recently wrote down a topic for an article to post here on Associated Content. It was about shortening URL services/sites, like tinyurl, bit.ly, etc. The first idea that came to my mind was what it would be like for hackers to get into those services and redirect the massive traffic!
Well, I recently came across a post about just that. Cligs, a URL shortening site, was hacked. As you know hackers are looking out for any type of sites to hack. So if you have a site, make sure that it passes the security checklist below.
Top 10 Signs That Your Site Can Easily Be Hacked
10. Administrative login credentials are admin and password, or admin and admin.
Most open source packages (and many other software packages) ship with default login credentials. Never keep the defaults; change them to something stronger before the site goes live.
9. Login credentials are stored as clear/plain text.
Never store login credentials (especially passwords) as plain text. If your stored data is ever compromised, every site component that relies on those credentials becomes vulnerable as well.
8. Login credential requirements for the membership section are very loose.
If your site has a membership section, make sure that the requirements for login credentials (username and password) are strong. For instance, you should not allow a username or password that is only 4 characters long. Doing so gives hackers the upper hand; an automated script can easily run through random combinations of that length.
7. Forgotten login credentials are sent to users via email.
Email is not a secure communication channel; nothing in it is encrypted. So if users forget their login credentials, send them temporary credentials and require them to change those credentials immediately after logging in. Make the generated credentials valid for only a limited amount of time.
6. Your authentication component allows unlimited failed login attempts.
You should always lock an account after a specific number of failed login attempts. The main reason is to stop hackers who use automated scripts to test credentials. For instance, after 3 failed login attempts, the account should be locked for 24 hours or so.
5. Sensitive information is transferred over an HTTP connection.
There are standards that must be followed for certain online practices, such as storing credit card numbers, social security numbers, etc. If your site handles sensitive information, you MUST comply with those rules; otherwise you risk being sued. NEVER transfer sensitive information over a plain HTTP connection; it is not secure. You MUST use an HTTPS connection.
4. Technical information is shown when errors occur on the site.
Always show front-end users a user-friendly page when an error occurs. Technical details should be logged for site administrators, developers and webmasters, but never displayed to the public, because they can reveal security vulnerabilities.
3. You issue queries to the backend store using user input, but no validation is performed.
You should NEVER trust user input. If you process user input, you should ALWAYS check it first and make sure it matches what is expected. Failing to do so can lead to what is known as SQL injection.
2. You are storing user input, but no server-side validation is performed.
Much like number 3 above, you should ALWAYS perform server-side validation on user input. Do not rely simply on client-side validation; it can easily be disabled or bypassed. Also, when displaying user input on the front-end, ALWAYS perform HTML encoding.
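As an added illustration of items 3 and 2 (this is example code, not from the original article or from any of the sites mentioned), the following shows a lookup that splices user input straight into a query next to the validated, parameterized version, plus HTML encoding of anything echoed back to the page. The table contents, the username policy (6 to 32 characters) and the function names are all constructed assumptions.

```python
import html
import re
import sqlite3

# Constructed in-memory member table standing in for a site's backend store (assumption).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE members (username TEXT, email TEXT)")
_conn.executemany(
    "INSERT INTO members VALUES (?, ?)",
    [("alice77", "alice@example.com"), ("bob_smith", "bob@example.com")],
)

# Hypothetical allow-list policy: 6-32 letters, digits or underscores (see item 8).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{6,32}")


def validate_username(raw):
    """Server-side check; returns the value only when it matches what is expected."""
    if not isinstance(raw, str) or USERNAME_RE.fullmatch(raw) is None:
        return None
    return raw


def lookup_unsafe(username):
    """The mistake from item 3: the raw input becomes part of the SQL text."""
    query = f"SELECT username, email FROM members WHERE username = '{username}'"
    return _conn.execute(query).fetchall()


def lookup_safe(username):
    """Item 3 done right: validate first, then bind the value as a query parameter."""
    if validate_username(username) is None:
        return []
    query = "SELECT username, email FROM members WHERE username = ?"
    return _conn.execute(query, (username,)).fetchall()


def render_greeting(username):
    """Item 2: whatever is echoed to the front-end is HTML-encoded first."""
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"
```

Running lookup_unsafe with input such as a quote followed by an always-true condition returns every member, while lookup_safe rejects it at validation and returns nothing.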
1. User-generated areas are not monitored.
This is the biggest mistake you can make. User-generated areas must be strictly monitored, with tough security restrictions that filter out bad links, unsafe content, and so on.
Security comes before anything else, even before money and customers/clients. You can easily lose a large client base with just one security failure.