How to protect your site from infection
The article contains a number of recommendations to protect your site from infection.
How do I prevent attackers from inserting malicious code on my site?
Use reliable software.
Download distributions of web applications and CMS extensions/plugins from trusted sources.
Update your CMS and server software regularly. Follow the news about vulnerabilities of your CMS.
Audit security of the servers regularly.
After installing the CMS, remove the installation and debug scripts.
Use complex passwords for the web server software (FTP, SSH, hosting administrative panels and CMS).
A complex password is more than 11 characters long and includes letters of different cases, numbers and special characters.
Don't use the same passwords for accessing different services.
Even the most reliable passwords should be changed every three months, to insure against accidental leakage.
Don't save important passwords in web browsers, file managers, as well as in the FTP, SSH and other clients.
Keep track of the computers' security.
Install antivirus software with regular updates on all computers used for working with the server (webmaster's, administrator's, content manager's, sales manager's computers, and so on). Also, update the operating system and applications in time.
Control the data entered by the users.
In the user input, filter the HTML markup that can be inserted into the code of the site pages.
Check if the received data has the permissible size, values and intervals .
Never place information received from the users directly in
eval()calls, SQL requests or type conversions. Always check and clean the information received from potentially dangerous elements.
Never leave parameters used for debugging, experiments with new or disabled functions in the draft version of the code.
Use WAF (Web Application Firewall).
Control user access rights, and in particular protect yourself form Cross-site request forgeries (CSRF).
Restrict access to CMS and database panels (for example, phpMyAdmin), as well as to:
Version control systems metadata (such as the
Hide the server software version if possible (CMS, web server, interpreter, DBMS).
Configure your firewalls and network infrastructure only to let through the connections you need.
Try to avoid clickjacking. The simplest ways to do it are:
X-FRAME-OPTIONS DENYHTTP header outputs.
if (top.location != window.location) top.location = window.location
top.location = 'http://example.com'
How do I prevent the users from inserting malicious on my site?
Malware may be present in uploaded content (accidentally or intentionally) if the users are allowed to upload text or files to your site.
Protect your site from bots.
You can use special CMS plugins or search blacklisted users to protect yourself from the hacking bots.
Check the information uploaded by users.
Don't insert code into the <iframe>, <object>, or <embed> tags directly on site pages, and don't upload .jar, .swf, and .pdf files (the site can use them to generate such tags automatically).
Keep a “whitelist” of allowed HTML tags to discard everything else without extra processing.
Check the links inserted by the user, for example with the Yandex Safe Browsing API.
How do I avoid inserting malicious code accidentally?
Check the software you use.
Download CMS distributions, widgets, libraries only from official sites or from the trusted sources.
If you have to download a distribution from a questionable site, check it for malicious code.
Carefully study the code of any additional components that you want to add in the CMS.
Be careful with advertising blocks and code.
Insert on your site pages only the ad blocks provided by proven advertising systems.
Before joining a new partner system, look for reviews about it and for examples of distributed content.
Avoid “unique offers” (suspiciously high pricing for tracking tags and ad blocks or mobile traffic monetization).
If possible, embed static content (links and pictures) on your pages . Avoid the <script> and <iframe> elements that load. Accept Flash, Java and ActiveX components only as a source code which you can check and compile yourself.
Don't use partner programs with hidden blocks.
Carefully check access to service interfaces. Give access to the site only to those who need it and as long as they need it.
Revoke the access from professionals who carry out one-time work, previous owners, people who aren't responsible for maintaining the site (for example, marketing professionals or managers).
When you engage other people in working on the site try to get some recommendations. After the work is done, remove their accounts or change passwords.
If your site is static, some partners may request FTP access to it to be able to change banners. Providing such access is dangerous. If the partner's database is hacked, the hackers will get direct access to the files on your site.
Search for reliable and high quality hosting. Not all hosting services can ensure the security of their servers, while others may even intentionally insert malware on the clients' sites.