Last update: March 2, 2017

Website Security Brief

I manage numerous websites that are subject to various forms of attacks. Below are common practices that work well to reduce stress.

Employ Secure Sockets Layer (SSL)

Required for any transaction involving commerce or identity. Don’t skimp; afford the best encryption possible. Speaking for myself, I always liked the True Business with EV (Green) from GeoTrust as an affordable option.

Choose Assets Wisely

The three pillars of a Domain are:

  • Domain Name Registrar: Security and Privacy are paramount. I dislike being nagged with ridiculous add-on services, having a Registrar expose my details, or having it sell my domain search results to cyber-squatters.
  • Domain Host: Choose one with a solid reputation, timely responses to technical tickets, the ability to host cutting-edge web development, flexible services, scheduled tasks, cloud features, backup/recovery, minimal downtime, and the ability to fend off DoS attacks.
  • SSL Certificate Provider: Reasonably priced, strong encryption, great protection, solid security, and easy to work with.

Often the Domain Host can provide stacked discounts through all-in-one services.

Obfuscate Email Addresses

A published email address on a webpage is an invitation to exploitation.

  • Eliminate the Literal Hyperlink: Just don’t provide a mailto: link.
  • Extend the Address so it is human-readable but not machine-readable. Example: “JohnDoe [at] Acme.Com”
  • Link to a forms-based system of communication where better validation rules can be applied.

Forms-Based Communication

Best used for Registration, Login, Contact Us, etc.

  • Client-side form validation. Google reCAPTCHA provides an added layer of protection.
  • Server-side validation, applied regardless of what the client did.
  • Receipt validation: an important redundancy for account registration and changes.

Authentication/Authorization (AuthN/AuthZ)

Validate the user, their role, and their access; otherwise reject and redirect. Two-method validation is commonplace.

Redundancy

Utilize layers of protection, like castle walls that circle the Fortress, Keep, King, and Treasure.

Traffic Redirection

Allow privileged access and deny all others.

Solid Error Trapping

Be unbreakable. Keep forms simple and practical. Log as appropriate, but not excessively, for best performance.

Analytics

Leverage excellent resources to build extended datasets that are useful for extended intelligence.

Good Hunting