Does your website need security? Many website owners do not take seriously that their site needs protection. Why would anyone want to hack your website, and how can you protect it from hacking?
Your website needs a strong password so that it is not easy for a hacker to crack. Setting a strong password once and never changing it is not enough: change your web password at regular intervals to reduce the chance of it being cracked. Use an alphanumeric password with special characters that is not easy to guess. A strong password should be 8 characters or more and combine upper- and lower-case letters with all of these.
In addition, if you use a CMS for your website, it will usually provide a good password check and can auto-generate a random password combination for security reasons; you can use these easily.
If you provide a file upload facility for visitors or logged-in users, you need to take care. Specify the file types you want to allow users to upload, such as image files, Word documents or any other type, and restrict all other file types so that users cannot upload them to the server. Add a size limit, because very large files may cause problems for the site and take a long time to scan if you use antivirus to scan files. Try to save files outside the root directory if possible. Change the permission of the uploaded files folder with chmod 0666 so the files can't be executed. You can also set the permission with .htaccess:
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
allow from all
</Files>
You can add any other file type to this pattern; put the code in the .htaccess file in the root to apply the rule.
The other solution I have mentioned is to save files in a private folder outside the root; in that case you need a script to access files from that private folder.
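The upload checks described above (type allow-list, size limit, storage in a private folder outside the root), as an added example that is not part of the original page. The constants, function names and sample files are assumptions made for illustration.

```php
<?php
// Added example, not from the original page. MAX_BYTES, ALLOWED and the
// function names are assumptions chosen for illustration (PHP 8).
const MAX_BYTES = 2 * 1024 * 1024;                       // size limit: 2 MiB
const ALLOWED = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

/** Validate one $_FILES entry and return a server-chosen file name, or throw. */
function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload did not complete');
    }
    $size = filesize($file['tmp_name']);                 // measure it, do not trust the client
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file size not allowed');
    }
    // Take the type from the file content, not from the client's name or MIME.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (($ext = ALLOWED[$mime] ?? null) === null) {
        throw new RuntimeException("file type not allowed: $mime");
    }
    // Random name plus mapped extension: no client text reaches the path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Move a validated upload into a private folder outside the document root. */
function store_upload(array $file, string $privateDir): string
{
    $name = validate_upload($file);
    // move_uploaded_file() refuses paths that did not arrive via HTTP POST.
    if (!move_uploaded_file($file['tmp_name'], rtrim($privateDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not store upload');
    }
    return $name;
}
// Constructed samples: a tiny GIF, and PHP source uploaded under an image name.
$samples = ['photo.gif' => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",
            'avatar.png' => "<?php echo 'not an image';"];
foreach ($samples as $clientName => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    try {
        echo $clientName, ' -> accepted as ',
            validate_upload(['tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK]), "\n";
    } catch (RuntimeException $e) {
        echo $clientName, ' -> rejected: ', $e->getMessage(), "\n";
    }
    unlink($tmp);
}
```

In the real upload handler, call `store_upload($_FILES['upload'], $privateDir)`, where the form field name `upload` and the directory are your own choices.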
Most hosting providers offer a facility for this. You can also set it up yourself in the firewall settings: block all non-essential ports and allow only 80 and 443 from outside.
If you upload files yourself, use a secure method such as SFTP. In addition, put the database on a separate server and connect to it from your web server; that way the database server cannot be accessed directly and your database is safe.
Use Website Security Tool
If you want to check your website's security, you can use a third-party tool to check it; these tools also give you hints on how to fix the security issues that arise in the software audit.
If you are using a CMS like WordPress, you can use a security plug-in such as Wordfence Security, All In One WP Security & Firewall or iThemes Security; there are many more options available for security and scanning in WordPress.
You can also use other tools such as Scan My Server, Sucuri, SiteGuarding and many more to check your site for security issues.
After checking the whole list, you can start working on the issues they report to make the site more secure.
Guarding Include Files
In PHP we often include files on a page, for convenience, that contain code, database credentials and other sensitive information. Many developers give the included file the extension .inc; such a file can be accessed directly as a plain text file, because PHP does not parse it.
If an attacker accesses this file directly, he can easily get the database credentials and any other sensitive information in it, and can then easily attack the related database and other files. So always give your include files the extension .php, and keep files of this kind, which hold sensitive information, outside the site in a folder that is not directly accessible by anyone.
It is good to check all related errors and warnings while developing an application, because fixing errors and warnings closes loopholes in the application's security. After completing the application, hide all errors and warnings, because on the live site a hacker can easily use them to trace vulnerabilities.
When you develop an application, configure your servers separately for development and production. On the development server, show all errors and warnings so that you can easily fix every issue and security weakness; when you go to the live server, hide all errors and warnings from your application so that a hacker cannot see a loophole in the site, if there is one.
Protect Session Data
Session data is saved in a temp file by default, and on shared hosting it can easily be accessed by writing a script. So we need to protect sensitive information such as credit card details and passwords from hackers who might access it through session data.
You can protect it by encrypting the data so that it is not readable by anyone. You can also change the location where session data is stored, so that a hacker cannot easily access it at the default location; you can use session_set_save_handler() for that purpose, with your own implementation.
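One way to combine both measures with session_set_save_handler(), as an added example that is not part of the original page. The class name, the save directory and the key handling are assumptions; it needs PHP 8 with the sodium extension.

```php
<?php
// Added example, not from the original page. The class name, save path and
// key handling are assumptions for illustration (PHP 8 with ext-sodium).
final class EncryptedSessionHandler extends SessionHandler
{
    public function __construct(private string $key) {}

    /** Decrypt what the built-in file handler read; unreadable data = empty session. */
    public function read(string $id): string|false
    {
        $raw = base64_decode((string) parent::read($id), true);
        $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
        if ($raw === false || strlen($raw) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
            return '';
        }
        $plain = sodium_crypto_secretbox_open(substr($raw, $n), substr($raw, 0, $n), $this->key);
        return $plain === false ? '' : $plain;   // tampered data or wrong key
    }

    /** Encrypt and authenticate the serialized session before it touches disk. */
    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box = sodium_crypto_secretbox($data, $nonce, $this->key);
        return parent::write($id, base64_encode($nonce . $box));
    }
}

// Assumption: a per-application directory instead of the shared default.
// On a real host use a path outside the web root that only your account can read.
$dir = sys_get_temp_dir() . '/myapp_sessions';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
session_save_path($dir);

// Assumption: a fresh key for this demo. In production load a fixed 32-byte key
// from configuration kept outside the web root, or every request loses its session.
$key = sodium_crypto_secretbox_keygen();
session_set_save_handler(new EncryptedSessionHandler($key), true);

session_start();
$_SESSION['card_last4'] = '4242';              // constructed sample value
$id = session_id();
session_write_close();

$onDisk = file_get_contents("$dir/sess_$id");
echo 'plaintext visible on disk: ', str_contains($onDisk, 'card_last4') ? 'yes' : 'no', "\n";
```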
SQL Injection Attack
SQL injection is an attack in which input submitted through a form field or the URL is used to access data in the database, add data to it, make changes, delete table data and carry out many other activities. To fix this, use parameterised queries, in which the value is passed to the query as a parameter.
"SELECT * FROM table WHERE column = '" + parameter + "';"
Keep Up to date
Keep your software up to date with the latest versions, so that any issue in a previous version is fixed on your site. If you use a CMS or other software on your site, update it from time to time to the latest version.
A hosting company takes care of updating its own software and applies security updates from time to time, but you also need to check regularly. Often they provide a manual option for updates, so follow their instructions to fix any possible security holes.