How to protect your website from malicious code
Posted: Wed Jan 29, 2025 9:22 am
What needs to be done to prevent hackers from injecting malicious code?
Install software you can trust
Download extensions, CMS plugins and web application distributions from trusted resources.
Download updates for your CMS and server software from time to time. Stay up to date with news that may report vulnerabilities in the version of the CMS you are using.
Check your server for security regularly.
After you install the CMS, delete the files that were used for installation and debugging.
Create a high-complexity password for your web server software (FTP, SSH, hosting and CMS administrative panels):
It must be 11 or more characters long and include numbers, uppercase and lowercase letters, and special characters.
Create different passwords for different services.
You need to change your password every three months, even if it is very strong.
Never save such passwords in file managers, browsers, SSH, FTP and other clients.
Check the security system of office computers
All PCs connected to the server (usually these are computers of administrators, webmasters, content managers, sales managers) must be equipped with an antivirus that is constantly updated. The OS and work programs also need to be updated from time to time.
Check the information entered by users
Control the HTML markup in user-entered data that can end up embedded in the pages of your web resource.
Check the data received from users on the server: does it fall within the permitted ranges and lists, and does its size match the established limits?
Do not insert user data directly into SQL queries, eval() calls, or type conversions. First, check the data for dangerous content and clean it up.
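As an added illustration of the two points above (not code from the original post), the snippet below applies server-side range, list and length checks to constructed input and contrasts a query that concatenates user data into SQL with a parameterized one. The table, names and roles are constructed example data; the function names are my own.

```python
import sqlite3

# Constructed in-memory stand-in for the site's user store (example data only).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "editor"), ("carol", "editor")])
    return db

ALLOWED_ROLES = {"admin", "editor", "viewer"}   # the "permitted list" check
MAX_NAME_LEN = 32                                # the "size" check
PAGE_RANGE = (1, 1000)                           # the "permitted interval" check

def validate(name, role, page):
    """Server-side checks on raw request values; raises ValueError on anything out of bounds."""
    if not isinstance(name, str) or not (1 <= len(name) <= MAX_NAME_LEN):
        raise ValueError("name length out of range")
    if role not in ALLOWED_ROLES:
        raise ValueError("role not in permitted list")
    try:
        page = int(page)
    except (TypeError, ValueError):
        raise ValueError("page is not an integer")
    if not (PAGE_RANGE[0] <= page <= PAGE_RANGE[1]):
        raise ValueError("page outside permitted interval")
    return name, role, page

def find_users_unsafe(db, role):
    # The anti-pattern the post warns about: user data pasted straight into the SQL text.
    return [r[0] for r in db.execute(f"SELECT name FROM users WHERE role = '{role}'")]

def find_users_safe(db, role):
    # Parameterized query: the driver sends the value separately, so it is never parsed as SQL.
    return [r[0] for r in db.execute("SELECT name FROM users WHERE role = ?", (role,))]
```

Run `find_users_unsafe` and `find_users_safe` with the same crafted `role` value and compare the row counts; only the concatenated version returns rows for a role that does not exist.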
You should not include parameters you entered for debugging, or tests with new or disabled functionality, in your production code.
Use Web Application Firewall (WAF).
User access rights must be controlled. Be sure to consider how to protect against cross-site request forgery (CSRF).
Access to the database, the CMS administration panel, configuration files, backup copies of the code, and the metadata of version control systems should be restricted to a small number of people.
It is advisable to keep server software versions, such as the web server, CMS, database and script interpreter, away from prying eyes.
Network infrastructure and firewalls should be configured to allow only connections needed for work.
Minimize clickjacking. This can be done with:
JavaScript frame-busting constructs of the form
if (top.location != window.location) top.location = window.location;
or top.location = "http://example.com";
the HTTP header X-Frame-Options: SAMEORIGIN or X-Frame-Options: DENY.
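As an added example (not from the original post) of the header-based approach above, this WSGI middleware sets X-Frame-Options on every response and strips any weaker value set downstream; it also emits the equivalent Content-Security-Policy frame-ancestors directive, which current browsers prefer. The middleware, the demo application and the checking helper are my own names and assumptions.

```python
from wsgiref.util import setup_testing_defaults

def add_clickjacking_headers(app, policy="DENY"):
    """Hypothetical WSGI middleware: force an anti-framing policy on every response."""
    if policy not in ("DENY", "SAMEORIGIN"):
        raise ValueError("policy must be DENY or SAMEORIGIN")
    csp = "frame-ancestors 'none'" if policy == "DENY" else "frame-ancestors 'self'"

    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            # Remove any X-Frame-Options the inner app set, so the policy cannot be weakened.
            headers = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", policy))
            headers.append(("Content-Security-Policy", csp))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped

def demo_app(environ, start_response):
    # Constructed stand-in for the real site; sets no anti-framing headers itself.
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>hello</body></html>"]

def is_frame_protected(headers):
    """Audit check: True if either header restricts who may frame the page."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] == "frame-ancestors" and "*" not in parts[1:]:
            return True
    return xfo in ("DENY", "SAMEORIGIN")

def response_headers(app, path="/"):
    """Run one in-process request through a WSGI app; return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

`response_headers` lets you check a page's headers the same way a site audit would, without binding a socket.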
Hosting companies should constantly monitor their sites using the Yandex.Webmaster API or Yandex SafeBrowsing API.