I would like to share my personal observations and knowledge relating to website security. You can add more by commenting on this post.
Passwords and other credentials must be stored hashed in the database. Use the md5() or sha1() functions.
On password renewal, don't send the password itself to the user's email; send a renewal link or a temporary password instead (a temporary password must be changed on first login).
Only accept alphanumeric user names during registration. Check the strength of the password entered by the user; for that you can use the jQuery Password Strength Meter.
Use a CAPTCHA on registration and contact forms.
Validate forms before submitting. Use strict validation rules for user name, password, email and phone number.
Check the file type and file size when uploading. Restrict the user to uploading only the requested file types (e.g. image files: .png, .jpg, .gif, .bmp). You can also use the MIME type to check the file type.
Don't use $_REQUEST, $_POST, $_GET or $_SESSION variables directly in database queries; first clean them with built-in functions (e.g. mysql_real_escape_string()) to remove any unwanted characters.
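For the two points above (storing credentials hashed, and keeping request data out of query text), here is an added example that is not part of the original post: PHP's built-in password_hash() and password_verify() (PHP 5.5 and later) apply a random salt and a deliberately slow hash, and PDO prepared statements bind user input as data rather than splicing it into the SQL. The users table, the in-memory SQLite connection (pdo_sqlite extension) and the sample accounts are assumptions made for the demo.

```php
<?php
// Added example, not from the original post. The users table and the
// in-memory SQLite connection are assumptions made for this demo.

function registerUser(PDO $pdo, string $username, string $password): bool
{
    // Alphanumeric user name only, as recommended above.
    if (!preg_match('/^[A-Za-z0-9]{3,32}$/', $username)) {
        return false;
    }
    // password_hash() picks a random salt and a slow algorithm (bcrypt by
    // default) and embeds both in the returned string; md5/sha1 do neither.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Prepared statement: the user name is bound as data, never spliced into SQL.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    return $stmt->execute([':u' => $username, ':h' => $hash]);
}

function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Upgrade the stored hash if PHP's default cost or algorithm has changed.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

// Demo against an in-memory SQLite database (constructed for this example).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// A valid registration, then a user name that fails the alphanumeric rule.
var_dump(registerUser($pdo, 'alice', 'correct horse battery staple'));
var_dump(registerUser($pdo, "bob'; DROP TABLE users; --", 'x'));
// Correct password, wrong password, and a quote-laden name that is merely
// looked up as data because the statement is parameterised.
var_dump(checkLogin($pdo, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($pdo, 'alice', 'wrong password'));
var_dump(checkLogin($pdo, "' OR 1=1 --", 'anything'));
```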
Don't use open/readable keywords in your links (query strings). It is better to encrypt them when they carry sensitive data.
Use as little JavaScript as possible. Always try to place JavaScript at the bottom of the page, just before the closing </body> tag.
Don't display errors or notices on live sites. Try to handle all possible errors and exceptions in your code. Use mysql_error() when testing but not on live sites. You can log errors to a log file with PHP's error_log() function.
Don't give 777 (full permissions) publicly to any directory or file. Use read-only permissions for files. To fix permissions on your server, use the following commands:
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
To encrypt client/server transmission, an SSL certificate must be used on the website.
Don't give all privileges to a database user. Grant only the privileges that are necessary when creating the database user.
Take database backups daily or weekly. This will let you restore your database at any time in case of disaster.
Use/buy hosting from well-known and trusted vendors (GoDaddy, HostGator, ixwebhosting, etc.). Search the web for reviews of your hosting provider; this will help you in your decision.