Making a Secure Website

MuhammadDarcy (Thread Starter):
    I'm about to make a website and wanted some suggestions on how to make it secure?


estel:
    Well, what are your risks and what are you defending against?

    If I'm just serving up a static HTML site from a boring server I'd have to do things a lot differently than handling payments for an ecommerce site!

MuhammadDarcy (Thread Starter):
    (Original post by estel)
    Well, what are your risks and what are you defending against?

    If I'm just serving up a static HTML site from a boring server I'd have to do things a lot differently than handling payments for an ecommerce site!
    I'm just a beginner and I've been asked to create a website and then make it secure.


    (Original post by MuhammadDarcy)
    Im just a beginner and I've been asked to create a website and then make it secure
    Then you need to research what makes a website unsecured and solve some of those issues.

    If you're a complete beginner and your first thought is to go on TSR and get someone to give you the answers then you're doing it wrong. If you don't know something then you need to go do your own research and think things through for yourself.

NX172:
    A few tips off the top of my head.

    1. Keep all software on the host server up to date if possible. Including but not limited to your database, HTTP server, application containers, PHP modules, etc.
    2. Only grant as much permission as required to files and folders on your filesystem.
    3. Use SFTP and ensure SFTP users don't have SSH access, or chroot them.
    4. Enforce a whitelist IP policy on SSH users and on database access.
    5. Keep all passwords secure. Length > complexity. Don't use dictionary words. Use a combination of characters, letters and punctuation. Change these passwords regularly.
    6. If using a CMS, only install as many modules as you need. Ensure they're up to date and they don't contain vulnerabilities. Check comments on the module before using them to verify if other users have had issues. Disable public admin access.
    7. Have a backup plan for the website.
    8. Constrain all data inputs in the server-side code, not the client-side. Use prepared statements, stored procedures and escape all user input. I suggest writing some validators to check for range, regular expressions, etc. before processing them in application logic.
    9. Remove over-privileged DB users.
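An added worked example for tip 8 above; it is not part of NX172's post or of the thread. It is written in Python with the standard sqlite3 module rather than PHP (my choice, not the thread's), and the `users` table with its two sample rows is constructed for the demo. It puts the string-built query that invites SQL injection beside a prepared statement with a bound parameter, and adds the server-side range and regular-expression validators the tip suggests.

```python
import re
import sqlite3

# Server-side validators: reject input that does not have the expected shape
# before it reaches any query or application logic (tip 8's "validators").
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value):
    """Return value if it is 3-32 characters of [A-Za-z0-9_], else raise."""
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise ValueError("invalid username: %r" % (value,))
    return value


def validate_age(value):
    """Return value as an int within 0..150 (a range check), else raise."""
    try:
        age = int(value)
    except (TypeError, ValueError):
        raise ValueError("age is not an integer: %r" % (value,))
    if not 0 <= age <= 150:
        raise ValueError("age out of range: %d" % age)
    return age


def make_db():
    """In-memory SQLite database; schema and rows are constructed for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT NOT NULL, age INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, age) VALUES (?, ?)",
        [("alice", 30), ("bob", 25)],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """VULNERABLE: the query is built by string formatting, so a quote inside
    `username` closes the literal and the remainder is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "ORDER BY username" % username)
    return [row[0] for row in conn.execute(sql)]


def find_user_prepared(conn, username):
    """Prepared statement: `username` is sent as a bound value, so it is
    compared as data and cannot change the structure of the query."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? ORDER BY username",
        (username,),
    )
    return [row[0] for row in rows]


def find_user(conn, username):
    """Both layers: validate the input first, then query with a bound parameter."""
    return find_user_prepared(conn, validate_username(username))


def demo():
    """Run the three lookups against a classic injection payload."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed injection string
    results = {
        "unsafe": find_user_unsafe(conn, payload),      # leaks every row
        "prepared": find_user_prepared(conn, payload),  # matches nothing
    }
    try:
        find_user(conn, payload)
        results["validated"] = "accepted"
    except ValueError:
        results["validated"] = "rejected"                # never reaches the DB
    results["legit"] = find_user(conn, "alice")
    return results


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the four outcomes: for the payload `' OR '1'='1` the string-built query returns every user, the prepared statement returns nothing because the whole string is compared as a literal value, and the validator rejects the payload before any query is issued, while a legitimate name still resolves. Validation and parameterisation are separate layers: the validator narrows what the application will accept at all, while binding parameters is what stops data from being parsed as SQL, so keep both even when the validator looks strict.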

MuhammadDarcy (Thread Starter):
    (Original post by NX172)
    A few tips off the top of my head. [...]
    Thanks


Al-farhan:
    (Original post by MuhammadDarcy)
    I'm about to make a website and wanted some suggestions on how to make it secure?


    Why not just hire a web designer?

PussyGrabber9000:
    Keep the back door locked.

MuhammadDarcy (Thread Starter):
    (Original post by Al-farhan)
    Why not just hire a web designer?
    I've been asked to do it by a friend.


MuhammadDarcy (Thread Starter):
    (Original post by PussyGrabber9000)
    keep the back door locked
    Hmm


    Use Laravel and half of your concerns would be taken care of.

    I've just finished setting up my own website. I used one of the best WordPress themes that was highly customizable and well-supported. I customized the login page URL. That was the first thing I did when I started securing my website. Also I set up website lockdown and banned some users that were doing unauthorized activity.

MuhammadDarcy (Thread Starter):
    Thanks for your replies

    If I were you, I'd use one of these website builders: http://www.beautifullife.info/web-de...erce-builders/. I have tried none of them yet. But when I need a website, I'll definitely know where to start from. Good luck!
Updated: November 14, 2016