The Web: The new frontier or Potential "tar pit" for Africa?

Rollins Orlu By Rollins Orlu on Dec 22, 2012 in Security

As Internet usage in Africa continues to grow, it appears many more people are beginning to embrace the fact that the web can actually change the way a lot of things are done in Africa. At least that much is clear, judging from the number of web-related services popping up all over the place lately.

From social networks to eCommerce websites, and even online payment platforms, the web seems to be the "playground" of choice for nearly everyone in Africa today. While this trend is encouraging in terms of growth and development for Africa, it increasingly appears that a lot of web content publishers have forgotten, or perhaps never knew, that as amazing as the web can be, it can equally be disastrous.

Ignoring the important minor details

As impressive as some of these projects are, many are badly lacking in security. Quite a number do not follow basic practices such as serving sensitive areas (signup/registration pages, the login/members area, etc.) over HTTPS using an SSL/TLS certificate, to prevent eavesdropping on the data transmitted there. Note that encrypting only the login page is not enough: once a user is logged in, the session cookie is sent with every request, and if the pages after login are served over plain HTTP that cookie can be captured on the wire and the session hijacked. Serve the whole authenticated area (ideally the whole site) over HTTPS.

I recently ran into a couple of websites, including (strangely enough) a payment processor's website, that did not use any form of encryption for their registration pages. This is indeed a worrying trend. With all the security exploits and data theft going on in the world today, security should be a main priority for content publishers; however, a lot of content publishers do not appear too bothered about it.

It is important to remember that while there are a lot of good and honest Internet users, there are equally a good number of malicious ones who either simply enjoy finding and exploiting security holes in websites and applications, or hope to make a quick buck off that activity.

Securing your website - the basics

The Internet is a public place and you cannot afford to take any chances when publishing data. Here are a few threat sources and basic security steps to address them that could save you a world of trouble later:

Outdated scripts

There's nothing an attacker loves more than an outdated script. Most web content publishers use a lot of 3rd-party scripts, plugins, and add-ons on their websites, the most common being popular content management systems such as WordPress, Joomla, and Drupal.

These apps are typically open source, so the code is available not just to you but to attackers as well, who read it looking for security holes. The publishers know this only too well, which is why they release security updates from time to time as issues are found. Bear in mind that a security update also tells attackers exactly what was fixed, and working exploits for the old version usually follow within days. The window between a patch being released and you applying it is the dangerous one, so apply updates promptly, and remove plugins and add-ons you no longer use rather than leaving them installed and unpatched.

We host content for thousands of web publishers, and of all the exploits we encounter, at least 80% are carried out because the attacker was able to exploit a vulnerability in an outdated script/plugin/addon.

Open Directories and Installation scripts

I always say that "you cannot effectively attack what you cannot see". One of the simplest, yet effective, techniques for protecting your site is to stop the server from exposing its directory contents. Most web servers, by default, are configured to display a list of files and folders in any directory that has no index file (index.html, index.php, default.html, etc.). Such a listing hands an attacker the names of backup copies, configuration files and installer scripts you may have forgotten about.

Turning off directory listing on the server ensures that no one can see the contents of folders without an index file. If your site is hosted on Apache, you can do this by adding this line to your .htaccess file: Options -Indexes. This only takes effect if the server configuration allows it (AllowOverride must include Options); if it does not, ask your host or set it in the server configuration instead. Remember that hiding the listing does not protect the files themselves: anyone who knows or guesses a file name can still request it, so sensitive files still need proper access controls or should be kept outside the web root.

Also, if using 3rd-party scripts and software, it is generally a good idea to delete any install or upgrade scripts/folders once setup is complete. Leaving these on your server constitutes a vulnerability, because anyone familiar with the software knows exactly where they are and can use them to reconfigure or reinstall your site. Delete them rather than merely blocking access to them, and check again after every upgrade, since an update may put them back.

The same goes for directories that contain the admin and/or member area of your software. We are seeing more and more content publishers using CMSes (WordPress in particular) to create and publish content, and the admin login of each CMS sits at a well-known path that attackers scan for and brute-force.

This security plugin does a pretty decent job of securing your wp-admin directory, as well as providing tools for configuring most of the recommended WordPress security tweaks.

Error Reporting

Displaying errors in the browser can be very useful for debugging on a testing server, but it is extremely dangerous in a production environment. Errors thrown back by the web server or by PHP normally contain full directory paths, which on shared hosting usually include the hosting account username (a path under /home/<username>/, for example). That username is one half of the credential pair for the hosting control panel, FTP and SSH, so an attacker only has to guess the password, which is easy if you use a weak one. Error messages can also reveal database names, table structures and the exact software version in use. Turn error display off in production and write errors to a log file outside the web root instead.
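The points from the last three sections (directory listings, leftover installer scripts, a well-known admin directory, and error display), plus the HTTPS point from the start of the article, gathered into one .htaccess as an added example. This is not configuration from the original article; it assumes Apache 2.4 with mod_rewrite and mod_php, a host whose AllowOverride permits these directives, a WordPress-style /wp-admin path, and the 203.0.113.0/24 address range, installer file names and log path are placeholders to replace with your own.

```apache
# Added example .htaccess (illustrative; not from the original article).
# Assumes Apache 2.4, mod_rewrite, mod_php, and AllowOverride that permits
# Options, FileInfo and AuthConfig. Addresses, file names and paths are
# placeholders.

RewriteEngine On

# 1. Force HTTPS for the whole site, not only the login page, so the session
#    cookie is never sent in the clear after login.
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. Never list directory contents when a folder has no index file.
Options -Indexes

# 3. Safety net for installer/upgrade scripts (delete the files as well;
#    the names here are common examples, adjust to your software).
#    Apache 2.2 would use "Order deny,allow" / "Deny from all" instead.
<FilesMatch "^(install|upgrade|setup)\.php$">
    Require all denied
</FilesMatch>

# 4. Restrict the admin area to a known address range (placeholder range).
#    admin-ajax.php is excluded because WordPress front-end features call it.
RewriteCond %{REQUEST_URI} ^/wp-admin(/|$)
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.
RewriteRule .* - [F]

# 5. Keep PHP errors out of responses and log them outside the web root.
#    These php_* directives only work under mod_php; with PHP-FPM/FastCGI
#    set the same options in php.ini or .user.ini instead.
php_flag  display_errors off
php_flag  log_errors     on
php_value error_log      /home/example/logs/php_errors.log
```

After adding this, request a folder without an index file and a deliberately broken PHP page from a browser: you should get a 403 and a blank or generic error page respectively, with the details appearing only in the log file.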

Unsecured Web Forms

I cannot stress enough the importance of securing your forms. Web forms typically submit to a script on your website, and in most cases that script passes the submitted values to a database on your server. Needless to say, a form handler that is not properly coded can allow an attacker to do all sorts of things on your website.

An attacker can enter SQL or scripting code into any field whose value ends up in a database query or a web page without being handled properly. Such SQL injection attacks have caused problems for websites for years, and they remain a major threat today. Note that a "maximum length" limit on a form field is not a defence on its own: the limit lives in the HTML, an attacker submits directly to your script and bypasses the form entirely, and a damaging injection can be very short anyway. Length limits are worth having, but the real protection is validation and safe query construction in the server-side script.

Bottom line: if you really do have to allow users to enter their own values (instead of selecting from a drop-down or other selector), check the data type of the incoming data (numbers, strings, etc.), validate it in your script (whitelist the characters and length you expect, and never rely on client-side checks), and write database queries using parameterised (prepared) statements so that user input is only ever passed as data and can never change the structure of the query. Escaping values by hand is error-prone; use the parameter binding your database library provides.
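The login lookup from the last two paragraphs written the vulnerable way and the safe way, as an added example that is not code from the original article. It uses Python's built-in sqlite3 module against an in-memory database with one constructed user record; the table and column names, the username rules and the password value are assumptions. The password is stored in plain text only to keep the injection demonstration short; a real site stores a salted hash.

```python
"""Added example (not from the original article): SQL injection via string
concatenation versus a validated, parameterised query. Runs offline against
an in-memory SQLite database; schema and sample data are constructed here."""
import re
import sqlite3

# Assumed validation rules for a username (adjust to your own site).
MAX_USERNAME_LEN = 32
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


def setup_db() -> sqlite3.Connection:
    """Create a throwaway database with one constructed user record.
    Plain-text password kept only for brevity; real sites hash passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The bug: the query is built by concatenation, so form input becomes SQL."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def validate_username(username: str) -> bool:
    """Server-side check: a maxlength attribute in the HTML is not enough because
    an attacker posts straight to the script, bypassing the form."""
    return len(username) <= MAX_USERNAME_LEN and USERNAME_RE.fullmatch(username) is not None


def lookup_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: placeholders bind the input as data, never as SQL text."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Defence in depth: validate first, then use the parameterised query."""
    if not validate_username(username):
        return False
    return lookup_parameterised(conn, username, password)


def demo() -> dict:
    """Run both versions with a legitimate login and a classic injection."""
    conn = setup_db()
    # The payload closes the quoted string, adds an always-true condition,
    # and comments out the password check with '--'.
    payload = "alice' OR '1'='1' --"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "injected_vulnerable": login_vulnerable(conn, payload, "wrong"),  # bypassed!
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "injected_safe": login_safe(conn, payload, "wrong"),
        "injected_parameterised_only": lookup_parameterised(conn, payload, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30s} logged in: {ok}")
```

The "injected_parameterised_only" entry shows that parameter binding alone defeats the payload even without the whitelist; the validation step is there to reject junk early and to give you a place to enforce type and length rules for every field, not just this one.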

To name a few ...

With over 780 hack incidents recorded between January and July this year, online and data security should be vital to any web content publisher, not to mention web-based service providers. Website security goes much deeper and gets far more technical than this, but the steps above should help you protect your site against the more common and basic threats.
