In today’s digital landscape, web security cannot be taken for granted. Even websites built with best practices can fall victim to attacks if proper precautions are not taken. Web applications are inherently complex, and staying vigilant is key. For IT teams and developers, adopting strong programming practices is crucial to protect websites and sensitive data. Below are the essential security practices every developer should implement.
1. Never Trust User Input
A fundamental principle in web security is never trust user input. All user data must be validated and sanitized before use. Validation ensures the data is in the expected format, while sanitization removes unwanted or malicious characters.
Even server variables like $_SERVER['HTTP_HOST'] can be manipulated by attackers, making them potential security risks. For example, using:
<form action=”<?= $_SERVER[‘HTTP_HOST’]?>/page”>Or
$config[‘site_url’] = ‘HTTP://’.$_SERVER[‘HTTP_HOST’];However a user (attacker) can modify this variable by sending a different host header. So we should avoid using $_SERVER[‘HTTP_HOST’] and use the domain name instead. E.g
$domain_name = 'mydomain.com';$config['site_url'] = 'HTTP://'. $domain_name;This type of security vulnerabilities leads to phishing attacks and cache poisoning.
2. Understand Cross site scripting (XSS):
In this type of web security attack, an attacker executes an unwanted malicious JavaScript in the user browser. Let’s say a website contains the following input field
<input type="text" value="user" />So an attacker comes and insert script like this
"<script>alert(‘website hacked’);</script><input type="text" value="so it becomes
<input type="text" value="" />
<script> alert(‘website hacked’);</script>
<input type="text" value="" />In this way attacker can execute the script he/she wants to execute and can steal user cookie, spread malwares and perform many other tasks.
Type of cross site scripting are
- Persistent XSS: originates from website database.
- Reflected XSS: originates from victim’s request
- DOM-Based XSS: originates from vulnerabilities in client side code
The prevention for this type of web security vulnerability is to encode and properly validate user input both on the client side as well on the server side.
3. Cross site request forgery (CSRF):
In this type of web security vulnerability, malicious website sends a request to a web application that a user is already authenticated against. The attacker inspects the website and finds the form action and then submit the form from a malicious website to the found action url with the desired values.
To prevent this type of security attacks always include an unpredictable token to each request and verify request again that token.
4. SQL Injection:
This type of security attack arises because of security weakness which allows attacker to take control of application’s database. Thus the attacker can view, modify, delete records or even drop tables. For example, let’s say we have a website that displays student result based on the student id.
Student Id
The actual SQL query is
SELECT * FROM std_result WHERE std_id=1005So it will fetch the user result but what if the user type 1005 or 1=1 into the box. The query will become
SELECT * FROM std_result WHERE std_id=1005 or 1=1In this case the first condition will become false but the second condition will become true and it will fetch all the rows. The attacker can also drop the whole table if he/she types 1005; DROP table std_result; into the box.
This type of attacks can be prevented by using PDO and mysqli with strongly typed parameterized queries.
5. Session Fixation
In this type of security vulnerability an attacker explicitly sets session identifier of a session for a user. It’s typically performed by making a URL like http://www.example.com/index.php...?session_name=sessionid. This URL is then passed to the victim. As soon as the victim clicks on the link, the attack is succeeded.
This type of security vulnerability can be prevented by
- Setting session_use_trans_sid = 0 in php.ini file which will tell PHP not to include identifiers in URL as well as not to read URL for identifiers.
- Setting session_use_only_cookies = 1 in php.ini file which will tell PHP to never use URLs with session identifiers.
- Always regenerate session ID when session’s status changes, i.e. user authentication or storing sensitive information in the session
6. Session Hijacking:
In this type of security vulnerability an attacker gets hold of a session identifier and thus attacker becomes able to send requests as if they were the actual user. As the attacker has got the identifier, so they can perform any thing that can be done by the actual user.
We can’t really prevent session hijacking but we can make it difficult and harder to use by using strong hash identifier, setting additional entropy, changing session name from default PHPSESSID etc.
Note that the difference between session fixation and session hijacking is that of how the attacker gets access to identifier. In session fixation the identifier is set to a value that the attacker knows while in hijacking the identifier is being stolen from the user or being guessed by the attacker. The impact of both is the same.
7. Patch Your Servers
Sometimes you may get hacked even when its not your fault. There have been some severe hacks recently such as Heartbleed and WannaCry. It would be very helpful when you can patch your webservers against such wide ranging hacking techniques. Kernel hardening or OS hardening is a valid technique. For large websites and business concerns, its important to patch your servers, even every week if need be. You can setup a server cron job (scheduled task) to send you list of outdated packages so you can update manually. We do this regularly for our dedicated clients.Finally, you can ask a software company specializing in web security to look into your setup. They will do stress tests, performance tests and penetration tests to find of any vulnerabilities. If you are looking to get your website tested then you can discuss with us.
If you want to get familiar particularly with woocommerce security you can Read.
8. Use Fail2Ban for Brute-Force Protection
Fail2Ban is a powerful intrusion prevention software that protects servers from brute-force attacks and suspicious login attempts. While it’s not WordPress-specific, integrating it into your security strategy can provide an additional layer of protection.
Fail2Ban works by monitoring log files for failed login attempts and blocking IPs that show malicious behavior, such as repeated login failures or scanning for vulnerable pages.
Steps to Set Up Fail2Ban for WordPress:
1. Install Fail2Ban:
On Ubuntu/Debian systems, use:
sudo apt-get install fail2ban
2. Configure Jail for WordPress Login:
Create a custom jail file, for example:/etc/fail2ban/jail.d/wordpress.conf
[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
findtime = 600
3. Create a Custom Filter:
Add a filter file at /etc/fail2ban/filter.d/wordpress.conf and include patterns for WordPress login attempts:
[Definition]
failregex = ^.*Failed login attempt.*$
ignoreregex =4. Restart Fail2Ban
After configuring, restart the service to apply changes:
sudo systemctl restart fail2banThis setup ensures that malicious actors who repeatedly fail to log in are automatically blocked for a specified duration.
9. Disable XML-RPC for Enhanced Security
XML-RPC is an API that allows remote communication with your WordPress site, such as publishing content or managing comments via third-party tools. However, it’s often exploited in brute-force attacks and distributed denial-of-service (DDoS) attacks.
Steps to Disable XML-RPC in WordPress:
1. Use a Plugin:
The simplest way to disable XML-RPC is by using a plugin like Disable XML-RPC.
2.Manual Method (via .htaccess):
Add the following lines to your .htaccess file to block access to the XML-RPC file:
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>3. Disable via Functions File:
Add the following code snippet to your theme’s functions.php file:
add_filter('xmlrpc_enabled', '__return_false');Disabling XML-RPC significantly reduces the attack surface of your WordPress site without affecting most modern integrations, as the REST API has largely replaced XML-RPC for remote functionality.
By adding Fail2Ban and disabling XML-RPC to your security measures, you further bolster the defenses of your WordPress site, ensuring a more robust security posture.
Conclusion
Web security is not a one-time task—it’s an ongoing process that requires constant vigilance, proactive measures, and timely updates. From securing user input and understanding common vulnerabilities such as XSS, CSRF, and SQL injection, to safeguarding user sessions and keeping servers patched, every step plays a critical role in protecting your web applications.
By implementing practices like parameterized queries, thorough input validation and sanitization, robust session management, and intrusion prevention mechanisms such as Fail2Ban, you can significantly reduce the risk of exploitation. Additional measures, like disabling XML-RPC where not needed and maintaining up-to-date server patches, further strengthen your defenses.
While no system can ever be 100% secure, following these best practices ensures that you minimize vulnerabilities and stay ahead of potential threats. Whether managing a small website or a complex enterprise application, investing in a comprehensive security framework is essential for protecting your digital assets and maintaining user trust.
For organizations looking for professional security audits or tailored protection strategies, consulting experienced web security experts can provide an extra layer of assurance and peace of mind.
