Smashing Magazine has put up a good article introducing some of the most common security vulnerabilities in websites. They are all things that site administrators should at least be aware of – including those who never actually touch code, but rely on something like WordPress to sort it out for them. Some of the attack types described include SQL injection, cross-site scripting (including the vulnerability of JavaScript), path traversal, cross-site request forgery, remote file inclusion, phishing, and clickjacking.
For those who run websites but know nothing about coding, there are three take-home messages:
- Update your software, to ensure that security holes get patched as they emerge. If you are still running WordPress 1.5, you have a big problem.
- Keep an eye out for weird behaviours. Are links appearing on your site that you didn’t put there? If so, there is a good chance it has been compromised.
- Remember: the internet is a dangerous place. Running a Mac doesn’t mean you’re safe from malware and other sorts of attacks. Neither does running a virus scanner or avoiding dodgy websites. If you have information you want to keep private, keep it encrypted. If you have data you don’t want to lose, back it up.
Sadly, the great majority of people are annoyingly indifferent about security these days. It seems like a couple of my friends always have their MSN or Facebook accounts taken over by spammers, and others are content to let their blogs fill up with spam comments. Such recklessness makes the internet a worse place, and it would be appreciated if people who choose to engage online do so with a bit more diligence and respect.