Although my website is still nowhere near done, I have begun thinking about web security. This website is going to be very public and contain information people assume to be true, which I wouldn't want hijacked. It would be a tragedy if the site got compromised, so I started thinking about some ways to protect it, or fight back.

Everything has been built with dynamic HTML through PHP, except for error messages, which use JavaScript popup alerts triggered by PHP cookies. There are textbox forms and dropdown boxes, all wrapped with htmlentities to prevent code from being run.

So I started thinking, "what are the ways in which my site's security could be compromised, what weapons of choice do hackers use?"

  • I know about changing the source code of the site with tools like Firebug or Chrome itself, but that shouldn't matter because I use PHP, and I am more concerned about what everybody sees.

  • They could use JavaScript injections.

  • They could submit code to be executed through the forms.

  • They could DDoS the website, which would crash it and to which I don't know of any defense. But I really don't think I'd be dealing with an entire faceless army of internet megaterrorists.

  • They could alter the HTML of email submission forms to get my password sent to me (them).

  • They could brute-force my password for the server/FTP, but I use strong passwords made up of all kinds of characters on the US keyboard.

So what are the ways I can protect my website from being compromised? What are all the ways (or general tactics and categories) that hackers use to destroy or exploit sites?

Are the things in the list of defense traps a good or feasible idea?

First things first: security is a huge area, far too broad for an SO question, but I'll try to address a few of the things you mentioned.

First of all, I think you are underestimating the resourcefulness and danger of some of the attacks that applications are exposed to on the web these days. The items you mention do cover a few of the more common and well-known attacks, but you can't simply tell yourself you are mitigating those few and be satisfied that the site will be safe. If you expect attention from hackers on your site (and even if you don't), you should be coding with security in mind from the start. I'm not even going to try to go into detail on that statement here, as it's the subject of several books; suffice to say the items you mentioned don't even begin to cover anything like the number of attacks that are out there.

As for all the 'traps', clever as they are, I wouldn't bother. Most variations on the 'security by obscurity' idea are generally wasted effort - an attacker will usually have ways of finding the traps before they are tripped, or of avoiding them entirely. At best, you'd catch them once; they simply use the same attack to get in again, and the second time they don't make the same mistake. All the difficulty of coding the traps, and having to go through annoying hoops to log in as a legitimate user, for no real gain in security.

Finally, I think you should focus less on brute forcing, and more on the attacks that result from exploiting weaknesses in your actual code, database structure, server setup, etc. Sure, implement your idea that blocks logins for a while after x failed attempts, but really the correct security solution here is having passwords that would take a prohibitively long time to brute force and making sure they are not shared with anybody or, (heaven forbid) stored in plain text in the database.

Those are just a few thoughts, anyway. I'd recommend getting a book on the subject, as it's far too wide an area to explain in an answer here, and I don't have the expertise to do so anyway.
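The two concrete points in the answer's last paragraph (a lockout after x failed attempts, and never storing passwords in plain text), written out for the PHP login the question describes. This is an added example, not code from the question or the answer; it assumes a PDO connection and a hypothetical `users` table with `username`, `password_hash`, `failed_attempts` and `locked_until` columns.

```php
<?php
// Added example (not from the question or answer): the lockout and
// password-hashing advice applied to a PHP login.
// Assumptions: a PDO connection $db and a hypothetical `users` table with
// columns username, password_hash, failed_attempts, locked_until (unix time).
declare(strict_types=1);

const MAX_FAILED_ATTEMPTS = 5;       // the answer's "x failed attempts"
const LOCKOUT_SECONDS     = 15 * 60; // how long logins stay blocked

// Store a salted, deliberately slow hash (bcrypt by default), never the password.
function registerUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO users (username, password_hash, failed_attempts, locked_until)
         VALUES (:u, :h, 0, NULL)'
    );
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// True only for a correct password on an account that is not currently locked out.
function attemptLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT password_hash, failed_attempts, locked_until FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still run a hash check so response time matches a real user.
    if ($row === false) {
        password_verify($password, password_hash('placeholder', PASSWORD_DEFAULT));
        return false;
    }
    if ($row['locked_until'] !== null && (int)$row['locked_until'] > time()) {
        return false; // still inside the lockout window, do not even check the password
    }
    if (password_verify($password, $row['password_hash'])) {
        $db->prepare('UPDATE users SET failed_attempts = 0, locked_until = NULL WHERE username = :u')
           ->execute([':u' => $username]);
        return true;
    }
    // Wrong password: count it, and lock the account once the limit is reached.
    $failed      = (int)$row['failed_attempts'] + 1;
    $lockedUntil = $failed >= MAX_FAILED_ATTEMPTS ? time() + LOCKOUT_SECONDS : null;
    $db->prepare('UPDATE users SET failed_attempts = :f, locked_until = :l WHERE username = :u')
       ->execute([':f' => $failed, ':l' => $lockedUntil, ':u' => $username]);
    return false;
}
```

The prepared statements also cover the "submit code through the forms" worry for the database side, while htmlentities on output (as the question already does) covers the JavaScript-injection side.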