Recently, I received a website inquiry asking about SQL and XML injections and decided to share my response here to help others with the same questions.

What is a SQL injection?

A SQL injection is when someone injects, or inserts, SQL syntax into a website’s form field (typically using a meta character such as a quote) so that it becomes part of the query the site runs, in order to gain access to sensitive data in a database, make changes to a database, or otherwise exploit a database or a website that is powered by a database. This is a well-known vulnerability and can wreak havoc on a website and the database that powers it. It has been used on websites to insert malicious code, redirect a website to another website, and more. Often, older versions of PHP or SQL contribute to this type of vulnerability because of known security issues. This becomes a problem when programmers write code and then do not update it to keep up with the latest releases. Form validation and limiting what can be entered in fields is extremely important, because any field on a website can make a site vulnerable.
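To make the difference concrete, here is an added Python example (not code from the original post) that builds a throwaway SQLite table from constructed sample users and runs the same name lookup two ways: with the form value pasted into the query text, and as a parameterized query, plus an allowlist check on the field itself. The page talks about PHP sites; the same two-step defense (validate the field, then parameterize the query) is what PHP's prepared statements give you.

```python
import re
import sqlite3

# Constructed sample data for this demonstration, not a real site's table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Allowlist for a username field: letters, digits, dot, underscore, hyphen; 1 to 32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The mistake described above: the form value is pasted into the SQL text,
    so a quote in the input ends the string and the rest is parsed as SQL.
    Kept only to show the difference; never use this pattern."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value travels separately from the SQL text,
    so it is compared as data and never parsed as part of the statement."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def validate_username(value: str) -> bool:
    """Defense in depth: reject anything outside the allowlist before it
    reaches the database layer at all (the 'limit what can be entered' point)."""
    return USERNAME_RE.fullmatch(value) is not None


def demo() -> dict:
    """Run both lookups with a tampered form value and with a normal one."""
    conn = make_db()
    tampered = "nobody' OR '1'='1"  # the textbook quote-and-OR form input
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, tampered)),  # every row leaks
        "safe_rows": len(lookup_safe(conn, tampered)),  # nobody has that literal name
        "safe_normal": lookup_safe(conn, "alice"),
        "tampered_passes_validation": validate_username(tampered),
    }
```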

What about XML?

With XML, what’s known as XML External Entity Injection (XXE) occurs when an external entity is referenced in a document in order to reveal information during the XML parsing process. This could include server files, data including private user data, port scanning of internal hosts, and more. Additionally, XXE attacks can overwhelm computer resources when external entities reference each other and the resulting expansion overloads the server’s memory.
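As an added example (not part of the original reply), here is a Python parser built on the standard library's expat bindings that refuses the DOCTYPE, entity declarations and external references that both XXE and entity-expansion documents depend on. The XML samples are constructed for the demonstration, and the file path in the external entity is a placeholder.

```python
import xml.parsers.expat

class DtdForbidden(ValueError):
    """Untrusted XML carried a DOCTYPE, an entity declaration or an external reference."""

# Constructed sample documents for this demonstration.
BENIGN_XML = b"<order><item>widget</item><qty>2</qty></order>"
# External entity pointing at a placeholder path: the XXE pattern described above.
XXE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
    b"<order><item>&ext;</item></order>"
)
# Entities that reference each other: the memory-exhaustion pattern described above.
EXPANSION_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE lol [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">'
    b'<!ENTITY c "&b;&b;&b;&b;">]>'
    b"<lol>&c;</lol>"
)

def parse_untrusted(data: bytes) -> list:
    """Parse XML from an untrusted source with expat, refusing any DOCTYPE,
    entity declaration or external entity reference before it takes effect.
    Returns the element names in document order, standing in for real work."""
    parser = xml.parsers.expat.ParserCreate()
    seen = []
    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdForbidden(f"DOCTYPE {name!r} not allowed in untrusted input")
    def forbid_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise DtdForbidden(f"entity declaration {name!r} not allowed")
    def forbid_external(context, base, sysid, pubid):
        raise DtdForbidden(f"external entity {sysid!r} not allowed")
    # An exception raised inside an expat handler aborts the parse and propagates.
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external
    parser.StartElementHandler = lambda tag, attrs: seen.append(tag)
    parser.Parse(data, True)
    return seen

def is_safe_to_process(data: bytes) -> bool:
    """True only when the document parses under the hardened settings."""
    try:
        parse_untrusted(data)
    except DtdForbidden:
        return False
    return True
```

In PHP the equivalent is to keep external entity loading disabled for libxml and to reject documents that carry a DOCTYPE at all, which is what the OWASP XXE prevention cheat sheet linked below recommends.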

“How do I prevent upload vulnerabilities?”

Your second question, “How do I prevent upload vulnerabilities?” is a bit trickier to answer. The Open Web Application Security Project (OWASP) is a great resource. Here are some links that I hope will help.
https://www.owasp.org/index.php/Category:Vulnerability
https://www.owasp.org/index.php/SQL_Injection
https://www.wikihow.com/Prevent-SQL-Injection-in-PHP
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

If you have your own website and want to be able to update it easily while keeping it safe, you might consider a WordPress framework. You can easily run WordPress on your website’s server. WordPress can be downloaded from https://wordpress.org and runs best and is most secure on Linux servers with SQL database access. Many web hosting providers offer a simple application install for WordPress. If you do install WordPress, be sure to install the Wordfence Security plugin (https://wordpress.org/plugins/wordfence/), which scans websites, alerts you to vulnerabilities and needed updates, and protects against unauthorized access.

Also, if you use forms on your site, you may want to integrate Google’s reCAPTCHA to protect your site from spam form submissions (https://www.google.com/recaptcha/intro/v3.html).

I hope this helps demystify some known and widely reported security vulnerabilities on websites.

You probably know how important it is to keep your website updated. When I talk with folks about their websites, I often ask how their site is working out and what it could do better for them. Sometimes, I get the response,

“I’m not sure, I haven’t done much to keep my website updated.”

Yup, we’re all busy.

At any given moment, we’re all probably juggling a half dozen things at the same time. But, not touching your website for months, or sometimes years, is never a good thing. Even when I’ve not posted on my blog or my other websites for a while, I still administer and maintain them pretty frequently. I’ll tell you why this is important.

Check on your website to keep it safe

I’ve seen some bad cases of website hacking with malicious code or malware. Finding the root of the problem and removing it effectively can be tricky and time consuming. Having said that, the sites that have had the worst-case scenarios were left for long periods of time without any administration or even site visits by the owner.

HTML Website Updates

If your site is an HTML site, checking the site and updating the pages can prevent or at least detect malicious activity early.

Keeping your WordPress site current

With a WordPress site, it’s just as important to check your website to ensure that you’re running the latest version of WordPress, your plugins are current, and your theme is on its newest version. WordPress updates come out with security fixes to protect against known vulnerabilities. Keeping WordPress updated is essential for protecting all of the hard work you’ve put into your website, and the same goes for the plugins and themes you have installed.

Update your site to keep relevant

Google is in the business of delivering relevant results. When Google indexes, or checks out your website, it’s looking to see if there is any new or relevant content it can include in its search engine results.

Old and outdated pages or posts lose points when it comes to being relevant. When a website’s pages or posts are old, the site goes down in ranking, especially when compared to similar sites with newer content. If you want your website to come up in search engine results, there have to be new pages and posts added or updated frequently.

Run performance checks to keep it optimized

In addition to keeping sites that I work on updated, I also check them to make sure they’re running smoothly. A couple of tools that I use are Google’s PageSpeed Insights and HubSpot’s Website Grader. Both tools give you information on mobile as well as desktop performance and offer hints on what you can do if your site has a low score. Also, here’s an article from Geekflare that lists some more testing tools.

Periodic performance testing lets you see if your site is running smoothly

With periodic performance testing, you will see if your site is running smoothly or if it’s time to make adjustments. By keeping an eye on a site’s performance, I was able to see that the server the site was hosted on wasn’t responding well. This led to the discovery that my client’s hosting was on a pretty old server that needed to be upgraded.

All in all, websites need to be checked and updated regularly to give you the best results.

In my job, I get to talk with a lot of business owners. It’s one of the things I like best about what I do. During these conversations I often ask the business owner what they would like their website to do.

How can your website help you when you’re talking with your customers or clients?

When I ask this question, a lot of the time I’m told that they would like to use their website as a full-color brochure for their business on the go and in the field. This is my favorite answer! Why? Because it means that the website will have the opportunity to work hard for the business owner. It will be something that they’ll use and see value in right away.

Five things you can do to ensure your website works hard for you.

Keep your website current.

Outdated brochures, flyers and posters are often quickly discarded. However, I can’t tell you how many websites I’ve worked on that were 2-3 years old by the time I got to them. This always baffles me because outdated websites have a much broader reach than an outdated handout on the counter. I’m not saying discard your website like the flyers; just update it. If you don’t have ready access to your website, then you need to change that. Thinking about setting up a website for your business? Then make sure that whoever designs your website knows this and knows that you will be updating it. Easy updating should be built into the design.

Make sure it’s mobile friendly.

Studies show that the majority of internet users access the web on mobile devices like smartphones or tablets. If your website isn’t mobile friendly, you’re losing these potential site visitors. You may think, well, the website still comes up on a smartphone. Perhaps, but the text, links, and menu or navigation are too small. If your website isn’t mobile friendly or responsive, it’s not working for the majority of internet users.

Include accurate contact information.

With folks accessing the internet on the go, they’re also looking for business hours, phone numbers and directions. Knowing this, websites need to make sure that addresses, phone numbers and business hours are current. Also, make sure your contact information and social media links are easily visible on your website. Having contact information like a phone number and a map for directions toward the top and bottom of pages is a good practice.

Invest in quality photography.

Even if you have a good eye and understand composition, you may want to invest in getting a professional to photograph your business location. A professional photographer not only pays attention to composition, but also has an eye for lighting, white balance, and more complex compositional structures. What does all of this mean? Good photos matter. Especially on websites.

Consider getting schooled in Search Engine Optimization (SEO).

As I’ve probably mentioned before, having a website is good. Having a website that’s easy to find is the bee’s knees. If your website isn’t coming up in search engine results for what you do or what you offer, it’s time to talk with someone who knows about SEO. SEO employs techniques and strategies that focus on getting websites seen in search engine results using the content of the website. Sometimes this also means adding more content. Either way, it’s about ranking in search engine results without using paid ads (Pay Per Click ads or PPC ads).

If you want your website to work hard for you, taking these five steps will definitely help. Your website visitors will appreciate the time you take keeping the information fresh and accurate along with quality photos to showcase what you do. You’ll definitely see a difference in traffic if you make the move to a responsive, mobile-friendly site and optimize your site to be found in search engine results.