Recently, I received a website inquiry asking about SQL and XML injections and decided to share my response here to help others with the same questions.

What is a SQL injection?

A SQL injection happens when untrusted input from a website form field (or a URL parameter, cookie, or HTTP header) is pasted into a SQL query as text, so that characters with special meaning to the database, such as a single quote, a comment marker (--) or a semicolon, let the attacker change what the query does. The attacker can then read sensitive data, make changes to the database, or otherwise exploit the database or the website that it powers. This is a well-known vulnerability and can wreak havoc on a website and the database behind it; it has been used to insert malicious code into pages, redirect a website to another website, and more. Older PHP code is a frequent culprit, not so much because of the PHP or database version itself as because legacy code tends to build queries by string concatenation instead of using prepared statements with bound parameters. This becomes a problem when programmers write code and then never update it. Form validation and limiting what can be entered in fields are important, but the reliable fix is to keep user data separate from SQL syntax with parameterized queries, because any field on a website whose value reaches a query can make the site vulnerable.
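To make this concrete, here is a small added example (it is not part of the original inquiry or reply) written in Python with SQLite instead of PHP and MySQL; the function names and the sample users are made up for the demo, but the fix it shows, a parameterized query, is the same one PHP's PDO prepared statements give you. The vulnerable login builds its query by string formatting, so the classic payload `alice' --` closes the quoted username and comments out the password check; the safe version hands the values to the driver separately and the same payload simply fails to match any user.

```python
import sqlite3

# Constructed sample data for the demo (hypothetical users). Passwords are
# stored in plaintext only to keep the example short; real code stores a hash.
SAMPLE_USERS = [
    ("alice", "correct horse", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: form input becomes SQL syntax."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the values travel separately from the SQL text,
    so a quote or comment marker inside the input is treated as plain data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Close the quoted string, then comment out the rest of the WHERE clause.
    evil_user = "alice' --"
    print("vulnerable:", login_vulnerable(conn, evil_user, "wrong"))  # alice
    print("safe:      ", login_safe(conn, evil_user, "wrong"))        # None
```

Note that input validation alone would not have saved the vulnerable version: a quote is a legitimate character in many fields (think of the surname O'Brien), so the separation has to happen at the query layer.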

What about XML?

With XML, what’s known as XML External Entity injection (XXE) occurs when a user-supplied XML document declares an external entity (a reference to a file on the server or to a URL) and the parser resolves that reference during parsing, so its contents end up in the parsed document or in an error message. This can reveal server files, private user data, and more, and because the server makes the request, it can also be used to reach internal hosts and effectively port-scan them. A related problem is entity expansion: a document can declare entities that reference each other so that a few lines expand to gigabytes of text when parsed (the “billion laughs” attack), exhausting the server’s memory. The usual defense is to configure the XML parser to reject DTDs altogether, or at least to refuse external entities.
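As an added illustration (not code from the original reply), here is a Python helper that applies the OWASP recommendation of refusing DTDs entirely. It first scans the document with the low-level expat parser, aborting the moment a DOCTYPE or ENTITY declaration appears, and only then parses it with ElementTree. The sample documents are constructed for the demo: a harmless order, an XXE payload pointing at a server file, and a small entity-expansion bomb. Function and class names are my own.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class DtdNotAllowed(ValueError):
    """Raised when a document carries a DOCTYPE or entity declaration."""


def reject_dtd(xml_bytes):
    """Scan the document with expat and abort on any DTD construct.

    An exception raised inside an expat handler propagates out of Parse(),
    so the scan stops at the first DOCTYPE or ENTITY declaration, before
    any entity could be expanded or any external resource fetched.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject(*_args):
        raise DtdNotAllowed("DOCTYPE and ENTITY declarations are not allowed")

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    # Belt and braces: returning 0 from this handler makes expat report an
    # error for an external entity reference instead of resolving it.
    parser.ExternalEntityRefHandler = lambda *_args: 0
    parser.Parse(xml_bytes, True)


def safe_parse(xml_bytes):
    """Parse untrusted XML only after confirming it declares no DTD."""
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


# Constructed sample inputs for the demo (not taken from any real site).
BENIGN = b'<order><item sku="A1">2</item></order>'

XXE_PAYLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<order><item>&xxe;</item></order>"
)

BILLION_LAUGHS = (
    b'<?xml version="1.0"?>'
    b"<!DOCTYPE lolz ["
    b'<!ENTITY lol "lol">'
    b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    b'<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">'
    b"]><lolz>&lol2;</lolz>"
)


def is_accepted(xml_bytes):
    """True if safe_parse accepts the document, False if it refuses it."""
    try:
        safe_parse(xml_bytes)
        return True
    except (DtdNotAllowed, ET.ParseError):
        return False


if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("xxe", XXE_PAYLOAD),
                      ("billion laughs", BILLION_LAUGHS)]:
        print(f"{name}: {'accepted' if is_accepted(doc) else 'refused'}")
```

Rejecting the DOCTYPE up front, rather than trying to filter individual entities, is the simplest rule to get right: legitimate data feeds almost never need a DTD, and both the file-disclosure payload and the expansion bomb depend on one.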

“How do I prevent upload vulnerabilities?”

Your second question, “How do I prevent upload vulnerabilities?”, is a bit trickier to answer. The Open Web Application Security Project (OWASP) is a great resource. Here are some links that I hope will help.
https://www.owasp.org/index.php/Category:Vulnerability
https://www.owasp.org/index.php/SQL_Injection
https://www.wikihow.com/Prevent-SQL-Injection-in-PHP
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

If you have your own website and want to be able to update it easily while keeping it safe, you might consider WordPress. You can run WordPress on your website’s server; it can be downloaded from https://wordpress.org and needs PHP plus a MySQL or MariaDB database, which is the standard setup on Linux web servers. Many web hosting providers offer a simple one-click install for WordPress. If you do install WordPress, be sure to install the Wordfence Security plugin ( https://wordpress.org/plugins/wordfence/ ), which scans the site, alerts you to vulnerabilities and needed updates, and protects against unauthorized access.

Also, if you use forms on your site, you may want to integrate Google’s reCAPTCHA to protect your site from spam form submissions: https://www.google.com/recaptcha/intro/v3.html .

I hope this helps demystify some known and widely reported security vulnerabilities on websites.

You probably know how important it is to keep your website updated. When I talk with folks about their websites, I often ask how their site is working out and what could it do better for them. Sometimes, I get the response,

“I’m not sure, I haven’t done much to keep my website updated.”

Yup, we’re all busy.

At any given moment, we’re all probably juggling a half dozen things at the same time. But, not touching your website for months, or sometimes years, is never a good thing. Even when I’ve not posted on my blog or my other websites for a while, I still administer and maintain them pretty frequently. I’ll tell you why this is important.

Check on your website to keep it safe

I’ve seen some bad cases of website hacking with malicious code or malware. Finding the root of the problem and removing it effectively can be tricky and time consuming. Having said that, the sites that have had the worst-case scenarios were left for long periods of time without any administration or even site visits by the owner.

HTML Website Updates

If your site is a static HTML site, checking the pages regularly and comparing them with your own copy of the files can prevent, or at least detect early, malicious changes such as injected scripts or redirects.

Keeping your WordPress site current

With a WordPress site, it’s just as important to check that you’re running the latest version of WordPress itself and that your plugins and theme are current. WordPress updates ship security fixes for known vulnerabilities, and plugins and themes are patched the same way, so an outdated one is an open door even when the core is current. Keeping all three updated is essential for protecting all of the hard work you’ve put into your website.

Update your site to keep relevant

Google is in the business of delivering relevant results. When Google indexes, or checks out your website, it’s looking to see if there is any new or relevant content it can include in its search engine results.

Old and outdated pages or posts lose points when it comes to being relevant. When a website’s pages or posts are old, it drops in ranking, especially compared with similar sites that have newer content. If you want your website to come up in search engine results, new pages and posts have to be added or updated frequently.

Run performance checks to keep it optimized

In addition to keeping sites that I work on updated, I also check them to make sure they’re running smoothly. A couple of tools that I use are Google’s PageSpeed Insights and HubSpot’s Website Grader. Both tools give you information on mobile as well as desktop performance and offer hints on what you can do if your site has a low score. Also, here’s an article from Geekflare that lists some more testing tools.

Periodic performance testing lets you see if your site is running smoothly

With periodic performance testing, you will see if your site is running smoothly or if it’s time to make adjustments. By keeping an eye on a site’s performance, I was able to see that the server the site was hosted on wasn’t responding well. This led to the discovery that my client’s hosting was on a pretty old server that needed to be upgraded.

All in all, websites need to be checked and updated regularly to give you the best results.

Photo Courtesy of Shel Rogers Photography | Clovis NM

Online privacy and the passage of the General Data Protection Regulation (GDPR) in the European Union (EU) has been in the news lately.