Top 5 Ways To Protect Your Website From Spam Attacks By Hackers
All websites are potential targets for SEO spam for adding backlinks to benefit the hacker's web site and/or damage the reputation of your website with negative backlinks. In fact there are a lot of SEO hackers advertising their services for performing such tasks, and there is a plethora of software available that anyone can use to perform such tasks.
They call them "article submission software" and while they may seem like an ethical approach to submitting advertising to web sites catering for blogs and classified ads, they are commonly used for spam attacks. While they may include a list of known submission sites, they can also probe the Internet for such things as blogs and forums, and testing for vulnerabilities to exploit and inject their own data. To ensure that exploits are not possible, here are some things that you can do.
1. Disable write permissions on public facing files and folders
While many CMS require write access to be able to update plugins automatically, it is not recommended to leave write permissions intact at all times. In fact to prevent everyone from being able to upload what can be malicious payloads, no files or folders facing the Internet should be left writable by everyone. By "everyone" I mean the public and that should include logged in users as well because they will go to the trouble of creating and validating an account just to get their spam online.
If you are using a CMS like WordPress, Moodle, Drupal or Joomla, make sure that any plugins that you have installed have been vetted by the CMS core developers and that they are up to date. If a plugin was not available through the CMS home site, have your web developer check the code to ensure that by using it that you are not creating a huge hole in your website defense.
2. Prevent anonymous posting to your website and moderate all submissions
If you have a blog or forum on your website, spammers will be drawn to it like a magnet because there is nothing to prevent them from blasting away with posts that can include spammy backlinks to their website and/or damage your reputation by spamming with backlinks to generate negative SEO for your website. So the first step toward preventing that from happening is to require that the poster to create a membership, but not automatically approved because there is post submission software specially designed to automate that task also. Have them register to create a membership, and also require confirmation of their email address by responding to an email sent after registering. Until the link is clicked on that validation email their account should not be active and not allowed to post.
That may slow them down but they will go through this process to get their spam online. So the next best thing to do is moderate all submissions, including new posts and changes. Posts and articles should not be made live until you or your staff have checked them and deemed them suitable for publishing on your website.
3. Prevent posts from containing HTML that can include hyperlinks for backlinks.
SEO spam is of little use to anyone if it cannot include hyperlinks to create backlinks to sites that they want to promote or to negatively impact your reputation. So preventing the use of HTML to be able to include a link in the text is most recommended. Additional filtering can be used in the form submission process to remove any text prefixed by "http" etc.
4. Sanitize input fields and database requests
The days of hard coding HTML have gone and most new websites these days are using CMS which delivers web pages dynamically from database records. So even if your web pages are locked down and safe from overwrite, your database can be targeted to inject spam into your records. If that happens the result can be disastrous because while it may be clever to inject content, they may not be so clever to limit the injection to the correct table columns which can result in your website crashing due to data contamination.
Sanitization of all input fields and database requests is strongly recommended to ensure that the appropriate data type is used, and that it doesn't include words and symbols that can be used to send commands to your database to manipulate data. Out of the box CMS solutions like WordPress should already have such filtering in place, but often the CMS can be customized by web designers and unvetted plugins can be added that may undermine their defense.
5. Use website protection software
For mission critical websites and information centers where input can be submitted by multiple authors, website protection software or
PDF security software is highly recommended. For example if data and reports are being published such as those for technical guides, test results, online courses and article submissions, one sure way to prevent their content from contaminating or compromising your web pages is buy publishing them as PDF, either for download and desktop reading, or for online reading embedded on web pages. Using PDF protection and encryption will prevent any and all injection attempts to alter the PDF content.
Website protection software can further protect your web content by adding an additional layer limiting access to sections of your website or to only the web forms used to manage their input. By requiring that access to those pages be restricted to specific web browsers or a custom web browser, access from all other applications can be cut off, thus preventing the use of all spam and website exploit software. For example the ArtistScope Site Protection System (ASPS) uses a server filter to encrypt web pages that can only be decoded by the ArtisBrowser. The ArtisBrowser is the only software that can send page requests that are accepted by the ASPS server filter, thus forming a most secure tunnel between website and web browser that cannot be exploited even by packet sniffing software.
NOTE: The use of Captcha to prevent spam has not been mentioned here because spamming software can still read disfigured letters and numbers, and most Captcha scripts fail in one type of web browser or another.
Author: William Kent
Date: 6th August 2020
Return to DRM and Copy Protection