원격 서버에 파일을 추가하거나 수정할 때, 로컬에서 작업하고 서버에 업로드하는 것은 상당히 번거롭습니다. 그래서 텍스트 에디터 중에는 FTP로 서버에 접속해서 바로 작업할 수 있는 기능을 포함한 것이 있습니다. 대표적인 것은 에디트 플러스입니다.
프로그램 자체에 포함되지는 않았지만, 플러그인을 이용해서 FTP 기능을 추가할 수 있는 텍스트 에디터도 있습니다. 대표적인 것은 Brackets, Visual Studio Code입니다. 이번 포스트에서는 Visual Studio Code의 ftp-simple 확장기능을 이용해서 원격 서버에 접속하는 방법을 알아보겠습니다.
FTP 플러그인 중에는 로컬 머신과 서버를 동기화해주는 것이 있고, 서버의 파일을 직접 수정하는 것이 있습니다. ftp-simple은 직접 수정하는 확장기능입니다.
ftp-simple은 ftp 뿐만 아니라 sftp도 지원합니다. 서버에 SSH로 접속할 수 있다면 바로 사용할 수 있습니다.
ftp-simple 설치
확장기능(Extension)에서 ftp로 검색합니다. 여러 가지 확장기능이 있는데, 그 중에서 ftp-simple을 설치합니다.
서버 연결 세팅
F1을 누른 후 ftp-simple을 입력하면 관련 항목이 나타납니다.
그 중에서 ftp-simple:Config - FTP connection setting을 선택합니다.
연결할 서버의 정보를 입력하고 저장합니다.
autosave를 true로 하면 파일을 저장할 때 서버의 파일도 자동으로 저장합니다.
confirm을 true로 서버에 저장하기 전에 다시 한 번 저장할 것이냐고 묻습니다. false로 하면 묻지 않고 바로 저장합니다.
여러 개의 서버 정보를 넣고 싶다면 다음과 같은 형식으로 만듭니다. 중괄호 사이에 쉼표(,)가 들어간다는 것에 주의합니다.
To make sure that your visitors always will be using an secured connection to your website, you have to redirect visitors that are making the first connection via HTTP. Here we make use of the permanent HTTP redirect code (HTTP status 301).
The following steps describe the configuration of Nginx to have the website loaded completely over HTTPS. Please read our background information onSecuring your complete website with SSL
Configuring HTTPS per website
To comply withthe specsyou should first redirect visitors entering via HTTP to HTTPS. We need to configure this per worker (website), the configuration file for your site probably sits in /etc/nginx/sites-available/.
server {
listen 80;
server_name www.servercertificates.com;
return 301 https://$server_name$request_uri;
}
Note that theserver_nameneeds to be changed to your own domainname and the HTTPS version of your site is available, before creating the redirect.
Did you know that your website uses cookies to store confidential data? Did you know hackers can easily steal your cookies? This could put your website and visitors at risk!
Cookies store all sorts of information – from ad preferences of a customer to login credentials and credit card information. Cookies are used widely across the internet and it’s scary just how often they get stolen.
If you’re a victim of cookie stealing or session hijacking, the repercussions of it are severe. Not only do you lose revenue and the trust of your visitors but you could also face legal issues and hefty fines!
But not to worry because today, we’re going to take you through everything you need to know to prevent these attacks!
In this guide, we’ll first learn how hackers steal cookies then we’ll go through the preventive measures.
TL;DR
Worried about your WordPress website? You can secure your site right now by installing aSession Hijacking & Cookie Stealing Protection Plugin. It will scan your website regularly and alert you if a hacker injects any malicious code that will enable them to steal cookies. Using the plugin, you can clean up the hack promptly & avoid repercussions.
As much as we wish, cookie stealing isn’t as simple as a child sticking their hand into a cookie jar! It’s a complex process and to understand what is happening, we need to touch upon the basics.
→ What Is A Cookie?
You can think of cookies as tiny bits of data. It stores information about your interaction with a website. For example, an eCommerce site would like to track a customer’s journey – the products searched for, products purchased, items abandoned in the cart, or which pages they visit.
This gives the store analytical information on what customers prefer, which pages are being visited the most, how long users stay on a page, etc. They can then use this informationto tailor what’s displayed on the websiteaccording to the customer’s preferences.
Cookies give website owners insight into what works and what doesn’t. This helps them determine what they need to change or improve on their site.
Cookies are also used to display relevant ads to users. When you visit websites, you would notice advertisements being displayed.
These ads usually reflect your recent search history. For example, if you searched for ‘laptops’ on Google, you’ll notice that ads on all websites show you ads for dell. These ads are not a part of the website but are handled by services like Google Adsense.
Cookies make things convenient for both the website owner and the user.It can boost engagement and lead to more sales which is great for website owners. As for the buyer, cookies help them get a more personalized experience on a website or see ads that are more relevant.
But there are a lot of drawbacks which we’ll discuss a bit later.
When you log into a website, a session between your computer and this website is created.
For example, when you log into Facebook, a session begins. This allows you to keep using Facebook (even if you close and reopen the web browser) until you click on ‘log out’ and end the session.
If the session wasn’t created,you would need to keep logging in every timeyou wanted new data. For example, if you wanted to leave your Facebook news feed and view a friend’s profile page, you will be logged out of Facebook and would need to enter your credentials again to log in and view the friend’s profile.
This is why sessions are needed. It keeps you logged in so that you can continue to browse through different web pages and navigate the website.
What’s important to note here is that every session generates a set of cookies. We can call these session cookies. And each session cookie has a unique session ID.
A website uses this ID to authenticate the user and establish a trusted connection.
For example, to log in to Facebook, you need to enter your username and password. Next, a session is created with a unique ID. Any requests you make to the Facebook website will be authenticated with this ID. So, when you want to view a different page, you would be sending a request to the Facebook server to display that page. Facebook verifies the ID and displays the content you wish to see.
Now, hackers can hijack your session and abuse this trusted connection. They can send malicious requests on your behalf. Let’s see how.
When cookies are generated, they can only be viewed by you – the site owner. No other website can view your cookies. They belong solely to you.
But these cookies travel across the internet. They are used by ad services and analytics services. So these cookies bounce around from server to server all across the globe. If the connection is not secure, a hacker can easily intercept and steal these cookies.
Now, you may think that if a hacker manages to get information about your shopping preferences, big deal, right?
The problem is cookies stored more than just information about your shopping preferences.It also stores bank details and personal informationsuch as your shipping address and contact details.
If this kind of information falls into the wrong hands, it can be misused for fraudulent activities.
One of the most common ways hackers steal cookies is if they are using the same wifi as you. This kind of wifi hacking is called man-in-the-middle attacks and can take place only if both are connected to the same wireless network. This is why it’s advised tonever use public wifithat is unsecured or used by many. This can also happen to users within the same computer networks.
A few other methods include packet sniffing and by exploiting a vulnerability called cross-site scripting. Today, we’re going to show you in detail how the XSS cookie stealing works.
How Hackers Use Cross-site Scripting (XSS) To Steal Cookies & Hijack Sessions?
To show you how hackers steal cookies usingcross-site scripting(XSS) attacks, we’ll use an example. Let’s assume you visit a website that has a comments section on it.
Any comment you make will be sent to the website’s database. Ideally, this comments section should be configured to accept only text in plain English. But if it accepts special characters as well, this makes it vulnerable toXSS.
A hacker can enter their own malicious codes which will be sent to the database.Once inside, the code will get executed. There are numerous codes hackers can insert into the website to run all sorts of malicious activities like creating a new website admin or stealing cookies.
To steal cookies, a hacker can enter the following code:
Note: This is not a tutorial on how to steal cookies. This article is intended to make website owners aware of how hackers can steal cookies. We do not advise you to carry out any illegal activities.
In the comments section, this code will appear as an image. If you (as a visitor) click on it, you will see an image displayed. But there’s more than just happened.
When you click on the image, this PHP file silently executes the code and grabs your session cookie and the session ID.
Now the hacker can recreate your session and pose as you on that website.They can carry out a multitude of malicious acts. For example, if your cookie contains your credit card or any other payment information, they can make purchases.
Luckily, there are preventive measures to safeguard website owners as well as its visitors from these hacks.
How To Prevent Cookie Stealing And Session Hijacking?
There are two parties that play a role in preventing cookie theft and session hijacking – the website owner and the visitor. We’ll discuss preventive measures for both sides.
→Measures Website Owners Can Take Against Cookie Stealing
As a website owner, if you don’t have a security analyst to handle it all for you, you need to implement the following preventive measures:
1. Install an SSL Certificate
Data is transferred constantly between the user’s browser and your web server. Without SSL, this data (cookies) is sent in plain text. If a hacker intercepts this data, they can simply read it. So if it contains login credentials, it will be exposed.
SSL (Secure Sockets Layer) will encrypt the data before it’s transferred. So even if a hacker manages to steal it, they can’t read the data.
You canget an SSL certificatethrough your web hosting company or from an SSL provider. You can also get a basic free SSL certificate from Let’s Encrypt.
2. Install a Security Plugin
Keep aWordPress security pluginsuch as MalCare active on your website. The plugin’s firewall will prevent hack attempts on your website andblock malicious IP addresses. Plus, it will scan your site regularly and alert you if any malicious code has been entered by a hacker. You can clean up your website instantly. This will help you detect and delete such hack attempts immediately before they cause any harm.
3. Update Your Website
Always keep your website up to date, this includes the WordPress installation, themes, and plugins. Running on outdated software opens many vulnerable spots on your website that hackers can exploit. Ensure youupdate your siteas and when a new update is available.
These updates not only carry new features and bug fixes, but they also fix security flaws from time to time.
4. Harden Your Website
WordPress.org recommends certain website hardening measures that you should implement on your website. This includes using strong and unique usernames andstrong passwords,blocking PHP executionin unknown folders, disabling the file editor in themes and plugins and more. Now, this may all sound like jargon to you so we’ve created an in-depth step by step guide toWordPress Hardeningthat you can follow.
Steps Website Visitors Can Take Against Cookie Stealing
As a website visitor, you don’t have to blindly trust that websites have taken appropriate security measures. You can protect yourself with the following web security protocols.
1. Install an Effective Anti-virus
Ensure the device you’re using to access the internet has anti-malware software installed. This will alert you if malware is detected when you visit a malicious website. It will also remove any malware that you might accidentally download or install on your system.
2. Never Click on Suspicious Links
Hackers target users through the comments section on websites and through emails. Avoid clicking on untrusted links especially ones that lure you with attractive offers or discounts.
3. Avoid Storing Sensitive Data
Storing credit card information on shopping websites makes checkout faster and more convenient. Saving passwords on web browsers like Google Chrome to auto log into websites eliminates the need to remember passwords!
But it all comes with a high risk of being stolen. It’s best to never store sensitive data on websites. It may save you a few seconds, but it also puts you at risk of being attacked.
4. Clear Cookies
You can clear your cookies regularly to get rid of any sensitive information stored in browsers like Google Chrome. Access History > Clear Browsing History. Here, tick the checkbox ‘Cookies and other site data’.
Choose the time range ‘All Time’ or one that is according to your preference. Next, click ‘Clear data’ and the cookies will be deleted from your browser’s history.
That brings us to an end to cookie stealing. We hope this article has helped you gain a better understanding of what exactly happens and how to prevent it.
As a website owner, you need to take protective measures to secure your own interests as well as your visitors, clients, and customers.But we understand that setting up a website and managing it is a hard task.
There is an endless number of things to take care of which is why WordPress security tends to take a backseat many times.
But ignoring the security aspect of your website can prove to be disastrous to all your other efforts.
An easy, quick and efficient solution is the MalCare security plugin.You can think of it as a security guard that you hire.It will work round the clock to regularly scan your website and protect it from attacks. You can rest assured that your website is in safe hands.