Avoid File Uploads

Another measure to prevent website from hacking is restricting users from uploading files. When you allow users to upload files to your website your website becomes vulnerable to website security risk. There are number of risk associated with file uploading, as the file being uploaded could contain a script that when executed on your server, completely opens up your website.

If you have any kind of file upload form then you need to treat all the files with great suspicion. Images can easily be faked and if you are allowing users to upload images, you cannot just rely on the file extension to verify that the file is an image.

What you need to do is prevent direct access to uploaded files altogether. With this solution, any files uploaded to your website are stored in a folder outside of the webroot or in the database as a blob. If your files are not directly accessible you will need to create a script to fetch the files from the private folder (or an HTTP handler in .NET) and deliver them to the browser.

This will ensure that malicious or fake files don't get uploaded to your website.