How to Protect Laravel, CodeIgniter Sites from Hacking

How to Protect Laravel site from HackingPin

You may think that hackers or attackers will not target or they will not have time to attack your websites. If you have that idea, throw that away. Cause hackers will attack the website for two main reasons:

  • If your site has good ranking and followers.
  • For fun and Timepass.

Being a Website developer people would have faced hacking of their websites at least once in their lifetime. We might think that having a popular Framework like Laravel and CodeIgniter can protect your site, but some hidden loopholes or changes in any code can make the hackers enter easily into our Server. But don’t worry, I’m here to tell you “How to protect Laravel and CodeIgniter site from Hackers” and also will help you to improve its security. In addition, I will explain to you about symptoms of Hacking and the types of hacking attacks.

Two main attacks on a website

  • SQL Injection
  • Cross-Site scripting

How the attackers are entering into your Website?

  • Installing a cracked version or unknown third-party software can make a way for the attackers to enter into your Website.

Advantages of using an Open Source Framework

  1. It will help in improving and introducing new concepts.
  2. Easy reliable as it is very strong.
  3. It comes with a good amount of Security.

Reason for the attack

Modifying the location of the index.php from the public folder can expose all the core files (Vendor folder) in the server. This makes a clear path for the attackers to attack the server.

How to prevent Laravel for attackers/hackers?

To prevent the Laravel for hacking, you have to un follow the direct access of the files from the webserver and hide .env file or code from the server.

Why do we protect the .env file?

Even though Laravel is highly protective, that can be hacked due to some changes happening in our server. You may have doubts like how is that possible? Or protecting a .env file can stop attackers from these kinds of activities? Obviously yes to these questions. Because the .env file has all the data related to the applications and the database and it is openly available publicly. So it’s easy for hackers to access sensitive data on the website. So, the first thing is you have to do the following procedure given below and after collecting that you have to hide the .env file.

Do to that,

  1. Select the .htaccess file and choose Edit.
  2. Now you can see the code, don’t change anything on that code.
  3. Just scroll down and enter the following code to stop access to the files.

# Disable index view

Options -Indexes

# Hide a Specific file

<Files .env>
Order allow, deny
Deny from all

This code helps to stop access 

How to hide a file?

After completing the process:

  1. Select the .env file and choose Edit.
  2. Then tick hides the file option and saves changes.
  3. This will hide the file from the public view.

Common risk

Let me tell you what are the common risk which can attack your Websites due to easy accessibility:

SQL Injection

This will twist/change the login algorithms and destroy data.

An SQL injection is the most common web application vulnerability. The SQL injection happens when the attackers try to exploit access to get sensitive data from the website. The hackers try to inject some malicious SQL commands into the SQL statements. This helps the attackers to control the whole Database server.

The only way to get sensitive information from the database is by attacking the Login page.

Common Query

Check if this command is true at the SQL statement.

Select * from Users where username = 'UserName' and Password = 'Password';

It is a common query and you need not be worried. The user of this database is using the correct username and the password to get into the site.

Injected Query

select * from users where username= 'username' or '1=1';

This will allow the attackers to enter into the Database easily when the above command is true.

The above steps will help you in learning the common SQL injection.

Now let me tell you the prevention from this SQL Injection.

$stmt = $pdo->prepare(‘SELECT * FROM table WHERE column = :value’); $stmt->execute(array(‘value’ => $parameter));

So this is an easy way to escape from SQL inject.

Denial of Service Attacks

This will stop the user from entering into their resources.

Cross-site Scripting XSS

This injects code into the web pages viewed by the clients and other users.

A Cross-Site Scripting is done by injecting a malicious URL into the browser to destroy the security of the Web application.

Now let me give you an explanation about how this injection is happening and then let us move with the prevention of your website from this injection.

How it is injected?

The attackers use the image tag with a blank source in order to inject the XSS injection into the website. Cause the script tag will not show up when your site is attacked. For example, if the hacker injects the URL and they can access some sensitive information from your Website. Pretty well then can get the Login Username and the Password without our knowledge.

How to prevent it?

Get the actual page's code and modify the code for not getting an error message while loading.

function Username(Hello) {
$result = $this->db->get-where('User_registartion',array('Username'=>Hello));
//Is there a row with username?
if ($result->num_rows>0)
//Let's return false for the validation and set a custom message for this function
$this->form_validation->set_message('Username', 'That username is already used.');
return FALSE;
//Everything is good, don't return an error.
return TRUE;

function Username()  – This function sends the message to the controller to checks for existing users on the website.

if ($result->num-rows>0) – If  num_rows ==1 then it will not allow to create a new user on the database.

Also, if there is an error message it will show that the certain username is not valid or it will not show up the list of existing usernames.

Cookie/Session Poisoning

Modifies cookies on the site to achieve unauthorized access.

Form Tampering

This changes the form of data.

Code Injection

This injects codes like PHP, Python, which installs backdoors and reveal sensitive information from the server.


Modifies the Website pages and redirects all the pages to a single page that contains the attacker's message.

The Symptoms of Hacking

If you doubt that your Laravel is being hacked, just check whether you have seen any of these following steps:

  1. The website seems very slow and often shows error messages.
  2. You receive “your account has been suspended” message.
  3. A new admin appears in the login database.
  4. The website will be blacklisted by the search engine.
  5. Website pages will be redirected to some malicious websites.
  6. The content on the website Gibberish due to hacking.

Tips to Improve your Website's protection

  1. Keep everything updated.
  2. Use a strong password for the Login page using characters, capital letters, punctuations, etc.,
  3. Install SSL (Security Stoke Layer) certificate for your Website. This helps in Google ranking and gain the reader's trust.
  4. Use Two-factor authentication for your email.
  5. Always have a backup copy of your site.

I hope this article will be useful to protect your Laravel from hackers /attackers. And I have given some more extract information about symptoms of hacking and the common threats used for hacking. Thanks for reading this article. If you have any doubts, leave that in the comment box below.

About The Author

Scroll to Top
Share to...