Protecting your site against hackers


We consider it of the utmost importance that your website is kept safe and secure from hackers. Although we employ a range of measures to keep our web servers secure, an individual customer account can still be compromised through weaknesses in the software it runs or the credentials used to reach it. The following strategies should be treated as precautions against that kind of attack.

Note: This is not an exhaustive article on available protection methods, but following it removes the most common ways accounts are compromised. If you have been hacked before, or you believe your website or account is being specifically targeted, we recommend further research into additional protection options.

Keep your scripts up to date

This is an extremely important measure: keep abreast of the latest updates to any scripts you run, especially popular and widely used ones (for example Joomla, Mambo, WordPress, vBulletin, as well as any shopping carts, forum software, etc). Once a vulnerability in a popular script is published, automated attacks exploiting it spread across the internet within days, so an unpatched copy is a target no matter how small your site is. Most scripts cannot update themselves, so you will have to do this manually. If you are using any third party software you will need to check the vendor's website for the current version and download the upgrade package with its instructions. Before upgrading, make a copy of your current web files and database so you can roll back. Some scripts offer an RSS feed or newsletter you can subscribe to if you want to be informed about the latest updates. This applies equally to any third party modules, themes and plugins you use: an outdated plugin is exploited just as readily as an outdated core script.

Remove the install folder/script

Often when installing a script, the installer leaves behind an installation directory or setup script. Most of the time you will be instructed to delete it once you have finished installing your software. We advise you do this, as otherwise anyone who finds it can simply run the installer again and, depending on the script, reconfigure the installation, overwrite your configuration or create an administrator account for themselves.

Obfuscate your admin area

Attackers use automated scripts to scan and probe directories for tell-tale files such as login.php, adminlogin.php and so forth. If your script allows it, rename that file to something nonsensical (mypetdogrover.php, for example) so that mass scanners pass you by. Be aware that this is obscurity, not protection: the real name leaks through links, error messages and page source, so a targeted attacker will still find it. Treat renaming as a supplement to a strong password and, where your hosting offers it, to password-protecting or IP-restricting the admin directory.

Use appropriate file permissions

File permissions tell the server which users may read, write or execute a file or folder. Most FTP programs can set them (try right-clicking the file or folder and choosing file permissions or properties). As a rule, files should be 644 and folders 755. Never set 777 (world-writable) to "make something work": every other account on the server can then modify your files. Files that contain database passwords, such as your script's configuration file, should be as restrictive as your hosting allows (600 where the web server runs your scripts as your own user).
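The two checks above (leftover installers, and files or folders with permissions that are too open) are easy to automate. The script below is an added example, not a tool from the hosting provider: it walks a document root and reports anything matching either problem. The installer and configuration file names are assumptions to extend for your own script, and the demo site it audits is constructed in a temporary directory so it runs offline; point audit_site() at your real document root to use it for real. It assumes PHP runs as your own account user (suPHP or PHP-FPM), so 644/755 suffices everywhere and configs can be 600.

```python
"""Audit a web root for leftover installers and unsafe file permissions.

Added example, not the hosting provider's tool. build_demo_site() makes a
small constructed site tree in a temporary directory so the audit runs
offline; point audit_site() at a real document root to use it for real.
Assumption: PHP runs as your own account user (suPHP or PHP-FPM), so
644/755 is enough for everything and configuration files can be 600.
"""
import os
import stat
import tempfile

# Names installers commonly leave behind (assumption: extend for your script).
INSTALLER_NAMES = {"install", "installer", "install.php", "setup.php"}
# Files holding database credentials; must not be readable by other users.
SENSITIVE_NAMES = {"config.php", "wp-config.php", "configuration.php", ".env"}


def audit_site(root):
    """Return sorted (relative_path, problem) tuples for everything under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # symlinks always report 777; judge the target instead
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if name.lower() in INSTALLER_NAMES:
                findings.append((rel, "leftover installer: delete it"))
            if mode & stat.S_IWOTH:
                fix = "755" if os.path.isdir(path) else "644"
                findings.append((rel, f"world-writable ({mode:04o}): chmod {fix}"))
            if name in SENSITIVE_NAMES and mode & stat.S_IROTH:
                findings.append((rel, f"world-readable config ({mode:04o}): chmod 600"))
    return sorted(findings)


def build_demo_site():
    """Create a constructed document root with typical mistakes; returns its path."""
    root = tempfile.mkdtemp(prefix="site-")
    os.makedirs(os.path.join(root, "install"))  # installer never removed
    os.makedirs(os.path.join(root, "uploads"))
    files = {
        "index.php": 0o644,          # fine
        "wp-config.php": 0o644,      # credentials readable by every account on the box
        "uploads/cache.txt": 0o666,  # world-writable file
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "install"), 0o755)
    os.chmod(os.path.join(root, "uploads"), 0o777)  # the classic "make it work" mistake
    return root


if __name__ == "__main__":
    for rel, problem in audit_site(build_demo_site()):
        print(f"{rel}: {problem}")
```

Run it from a shell on the server (or over SSH) against your document root; each line it prints is one chmod or one deletion to carry out. Symlinks are skipped deliberately, since their own mode is always 777 and only the target's mode matters.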

Maintain strong passwords

Use strong passwords: at least 12 characters, and longer is better. Including symbols and numbers helps, but length does more to defeat brute force and dictionary attacks than symbols do. Use a different, unique password for each of MyAccount, cPanel, your MySQL databases and your email accounts, so that one leaked password does not open the rest. A random password generator (a password manager's built-in one, for example) will produce passwords you never need to remember. Change a password immediately if you think it may have been exposed; rotating on a fixed monthly schedule matters far less than keeping every password long and unique.
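To make the length-versus-symbols point concrete, the following is an added example (not the provider's password generator): it generates passwords from the operating system's cryptographic random source and checks candidates against the rules above. The minimum entropy, minimum distinct-character count and the common-word list are assumptions; the word list in particular is a constructed stand-in for a real dictionary or breached-password list.

```python
"""Password generation and strength checks.

Added example, not the provider's password generator. The common-word list is
a constructed stand-in for a real dictionary or breached-password list.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:;,.?"
MIN_LENGTH = 12   # the article's minimum
MIN_BITS = 60     # assumption: a floor that keeps offline guessing impractical
MIN_DISTINCT = 6  # assumption: rejects "aaaaaaaaaaaa"-style padding
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin", "dragon"}


def generate_password(length=16):
    """Draw each character from the OS CSPRNG via secrets, never random.choice()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def estimate_bits(password):
    """Upper-bound entropy: length * log2(size of the character classes used).

    This rewards length far more than symbols: 16 lowercase letters (~75 bits)
    beat 8 mixed characters (~52 bits). It is an upper bound only; the
    dictionary and distinct-character checks below catch what it misses.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 32  # approximate printable-symbol count
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password):
    """Return (ok, reasons); reasons is empty when the password is acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) < MIN_DISTINCT:
        reasons.append("too few distinct characters")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        reasons.append("contains a common dictionary word")
    bits = estimate_bits(password)
    if bits < MIN_BITS:
        reasons.append(f"only ~{bits:.0f} bits against a brute-force search")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("Password1!", "Tr0ub4dor&3", "aaaaaaaaaaaa", generate_password()):
        ok, reasons = check_password(candidate)
        print(f"{candidate!r}: {'ok' if ok else ', '.join(reasons)}")
```

Note that "Password1!" fails on length and on containing a dictionary word even though it has every character class, while a four-word lowercase passphrase passes comfortably on length alone.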

Keep your own PC up to date and virus free

Make sure you regularly install Windows updates and always leave your firewall on (the built-in Windows firewall is sufficient; ZoneAlarm is an alternative). Run an up-to-date antivirus scanner and use it to scan for spyware periodically. If your computer is infected, the attacker can install a keylogger, which records everything you type, including passwords, and sends it back to them, compromising every account you log in to from that PC.

Don't log into your account at internet cafes or via unsecured WiFi

You do not know what is running on an internet cafe PC, so do not trust it. Even if the cafe owner is honest, someone may have fitted a hardware keylogger between the keyboard and the computer, capturing every password and login you type. Similarly, on an open or unsecured WiFi network anyone nearby can capture your traffic, so anything sent without encryption (plain FTP, for instance) is exposed. If you must connect from such a network, use only encrypted connections such as HTTPS and SFTP.

Containment principle

Our servers are configured so that any damage or hacking activity is contained to the one user account. If you make one of the mistakes listed above and are exploited, only your own account is affected. If that happens, the best and quickest way to recover is to restore from backup.

Restoring from a backup

If your account is compromised, restoring from your last known good backup is the preferred recovery. It replaces every file wholesale, so you do not have to find each file the attacker modified or added by hand. Two things make the restore stick: the backup must predate the compromise (a backdoor captured in a recent backup simply comes back with it), and you must close the hole that was used, by updating the vulnerable script and changing all your passwords, before the site goes live again. Although we keep our own backups of your websites, we urge all customers to make their own periodically. Once your account is restored, apply the tips above to prevent it being compromised again.
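Knowing which backup predates the compromise, and which files the attacker touched, is much easier with a hash manifest of the known-good site. The script below is an added example (not the hosting provider's backup system): it records a SHA-256 per file, then compares a later snapshot against it and lists files that were added, removed or modified. Keep the manifest off the server, since an attacker with write access to the account can edit a manifest stored beside the files. The demo site and the simulated compromise are constructed.

```python
"""Hash manifest for detecting tampered, added or removed site files.

Added example, not the hosting provider's backup system. Generate the manifest
from a known-good copy (your backup) and keep it off the server, since an
attacker with write access to the account can edit a manifest stored beside
the files. The demo site and the "compromise" below are constructed.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file (relative, forward-slash path) under root to its hash."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = hash_file(path)
    return manifest


def compare_manifests(known_good, current):
    """Classify differences between a trusted manifest and the live tree."""
    return {
        "added": sorted(set(current) - set(known_good)),
        "removed": sorted(set(known_good) - set(current)),
        "modified": sorted(p for p in known_good
                           if p in current and known_good[p] != current[p]),
    }


def save_manifest(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def _write(root, rel, text):
    """Helper for the constructed demo: write text to root/rel, creating dirs."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Snapshot a constructed site, simulate a compromise, report the differences."""
    root = tempfile.mkdtemp(prefix="site-")
    _write(root, "index.php", "<?php echo 'hello';\n")
    _write(root, "readme.txt", "constructed placeholder\n")
    _write(root, "inc/config.php", "<?php $db_pass = 'example';\n")
    # "Off-site" location for the manifest: a second temporary directory here.
    manifest_path = os.path.join(tempfile.mkdtemp(prefix="offsite-"), "manifest.json")
    save_manifest(build_manifest(root), manifest_path)

    # Constructed compromise: injected code, a dropped backdoor, a deleted file.
    _write(root, "index.php", "<?php echo 'hello'; /* injected */\n")
    _write(root, "uploads/shell.php", "<?php // constructed backdoor stand-in\n")
    os.remove(os.path.join(root, "readme.txt"))

    return compare_manifests(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run build_manifest() against each backup in turn and compare with the current tree: the newest backup whose comparison shows no unexplained "added" or "modified" entries is the last known good one to restore from.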

Developing applications

If you are developing an application, or customising a ready-made script, you need to be aware of two attack vectors in particular: SQL injection and cross-site scripting (XSS). In both, untrusted input (a form field, a URL parameter, a cookie) ends up interpreted as code: as part of a database query in the first case, as part of the page served to other visitors in the second. The defences are to pass query values as bound parameters rather than building SQL strings, and to encode every piece of output for the context it appears in. A full treatment is beyond the scope of this article, but these are important enough that you should educate yourself about them.
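The following added example shows both attack vectors with the vulnerable pattern beside its hardened form. It is not code from any of the scripts named on this page; the scripts in question are typically PHP, but the two fixes are the same in every language: bind query parameters instead of concatenating them, and encode output for the context it lands in. It uses an in-memory SQLite database constructed with a single user, and keeps unsalted SHA-256 for the stored password only because that is what old scripts hold (a new design should use a per-user salt and a slow KDF such as hashlib.scrypt); that choice is an assumption of the example, not the page's.

```python
"""SQL injection and XSS: the vulnerable pattern beside the hardened one.

Added example, not code from any script the article names. In-memory SQLite
database constructed with one user. Unsalted SHA-256 is kept only because it
is what old scripts store; a new design should use a per-user salt and a slow
KDF such as hashlib.scrypt. The point here is the query, not the hash.
"""
import hashlib
import hmac
import html
import sqlite3


def digest(password):
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed users table with a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", digest("correct horse")))
    return conn


def vulnerable_login(conn, username, password):
    """String-built query, the classic hole: username "admin' --" closes the
    quote and comments out the password check, logging in as admin."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password_hash = '%s'" % (username, digest(password)))
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterised query: the driver sends the value separately from the SQL,
    so quotes in username are data, not syntax. The hash comparison happens in
    code with a constant-time compare."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], digest(password))


def render_comment_vulnerable(text):
    """Untrusted input dropped straight into HTML: a script tag in a comment
    runs in every visitor's browser."""
    return "<p>%s</p>" % text


def render_comment_safe(text):
    """html.escape turns < > & " ' into entities, which is correct for HTML
    body text and quoted attribute values. URL, JavaScript and CSS contexts
    need their own encoders: escape once, at output, for the right context."""
    return "<p>%s</p>" % html.escape(text, quote=True)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected:", vulnerable_login(db, "admin' --", "anything"))
    print("safe, injected:     ", safe_login(db, "admin' --", "anything"))
    print("safe, real password:", safe_login(db, "admin", "correct horse"))
    payload = "<script>alert(1)</script>"
    print(render_comment_vulnerable(payload))
    print(render_comment_safe(payload))
```

The injected username succeeds against vulnerable_login without any password at all, and fails against safe_login because the whole string, quote and comment marker included, is looked up as a literal username that does not exist.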

Glossary

  • Brute force attack: A technique whereby an attacker tries to guess your password by attempting many combinations automatically; against a login form this means thousands of attempts, against a stolen password hash it can mean billions of guesses per second.
  • Dictionary attack: A variation on brute force; the attacker instead tries a list of common words, names and previously leaked passwords, which is why a password made of a dictionary word plus a digit falls quickly.
  • Firewall: A collection of security measures designed to prevent unauthorised access to your files. Firewalls can be hardware devices or software that resides on your PC.
  • Script: A file written in some sort of programming language that, upon execution, runs a series of commands. Examples of complex scripts include shopping carts, forums, blogs and content management systems.
