We consider it of utmost importance that your website is kept safe
and secure from hackers. Although we employ a range of measures to keep
our web servers secure, individual customer accounts can still be
exposed and maliciously hacked. The following strategies should be
considered as precautions against hacker activity.
Keep your scripts up to date
This is an extremely important measure – make sure you keep abreast
of the latest updates to any scripts you run, especially if they are
popular and widely used (for example, Joomla, Mambo, WordPress,
vBulletin, as well as any shopping carts, forum software, etc.). Once a
vulnerability is exploited it spreads like wildfire through the
internet. Most scripts cannot auto-update themselves so you will have to
do this manually. If you are using any third party software you will
need to check the vendor’s website for the current version and download
the upgrade package with instructions. Before upgrading your third party
software, ensure you make a copy of your current web files and
database. Some scripts may have an RSS feed or newsletter you can
subscribe to if you want to be informed about the latest updates. This
applies equally to any third party modules and plugins you may use.
Remove the install folder/script
Often when installing a script, the script will leave behind a
configuration or installation script. Most of the time you will be
instructed to delete that script once you are finished installing your
software. We advise you do this, as otherwise someone else can simply
run the script again and gain access to your installation.
Obfuscate your admin area
Hackers will scan and probe directories, using automated scripts,
looking for tell-tale files like login.php, adminlogin.php, and so
forth. If possible, rename that file to something nonsensical
(mypetdogrover.php for example). By doing this, you are denying the
hackers another technique in their arsenal.
Use appropriate file permissions
File permissions are used by the server to determine who can read, write
or execute a file or folder. Grant write access only where a script
genuinely needs it; everything else should be read-only for anyone other
than you. Most FTP programs can set file permissions (try right-clicking
the file/folder and then clicking File Permissions or Properties).
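As an added example that is not from the original page, the following POSIX shell script audits a hosting web root for the two issues covered above: leftover installer scripts (the "Remove the install folder/script" tip) and files or folders that are writable by everyone. The installer file names it searches for and the 755/644 permission baseline are assumptions, not something the page specifies.

```shell
#!/bin/sh
# Added example (not from the original page): audit a web root for
# world-writable files/folders and leftover installer scripts, then apply
# a conservative permission baseline. Assumptions: POSIX sh with find,
# chmod and mktemp; installer names are common conventions, not a complete
# list; 755/644 is a typical single-account baseline and may differ from
# your host's own recommendation.

# Print every file or directory under $1 that is writable by "other".
find_world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) -print | sort
}

# Print installer leftovers under $1 (case-insensitive name match).
find_installer_leftovers() {
    find "$1" \( -iname 'install' -o -iname 'installer' -o -iname 'install.php' \
        -o -iname 'setup.php' -o -iname 'install.sql' \) -print | sort
}

# Directories 755, files 644: owner may write, everyone else read-only.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample web root: a WordPress-like tree with a world-writable
# uploads folder, a world-writable install.php and an install/ directory.
make_sample_webroot() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/install"
    echo '<?php' > "$root/index.php"
    echo '<?php' > "$root/install/index.php"
    echo '<?php' > "$root/install.php"
    chmod 777 "$root/wp-content/uploads"
    chmod 666 "$root/install.php"
    printf '%s\n' "$root"
}

main() {
    root=$(make_sample_webroot)
    echo "== world-writable =="; find_world_writable "$root"
    echo "== installer leftovers (delete these) =="; find_installer_leftovers "$root"
    fix_permissions "$root"
    echo "== world-writable after fix =="; find_world_writable "$root"
    rm -rf "$root"
}

main "$@"
```

Point the functions at your own document root instead of the constructed sample to run the same checks on a real account; review the installer list before deleting anything.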
Maintain strong passwords
Make sure you use strong passwords (at least 12 characters, with
symbols and numbers where possible). This mitigates the possibility of a
brute force and dictionary attack. Use different and unique passwords
for your MyAccount, cPanel, MySQL databases and email accounts. If you
need some secure passwords, try the random password generator
here. It’s also good practice to change your passwords every month to maintain the security of your accounts.
Keep your own PC up to date and virus free
Make sure you regularly check for Windows updates and always leave
your firewall on (either the Windows firewall or ZoneAlarm should do).
Also, make sure you are running an up-to-date virus scanner and that you
use it to scan for spyware periodically. If your computer does get
infected, hackers can potentially install a keylogger on your PC.
Keyloggers record everything you type and send it back to the hacker,
thereby compromising all your secure accounts.
Don’t log into your account at internet cafes or via unsecured Wi-Fi
It goes without saying that you don’t know what is on the internet
cafe PC, and therefore shouldn’t trust it. Even if the internet cafe
owner is legitimate, someone may have installed a hardware dongle
keylogger on the keyboard itself, capturing all your passwords and login
details. Similarly, if you use a public Wi-Fi hotspot, someone might be
‘listening in’ and intercepting your details.
Containment principle
Our servers are set up in a way that contains any damage or hacking
activity to just the one user account. Therefore, if you make any
mistakes as listed above and you are exploited, only your user account
will be affected. If you are affected however, the best and quickest way
to recover is to restore from backup.
Restoring from a backup
If your account is compromised, restoring from your last known good
backup is preferred. Using this method you can be sure that none of your
files have been tampered with or modified. Although we keep our own
backups of your websites, we urge all our customers to periodically make
their own backup. Once your account is restored, you can then use the tips
above to prevent it from being compromised again.
Developing applications
If you are developing an application, or are customising a ready-made
script, you need to be aware of these two types of attack vector:
SQL injection and
Cross-site scripting (XSS).
These attack vectors are well beyond the scope of this article, but they
are important enough that you should educate yourself about them.