Anytime I hear a customer say, “I went online and read that your hosting servers are hacked” and I think a little misinformation on any subject matter can be very dangerous in the wrong hands, especially when found online. In actuality the percentage of websites, compared to total customer base, is less than 7%. There are several reasons website hacking happens and very rarely is it because a server itself is “hacked” or compromised. This post is about educating yourself and taking simple and easy steps to prevent and protect your website(s) from being compromised.
Benjamin Franklin said it best, “An ounce of prevention is worth a pound of cure.” Here is a list of action items and why:
1. Do your own site-backups regularly!
This doesn’t prevent your site from actually being compromised, but it does prevent that hack from causing massive damage. If you can simply re-upload your site pre-hack, with all of your current files, then you probably will not experience the downtime and annoyance associated with restoring a compromised site.
Of course, most hosting companies already perform courtesy site back-ups and provide free site-restoration if your site has indeed been “hacked” or compromised in any way. However, their back-ups may not include recent updates, and may also be a back-up of a compromised version of your site, so it is always safest to also have your own.
2. Change and strengthen your passwords.
You will want to scan all local machines that have access to upload to your sites for virus’. The reason for doing this is that your FTP account info can be compromised through something hackers practice called keylogging: http://en.wikipedia.org/wiki/Keystroke_logging If you do not currently have an anti-virus program I would suggest Avast. You can download it here: http://www.avast.com Also, keep in mind one software package doesn’t completely protect your computer. You also might want to look into: http://www.malwarebytes.org
Worried about keylogging? Even if you have chosen an extremely secure password, keylogging can track it. Here are some things that may prevent malicious keylogging efforts from impacting you:
- A good, updated anti-virus program will be able to detect many keyloggers and prevent them from collecting sensitive information
- Automatic form-filler programs can prevent some keylogging attempts by bypassing the use of your keyboard altogether. That being said, make sure your auto-fill program (whether you use a browser-based one or a separate “password safe” such as KeePass) is password protected.
- Use anti-keylogging software
- Enabling and properly configuring your firewall may prevent transmission of your passwords/sensitive material over the internet to those with malicious intent
After scanning your computer and taking care of any issues that are found you will want to change your FTP passwords. Please make them as secure as possible by using both letters (upper and lower case) and numbers (in non-sequential order). This is an early step in both preventing site hacks in the first place and keeping your restored site safe. Your FTP password should be changed immediately.
Some things to consider when choosing a password:
- Combine letters and numbers, lowercase and uppercase letters
- The longer your password is, the more difficult your password will be to “crack”
- Use a password generator
Check your password strength:
*You should also strongly consider changing your password for the control panel… …and yes people on Macs can have viruses on their computers. I am on a Mac and use iAntivirus. Another program friends on Macs have suggested and like ClamXav.
3. Make sure your software and scripts are up-to-date.
You should evaluate any code or script you put onto your website that you did not write yourself before uploading it to your site. Free scripts are sometimes made without security in mind. Free themes and templates can be coded in such a way that compromise the security of your site and make it an easy target for exploitation by hackers.
You will also want to make sure that you are using the latest versions of any 3rd party applications (eg – WordPress, Joomla, Drupal, OSCommerce, ZenCart, VBulletin, etc.) that you have installed. The script-provider will usually keep their latest version on the homepage of their website for download and easy upgrade. If you have an application installed that you are not using, please remove it or at least set permissions so that is it only accessible by owner and not by group or other.
The two things you want to when first installing any of 3rd party application; 1) As a good rule of thumb is never use the default database table prefix (eg – WordPress uses a default database table prefix of wp_ . This in not going to effect how the script writers intended the application to function. 2) Never use the default username “admin”. It gives the person(s) wanting to cause harm to your website(s) half of the answer to the puzzle to the backend of your website. When you are done with the installation create a new user other than admin that has administrator rights and delete the default user. It should also be common sense to follow the included documentation for specific security settings because some 3rd party software (eg- Joomla) require the installation folder to be removed/deleted.
If you are unsure about the code or script you are inserting into your site, it may be beneficial to only use high-quality (this often means paid-for) software, hiring a security-minded coder/developer or by using an automated method like Firewall Script.
4. Check site permissions.
No file or folder should have read, write and execute access for Other. The most common permissions are set up as read, write and execute for Owner and Read and execute for group and other. You may also not need the execute permission on files for other. Please make sure of this. To see permissions settings click the folder to the left of a folder name and on the right hand side it will come up with the permissions.
5. Protect your administration folder with .htaccess.
Cyber security agencies report that the statistics show the more security measures a website owner has in place the quicker the hacker will move on to a website that has less measures in place. They are looking for the low hanging fruit and anything that takes more than 15 minutes is time spent not making money elsewhere. By protecting your a 3rd party script administration folder you are putting a second lock on the door. All hosting providers have .htaccess protection wizards that you can use to protect the administrator folder or a specific folder of your choosing.
6. Perform a traffic inspection.
It is important that you analyze the kind of traffic you are receiving. If all of a sudden your site receives far more traffic than normal (and you havent implemented any marketing campaigns), check the incoming IPs: their location and their visiting frequency.
You should also check your own page rankings. If your site starts ranking for sex-terms, pharmaceuticals and gambling, your site has likely been compromised and you should contact us for further assistance.
7. Create FTP Allow/Deny Rules.
If all else fails you can create rules to prevent anybody from accessing your website(s) by limiting the IP address or Dynamic IP range that can connect via your hosting account’s FTP connection. The only caveat is that if you on your website(s) from multiple locations or have a webmaster at a different location is that the IP address or dynamic range does not match the rules it will not let you in. The good thing is it won’t let the people trying to attack your website(s) do any damage either. Click here to see how to create FTP Allow/Deny rules.
8. More Information.
Your best weapon against malware and hacking is information! Here are some links to get you started learning more:
If your website has been compromised and you have contacted your hosting company to investigate the issue and they have deemed your website(s) clean you can resubmit your website to Google for website reconsideration (if Google has flagged your site(s) by clicking on this link: http://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=35843
If you are interested in finding the most comprehensive article on preventing and repairing a compromised website please feel free to check out this link: http://25yearsofprogramming.com/blog/20070705.htm
If you are interesting in learning more feel free to contact us to see how we can help your business.