Website Security, Part 1 – Preventing A Hack
It’s a fact – hackers are out there, and they’re trying to get into your website by means that are growing increasingly harder to stop. For example, the recent “Gumblar” virus exploited vulnerabilities in popular software like Adobe’s ubiquitous Acrobat Reader and Flash Player. By finding weaknesses in these programs, as well as popular FTP clients like Dreamweaver, the hackers were able to inject malicious code in personal computers and servers alike.
The purpose? To inject hidden backlinks into websites, in order to affect search results for spamming purposes. Basically, infected computers and servers become “zombies,” spamming websites with hidden links to manipulate search results for queries like “generic Cialis.” This resulted in sites getting flagged by Google, through no fault of the webmasters.
The “Gumblar” attacks were quite sophisticated and widespread, and in fact are still going on – but you don’t have to become a victim. In the first of a three-part series on website security, we’ll look at the best ways to protect your website from a hacker’s attack.
1. Keep Your OS and Applications Up To Date
Hackers work fast – so fast, in fact, that they can find vulnerabilities shortly after new versions of programs come out. That’s no reason to give them a head start by using the “three-updates-ago” version of Firefox. The companies that make your OS, browser, antivirus, and anti-spyware software work hard to fix vulnerabilities as they’re discovered. The least you can do is install those fixes and give yourself a chance at keeping your site secure. Also, it’s never a bad idea to use a browser-based scanning tool like Secunia.
2. Use Strong, Unique Passwords
If the news of personal data being accidentally (or otherwise) leaked online teaches us nothing else, at least we know not to use “password” or “123456” as our password for everything. Make your passwords complicated and unique, and change them from time to time, and you’ll be less likely to be victimized online. Use Strong Password Generator to create a new one or test the strength of your existing one at Password Meter. Also, it’s best to use completely different usernames and passwords for every part of your site, including cPanel, FTP, and email.
3. Keep Your Web Applications Current
The makers of popular open-source CMS platforms like Joomla, Drupal, and WordPress are extremely conscious of the security concerns of their users, and thus regularly release updates, upgrades, and new versions of their programs. It’s always wise to have the latest version of any of these platforms, as they tend to have the fixes you need to keep your site secure. Watch for news of new versions, and when they come out, go get them and put them to work. And, if you’re lucky, some helpful soul will write articles pointing out the latest and greatest in security updates for WordPress.
4. Check Your File Permissions
It’s a common enough mistake – you’re working on the back end of your site, and in order to do something you want, you need to change the file permissions. When you finish, you’re so excited to see the latest changes you’ve made that you forget to change them back. That’s a big mistake – make sure that your file permissions are changed from the completely open “777” to the more restricted “755” (for folders) or “644” (for files). Some helpful info on file permissions can be found at Linux Forums.
5. Use suPHP For Added Security
Ensure your web host runs suPHP. Without suPHP, PHP scripts will run as the user “nobody,” meaning they have system-level access. suPHP restricts PHP scripts to run as the actual user of the account. This means access is inherently limited – no explicit permission for a user means no access. With suPHP, scripts will not run if their file permissions are set to 777 or 666, so make sure your scripts are set to 755 or 644. You can learn more about this handy module at the suPHP home page.
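A quick check for items 4 and 5, as an added example that is not part of the original article: a POSIX shell script that lists everything under a web root that is writable by group or others (this catches the 777 and 666 modes suPHP rejects) and resets directories to 755 and files to 644. The web-root argument and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): audit a web root for the
# "777" mistake and reset modes to 755 (directories) / 644 (files).
# Assumption: the web root is passed as the first argument.

# List every directory or regular file under $1 that is writable by group
# or others. 666 and 777 are both caught, as are 664/775 variants.
list_loose_perms() {
    find "$1" \( -type d -o -type f \) \( -perm -020 -o -perm -002 \) -print
}

# Number of loose entries, for a quick pass/fail check (0 means clean).
count_loose_perms() {
    list_loose_perms "$1" | wc -l | tr -d ' '
}

# Reset directories to 755 and regular files to 644, touching only entries
# that are actually too open, so a script already at 755 keeps its mode.
fix_perms() {
    root="$1"
    if [ ! -d "$root" ]; then
        echo "fix_perms: not a directory: $root" >&2
        return 1
    fi
    find "$root" -type d \( -perm -020 -o -perm -002 \) -exec chmod 755 {} +
    find "$root" -type f \( -perm -020 -o -perm -002 \) -exec chmod 644 {} +
}

# Command-line use: report what is too open, fix it, then re-count.
if [ "$#" -gt 0 ]; then
    echo "Entries writable by group/others under $1:"
    list_loose_perms "$1"
    fix_perms "$1"
    echo "Remaining: $(count_loose_perms "$1")"
fi
```

Run it once without fixing (call list_loose_perms alone) to see what would change before letting fix_perms touch a live site.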
6. Try FTPS For Transfers
For real security during FTP, you might want to consider using FTPS, which means your site’s FTP processes are done using SSL, or Secure Sockets Layer (now also called TLS, or Transport Layer Security). In this process, the entire FTP session is encrypted via your shared or dedicated SSL certificate.
Following the above steps can save you all sorts of future headaches, but no site is 100% secure. You’ll want to stay tuned for Part Two of our three-part series on website security, where we’ll examine how you can know for sure if your website is unwittingly doing some hacker’s bidding.
What tools do you use to keep your website secure?