Server and website compromises have always been a source of trouble for web hosts and their clients alike. Hosts have strict security policies and a wide range of measures at their disposal: hardened kernels, firewall rules and many other system-level controls. Webmasters are in a weaker position, since they often lack the technical background to put security measures in place themselves.
Even when the server itself is well secured, users tend to assume that their account is secured as well. That is not the case. A hosting account gives you a separate environment in which you install software, run scripts and apply settings of your own, and every one of those actions can lower the security of the account.
Besides a targeted attack that exploits a vulnerability in that software, an attacker may simply steal your password or guess it by brute force. Brute-force protection is generally enabled on servers, but nothing stops an attacker from spreading the attempts across many source IPs through proxies, so rate limiting by IP is not a complete defence on its own.
Below are some of the tips on how to avoid such issues:
Safe and Strong Password
When talking about passwords, there are two key rules to note:
1) the password should be strong and
2) the password should be kept safe.
Once your provider creates an account for you, you receive an email with your account username and password. Email is not a secure channel (the message may cross the network unencrypted, and it stays in your mailbox indefinitely), so change this password as soon as possible. Whether you use a password generator or make one up yourself, it should be at least 8 characters long (longer is better; length does more for strength than complexity) and mix digits with upper- and lowercase letters.
Special characters are recommended too, but verify that the password actually works, since some panels and clients handle them badly. The same rules apply to every other credential under your account: FTP and email accounts, databases, script administration logins and so on.
Once you have a password such as P@S$w0Rd (note that this kind of leet-speak substitution of a dictionary word is well covered by cracking wordlists, so a randomly generated password is stronger), do not store it anywhere except a trusted password manager or browser extension. Do not share it with others. If a third party needs access, create a separate FTP account with limited scope; if control-panel access is unavoidable, change the password as soon as the job is done. When contacting your hosting provider's support via live chat, make sure the page is served over TLS (the address starts with https://) before you provide any account details.
Local Computer and Website Content Virus Check
Password safety depends heavily on how well defended the computer that stores it is. Viruses and other malware can steal saved passwords from your browser or FTP client. Always run antivirus software and keep it up to date, and use a firewall as well.
Website content needs the same care. Check it for viruses and malicious code (typically added to pages after a successful break-in, or already present in files obtained from third-party sources), so that both you and your visitors stay safe. If you are hosted on a Linux server, download the content and scan it on your local machine: almost all malware targets Windows, and server-side scanners on Linux do not always catch it. If the scan finds anything, do not upload that content back until the affected files have been removed or replaced.
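Beyond a desktop antivirus, a practical check on downloaded site content is to grep it for the constructs that injected code almost always uses and legitimate site code almost never does. The script below is an added example, not part of the original post: it assumes a POSIX shell with find and grep -E, the sample files are constructed, and the patterns are common indicators rather than a complete signature set.

```shell
#!/bin/sh
# Heuristic scan of downloaded site content for code that is typically
# injected after a compromise. Added example, not from the original post.
# Assumes a POSIX shell with find and grep -E. The patterns are common
# indicators, not a complete signature set: a hit needs manual review and
# a clean result does not prove the site is clean.

# List files in DIR that match any indicator pattern:
#  - obfuscated or remote-controlled PHP execution: eval/assert/
#    create_function fed from base64/gzip decoders or request parameters
#  - hidden iframes, the classic drive-by download injection
scan_content() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' -o -name '*.js' \) \
        -exec grep -lE \
            -e '(eval|assert|create_function)[[:space:]]*\([[:space:]]*(\$_(GET|POST|REQUEST|COOKIE)|base64_decode|gzinflate|gzuncompress|str_rot13)' \
            -e '<iframe[^>]*(display:[[:space:]]*none|visibility:[[:space:]]*hidden)' \
            {} + | sort
}

# Number of flagged files (0 means no indicator matched).
count_hits() {
    scan_content "$1" | wc -l | tr -d ' '
}

# Demo on a constructed directory standing in for downloaded site content.
demo=$(mktemp -d)
printf '%s\n' '<?php echo "hello"; ?>' > "$demo/clean.php"
printf '%s\n' "<?php eval(base64_decode('aGVsbG8=')); ?>" > "$demo/injected.php"
printf '%s\n' '<iframe src="http://example.invalid/x" style="display:none"></iframe>' > "$demo/footer.html"
echo "flagged files:"
scan_content "$demo"
rm -rf "$demo"
```

Run it against the downloaded copy, not the live site, and read every flagged file by hand: a plugin that legitimately decodes base64 will show up too, which is why the script lists files instead of deleting them.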
Update Website Software and Scripts
Your antivirus is not the only software that needs updating. Follow the updates released by the developers of the scripts you run: known vulnerabilities in web scripts are one of the most frequent causes of website hacks, and attackers start exploiting a published flaw soon after the patch appears. Updating cannot protect you from true zero-day attacks (flaws that have no patch yet), but it closes the far larger window of known, published ones. Patches, add-ons and updated configuration files should be downloaded and applied as soon as possible.
If you no longer use one of your websites but have not removed it, the script you installed there is still reachable from the web. Either keep updating it anyway or, better, password-protect that directory through the control panel or remove it altogether. This matters because breaking into a single abandoned script typically gives the attacker the whole account.
Check The Permissions
Password protection is important, but if a page is meant to be public and still secure, file permissions matter as well. This mostly concerns Linux hosts, where permissions are set by hand. On Linux/Unix every file and directory carries permission bits for User (owner), Group and World (everyone else), each controlling Read, Write and Execute access.
The recommended mode for directories is 755: the owner can read, write and enter (execute) them, while the group and everyone else can only read and enter. Files should be 644: the owner can read and write, and the group and world have read-only access. Never set 777 or 666 just to make a script work: a world-writable file can be modified by any other user or process on the server, which on a shared host includes other customers' compromised scripts. Some scripts do ask for looser permissions; since that is not always safe, consult your host's technical support first.
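The following script puts the 755/644 baseline into practice: it lists every path that deviates from it, resets the tree, and shows the result on a constructed directory. It is an added example, not code from the original post; it assumes a POSIX shell with find, chmod and mktemp, and the public_html layout is hypothetical.

```shell
#!/bin/sh
# Audit and reset web-root permissions to the 755/644 baseline described
# above. Added example, not from the original post. Assumes a POSIX shell
# with find, chmod and mktemp; the public_html layout is hypothetical.

# Print every path whose mode differs from the baseline, prefixed with its
# type. 777/666 (world-writable) are the dangerous cases; 700/600 are the
# "too tight" cases where a web server running as another user cannot read.
audit_perms() {
    find "$1" -type d ! -perm 755 -print | sed 's/^/dir:  /'
    find "$1" -type f ! -perm 644 -print | sed 's/^/file: /'
}

# Number of paths that deviate from the baseline (0 means clean).
count_bad_perms() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Reset the whole tree. A script that genuinely needs a writable upload
# directory should get a narrow exception after this, never a blanket 777.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed demo tree standing in for a hosting account's public_html,
# with the three mistakes the audit is meant to catch.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/uploads"
    printf '<?php echo 1; ?>\n' > "$root/public_html/index.php"
    printf 'x' > "$root/public_html/uploads/avatar.png"
    chmod 777 "$root/public_html/uploads"            # "make the upload form work"
    chmod 666 "$root/public_html/index.php"          # script anyone on the box can edit
    chmod 600 "$root/public_html/uploads/avatar.png" # web server cannot serve it
    printf '%s\n' "$root"
}

# Demo run: audit, fix, audit again.
demo=$(make_demo_tree)
echo "before:"
audit_perms "$demo/public_html"
fix_perms "$demo/public_html"
echo "after: $(count_bad_perms "$demo/public_html") deviations"
rm -rf "$demo"
```

On a real account, run audit_perms first and read the list before calling fix_perms: a directory that is deliberately writable for uploads will be reset too, and you will want to re-apply that exception (as narrowly as possible) afterwards.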
Backup Your Account
Unfortunately, any security measure, however strict, can fail. In that case a backup is the last resort. Hosting providers do create backups, but you should make and download your own as well: if you discover a hack late, the provider's backup may already contain the compromised site. Schedule weekly backups in your control panel (or another interval matching how often your site changes), download the backup files to your computer, and keep several generations so that you can reach back to a point before the compromise instead of facing a painful manual restoration.
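For the "make and download your own" part, here is a small cron-friendly backup routine as an added example, not code from the original post. It assumes a POSIX shell with tar, gzip and sha256sum (or shasum); the source and destination paths are hypothetical and the demo tree is constructed. The point it adds to the paragraph is the checksum: a backup you cannot verify before a restore is not much better than none.

```shell
#!/bin/sh
# Dated, checksummed backup of a hosting account's web root, suitable for a
# weekly cron job. Added example, not from the original post. Assumes a POSIX
# shell with tar, gzip and sha256sum (or shasum); SRC/DEST paths are
# hypothetical. Copy both the archive and its .sha256 off the server.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# backup_site SRC DEST: write DEST/site-YYYY-MM-DD.tar.gz and a .sha256
# beside it, and print the archive path. Paths inside the archive are
# relative to SRC's parent, so a restore cannot overwrite unrelated
# absolute paths.
backup_site() {
    src=$1; dest=$2
    archive="$dest/site-$(date +%Y-%m-%d).tar.gz"
    mkdir -p "$dest"
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    hash_file "$archive" > "$archive.sha256"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE: succeed only if the recorded checksum matches and
# the tarball lists cleanly. Run this on the downloaded copy, before you
# need it, so a truncated or tampered backup is found early.
verify_backup() {
    [ "$(hash_file "$1")" = "$(cat "$1.sha256")" ] || return 1
    tar -tzf "$1" >/dev/null 2>&1
}

# Demo on a constructed tree standing in for public_html.
demo=$(mktemp -d)
mkdir -p "$demo/public_html/css"
printf '<?php echo "hi"; ?>\n' > "$demo/public_html/index.php"
printf 'body {}\n' > "$demo/public_html/css/main.css"
archive=$(backup_site "$demo/public_html" "$demo/backups")
if verify_backup "$archive"; then
    echo "backup OK: $archive"
    echo "contents:"; tar -tzf "$archive"
fi
rm -rf "$demo"
```

Database content is not covered here; dump it separately (mysqldump or the panel's export) into the same dated directory before archiving, and keep the downloaded copies for at least a few weeks so that a compromise noticed late still has an older clean generation to fall back on.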
The Bottom Line
Many users consider hacking a nightmare that can hardly be escaped. It is not so, and the tips above show why. These ways of improving website and account security protect you from many kinds of attacks. Understand, however, that almost all of them must be applied continuously rather than once; but once you start, you will be in a much better position.
I actually like your post. I found it really useful. I have to visit your web site again some day.
Another not so obvious one is to escape any user input you may have on your site, that includes contact forms.
Hi Tequila, thank you.
Follow me on Twitter to find more useful articles and posts.
Hey, Jamies!
You are right, third-party users’ input should be minimized. However, if a contact form is essential for your business, it is sometimes hard to pick an alternative.
For instance, some website owners put a “mailto:” tag on their e-mail address, but not everyone has their mail clients configured, as a lot of people check their mail online.
What’s up! Love your blog.
Good. I will be careful. What’s up!
You did hard work on your site.
You missed out on plugins to add security, which can be done if one is using the WordPress platform. Otherwise a very nice, detailed post.