No one likes to be inconvenienced by website security issues. They eat away at productivity, patience, and profit. In part one of this 2-part series, we'll look at 5 common issues that can make your website susceptible to attack. In part two, we'll look at the negative effects of not maintaining a secure site, and how you can protect your site going forward.
1. Lack of communication:
It's imperative for both website owners/admins and web designers/developers to understand the basics of what powers a website: which software packages are used to run it. If the site relies on a content management system, bulletin board, e-commerce package, or ad server system, that must be communicated between the two parties so that someone is responsible for maintaining each of them. Handing over basic information like this puts the onus of keeping all these pieces of software current, patched and updated on the owner/admin.
Without this basic information, owners/admins can be left clueless as to what is outdated, which can lead to costly security issues.
Helpful Hint: If your website runs a blog powered by WordPress, check whether your theme or plugins use a third-party script called "timthumb". Themes bundle it to resize images on the fly. To find out whether you are running an outdated, vulnerable version, install the Timthumb Vulnerability Scanner plugin, available from the WordPress plugin site. Once installed, navigate to Tools -> Timthumb Scanner. The scan lists every copy it finds and highlights the fixes that are needed; click the "Fix" buttons to apply them. This scanner looks for copies of timthumb older than version 2.0. Note that it only finds copies in the locations it knows about; a copy renamed or bundled under another name by a theme will not show up.
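As an added example that is not part of the original post or of the Timthumb Scanner plugin, the following shell script does the same inventory from a shell on the hosting account, which also covers sites where you cannot install a WordPress plugin: it lists every timthumb.php under the web root with the version it declares, flags copies older than 2.0, and reports the WordPress core version from wp-includes/version.php. The sample web root it builds under a temporary directory is constructed for the demo; the two file formats it parses (a `define ('VERSION', '...')` line in timthumb.php and the `$wp_version = '...'` line in wp-includes/version.php) are the real ones, but a theme can rename the script, so a clean report is a starting point, not proof.

```shell
#!/bin/bash
# Added example (not the original post's code): inventory the software behind
# a web root.  ./inventory.sh /path/to/public_html
# With no argument it builds a constructed sample web root and scans that.

# Print the version declared in a timthumb.php copy, e.g. "2.8.14".
# timthumb declares it as:  define ('VERSION', '2.8.14');
timthumb_version() {
    grep "define *( *'VERSION'" "$1" | head -n 1 | cut -d "'" -f 4
}

# List every timthumb.php under WEBROOT as "path<TAB>version<TAB>status".
# Copies with a major version below 2 predate the 2.0 rewrite and are OUTDATED.
scan_timthumb() {
    find "$1" -type f -name 'timthumb.php' 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r f; do
        ver=$(timthumb_version "$f")
        if [ -z "$ver" ]; then
            status=UNKNOWN            # no VERSION define: inspect by hand
        elif [ "${ver%%.*}" -lt 2 ]; then
            status=OUTDATED
        else
            status=ok
        fi
        printf '%s\t%s\t%s\n' "$f" "${ver:-?}" "$status"
    done
}

# Print the WordPress core version, or "not-installed".
# wp-includes/version.php contains a line like:  $wp_version = '3.2.1';
wordpress_version() {
    f="$1/wp-includes/version.php"
    if [ -f "$f" ]; then
        grep '^\$wp_version *=' "$f" | head -n 1 | cut -d "'" -f 2
    else
        echo not-installed
    fi
}

# Constructed sample web root for the demo: one old and one current timthumb
# copy plus a WordPress core marker. Prints the directory it created.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" \
             "$root/wp-content/themes/old-theme" \
             "$root/wp-content/themes/new-theme/scripts"
    printf '%s\n' '<?php' "\$wp_version = '3.2.1';" > "$root/wp-includes/version.php"
    printf '%s\n' '<?php' "define ('VERSION', '1.34');" \
        > "$root/wp-content/themes/old-theme/timthumb.php"
    printf '%s\n' '<?php' "define ('VERSION', '2.8.14');" \
        > "$root/wp-content/themes/new-theme/scripts/timthumb.php"
    echo "$root"
}

case "$1" in
    "") webroot=$(make_sample_webroot) ;;   # demo mode
    *)  webroot=$1 ;;
esac
echo "WordPress core: $(wordpress_version "$webroot")"
echo "timthumb copies (path, version, status):"
scan_timthumb "$webroot"
```

Run it with the path to your public_html as the argument. Add the same kind of fingerprint for any other package you learn is installed (a forum, a shopping cart, an ad server), and you have a version inventory you can re-run each week when checking for updates.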
2. Lack of maintenance processes:
In many cases, website owners have no formal maintenance and review process for the sites they run. Here is a list of maintenance procedures owners should follow religiously in order to stave off attacks.
a. Change FTP, control-panel and admin passwords every 60 days, and immediately if a PC that has used them may be infected.
b. Scan the computers used to upload files to the hosting account every day with up-to-date anti-virus software; an occasional on-demand scan with a second product catches some of what the first misses.
c. Check for updates to the software powering your website every 7 days.
d. Run a web-malware detection scan on your website every day.
e. Check your search-engine ranking; a sudden drop can mean search engines have flagged your site.
f. Check the reputation of your website on the different blacklists to detect whether it is being used by spammers, phishers, or malware distributors.
g. Check your .htaccess files every 7 days for redirects or rewrite rules you did not add.
Helpful hint: Avira, Avast and ClamAV all have free editions; set one up on the PC you manage the site from to scan every night, and use the others for occasional on-demand scans (two resident anti-virus products running at the same time tend to conflict). This reduces the chance of malware on your PC stealing the username and password that grant administrative rights to your website, which is how malicious code typically ends up injected into a site.
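Items d and g above (daily malware scan, weekly .htaccess review) are much easier to do reliably when you have a known-good baseline to compare against. As an added example that is not part of the original post, the shell script below records a SHA-256 manifest of a web root and later reports files that were added, changed or removed, which is how injected .htaccess redirects and dropped PHP files usually show up. The sample site and the tampering applied to it are constructed for the demo. Keep the baseline file somewhere the hosting account cannot write (your own PC, or a separate account): an attacker who can edit .htaccess can also edit a baseline stored next to it. Regenerate the baseline only after you have reviewed and deployed legitimate changes yourself.

```shell
#!/bin/bash
# Added example (not the original post's code): baseline-and-compare file
# integrity check for a web root.
#   ./integrity.sh baseline /path/to/public_html baseline.txt
#   ./integrity.sh check    /path/to/public_html baseline.txt
# With no arguments it runs a constructed demo end to end.

# SHA-256 of one file; sha256sum on Linux, shasum on macOS/BSD.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Manifest of WEBROOT: one "relative/path<TAB>sha256" line per regular file,
# sorted so two manifests can be compared entry by entry.
manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s\t%s\n' "${f#./}" "$(hash_file "$f")"
      done )
}

# Write the baseline manifest for WEBROOT to the file BASELINE.
make_baseline() {
    manifest "$1" > "$2"
}

# Compare WEBROOT against BASELINE; print "ADDED path", "CHANGED path" or
# "REMOVED path" lines, sorted. Prints nothing when everything matches.
check_baseline() {
    manifest "$1" | awk -F '\t' -v base="$2" '
        BEGIN { while ((getline line < base) > 0) { split(line, p, "\t"); old[p[1]] = p[2] } }
        {
            seen[$1] = 1
            if (!($1 in old))        print "ADDED " $1
            else if (old[$1] != $2)  print "CHANGED " $1
        }
        END { for (f in old) if (!(f in seen)) print "REMOVED " f }
    ' | LC_ALL=C sort
}

# Constructed demo site: a minimal WordPress-style root.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf '%s\n' 'RewriteEngine On' 'RewriteRule ^about$ about.php [L]' > "$root/.htaccess"
    printf '%s\n' '<?php echo "hello";' > "$root/index.php"
    printf '%s\n' 'User-agent: *' > "$root/robots.txt"
    echo "$root"
}

# Constructed tampering in the shape of a typical compromise: a referrer-based
# redirect appended to .htaccess, a PHP file dropped into uploads/, and a
# file deleted.
tamper_sample_site() {
    printf '%s\n' 'RewriteCond %{HTTP_REFERER} google' \
                  'RewriteRule .* http://attacker.example/ [R,L]' >> "$1/.htaccess"
    printf '%s\n' '<?php // constructed dropped file' > "$1/wp-content/uploads/x.php"
    rm "$1/robots.txt"
}

case "$1" in
    baseline) make_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
    *)  site=$(make_sample_site); base=$(mktemp)
        make_baseline "$site" "$base"
        echo "after baseline: $(check_baseline "$site" "$base" | wc -l | tr -d ' ') differences"
        tamper_sample_site "$site"
        echo "after tampering:"; check_baseline "$site" "$base"
        rm -rf "$site" "$base" ;;
esac
```

Run `baseline` right after you have verified the site is clean, then schedule `check` daily; any CHANGED .htaccess or ADDED .php file under uploads/ that you did not put there deserves immediate attention.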
3. Vulnerabilities in website software:
Insecure web applications often let attackers break in and inject malware into websites. If you are running outdated versions of popular software, you are putting your website at risk. If you use well-known software such as WordPress, Typo3, or vBulletin, the developers release patches and updates on a regular basis, but they only help once you apply them, and users of less popular or abandoned packages are not so lucky, since a fix may never come. Vulnerability scans are an effective way to identify issues before they are exploited.
Helpful Hint: Free tools such as XSS Me and SQL Inject Me (Firefox add-ons) help test whether your website has the most common web application vulnerabilities, cross-site scripting and SQL injection, in its forms and URL parameters.
4. Vulnerabilities in server software:
Server software is the software running on the actual machine that hosts your website: the operating system, web server, FTP server, database and mail system. On a shared server, your host takes care of securing the server for you, but on a VPS, cloud instance, or dedicated server, some of the security measures fall to you, and it's important that you are aware of server security practices.
A prime example is the FTP server you log in to when updating/uploading pages in your hosting account: a vulnerable FTP server can let an attacker break into a website, as can misconfigurations on the part of the web host. Hosting companies also often pre-install default packages as a convenience to their customers, such as Mailman mailing-list scripts. These help with setting up email-related functionality, but they are one more piece of software that can have security issues.
It's essential to find out what default packages (if any) are installed on your hosting account, and whether they are up to date. If you are not using these packages, remove them. If they cannot be removed, make sure you understand who is in charge of keeping them up to date.
Helpful Hint: Log into your hosting control panel to see whether Mailman scripts are enabled, and to find the version of your FTP server. A tutorial on using FTP from a Windows machine can be found at http://www.textheavy.com/tutorials/winftp.html
5. Insecure website access:
Weak, easy-to-guess passwords and plain FTP uploads of website files are two primary causes of website compromise. Here are some basic steps you can follow to bolster security:
a. Avoid plain FTP for uploading website files to your hosting account. FTP sends the username and password unencrypted, so they can be captured by anyone on the network path and by trojans/viruses on the PC the owner connects from; such malware also harvests credentials saved in FTP clients. Once it detects a successful FTP login, the username, password and server address are sent to a botnet, which proceeds to log in and pump malware into the hosting account. Infecting hosting accounts via stolen FTP credentials is quite common and hard to detect, since in the logs it looks as if a legitimate user has logged in and is uploading/modifying files.
b. Do not store your FTP credentials in your FTP client. Instead of FTP, use SFTP or SCP, which run over SSH and encrypt both the login and the file contents in transit.
c. Use passwords of 10 to 12 characters or more that mix numbers, upper- and lower-case letters and special symbols.
d. Make sure file permissions are set appropriately. A mode of 777 grants read, write and execute access to everyone, including other accounts on a shared server; this is highly undesirable. Set most files to 644 and directories to 755, unless your host documents a different requirement.
Helpful Hint: WinSCP is a free Windows client that supports SFTP and SCP; use it instead of a plain FTP client to connect to your hosting account and transfer/update files.
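Step d is easy to check and fix from a shell on the hosting account. As an added example that is not taken from the original post, the script below lists every file and directory under a web root that is writable by everyone (the "other" write bit that 777 and 666 set) and, when asked, resets files to 644 and directories to 755. The sample tree is constructed for the demo. One caveat before running the fix for real: on hosts where PHP runs as a different user than your FTP/SSH account, some directories (uploads, caches) may genuinely need group or world write, so run the audit first, review the list, apply the fix, and then confirm that uploads and caching still work.

```shell
#!/bin/bash
# Added example (not the original post's code): find and fix world-writable
# files in a web root.
#   ./perms.sh audit /path/to/public_html
#   ./perms.sh fix   /path/to/public_html
# With no arguments it runs a constructed demo end to end.

# List world-writable files and directories under WEBROOT, one per line,
# prefixed "f " or "d". -perm -002 matches anything with the "other" write bit
# set (777, 666, 757 ...), which is what lets every account on a shared host,
# or a compromised web process, overwrite your content.
audit_perms() {
    {
        find "$1" -type f -perm -002 | sed 's/^/f /'
        find "$1" -type d -perm -002 | sed 's/^/d /'
    } | LC_ALL=C sort
}

# Number of world-writable entries under WEBROOT (0 when clean).
count_world_writable() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Reset world-writable files to 644 and directories to 755, the defaults the
# post recommends. Prints one "fixed" line per change.
fix_perms() {
    audit_perms "$1" | while read -r kind path; do
        case "$kind" in
            f) chmod 644 "$path" ;;
            d) chmod 755 "$path" ;;
        esac
        echo "fixed $kind $path"
    done
}

# Constructed sample web root: two files and one directory left world-writable,
# one file already correct.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/themes/t"
    echo '<?php' > "$root/index.php"
    echo '<?php' > "$root/wp-content/themes/t/functions.php"
    echo 'x' > "$root/wp-content/uploads/a.jpg"
    chmod 777 "$root/index.php"                          # the classic mistake
    chmod 777 "$root/wp-content/uploads"                 # world-writable directory
    chmod 666 "$root/wp-content/uploads/a.jpg"           # world-writable upload
    chmod 644 "$root/wp-content/themes/t/functions.php"  # already correct
    echo "$root"
}

case "$1" in
    audit) audit_perms "$2" ;;
    fix)   fix_perms "$2" ;;
    *)  root=$(make_sample_webroot)
        echo "before: $(count_world_writable "$root") world-writable"
        audit_perms "$root"
        fix_perms "$root"
        echo "after: $(count_world_writable "$root") world-writable"
        rm -rf "$root" ;;
esac
```

Running `audit` weekly alongside the .htaccess check is a cheap way to notice when an installer, a plugin or a well-meaning colleague has loosened permissions again.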
Join us for part 2, where we’ll discuss the negative consequences of not maintaining a secure site, and offer solutions to help protect you from security threats.
This blog post has been brought to you by StopTheHacker, a leading provider of anti web-malware scanning technology that helps website owners detect and recover from malware attacks.