How can I stop my website being hacked or compromised?
Posted by Helpdesk Admin on 18 August 2009 04:18 PM
On any web hosting system, customers are able to upload their own content. This can include anything from simple HTML files and images, to complex web applications containing components from a number of sources. Because we cannot control the security or quality of scripts & applications uploaded, the customer must naturally assume responsibility for anything they place on our servers.
Having your site hacked or otherwise compromised is not a trivial matter. At the very least it will result in your site being deactivated and archived, so it will be unavailable for a significant period of time. You will also have to expend time & cost in repairing and/or securing your website against repeat compromise. If your site stores personal information about your customers or members etc, there may be data protection implications and possible liability issues. If the compromise includes phishing or fraud perpetrated on others, then this may involve law enforcement agencies, evidence gathering, etc.
There are several broad categories of web application uploaded by customers:
* Simple websites that consist almost entirely of simple HTML files and/or images and do not interact with the user - these are often called brochureware or static websites.
* CMS or eCommerce sites based mainly on well known components or applications written by third parties. This includes sites that use open-source applications like WordPress, Joomla, osCommerce, zenCart, DotNetNuke, etc. as well as commercially licensed applications. These applications often also include modules or plugins developed by others.
* Bespoke sites that are designed by or for the customer (perhaps in house, or by a contracted web developer). They may consist of entirely custom code, or may include components or modules written by others.
Many sites combine a number of approaches: a Joomla site may contain customized templates or modules, and a mostly static site might use WordPress to implement a blog. In general, the more complex your website, the more susceptible it is to compromise, and the more time and effort must be expended on keeping it secure. However, any website can be the subject of attack or compromise in a number of ways:
Even the simplest websites can be compromised or hijacked if the FTP or other access details (such as the hosting control panel login) are compromised. This can happen, for example, if the designer's computer has been infected by malware that steals passwords & other sensitive information, and it is becoming increasingly common. The best defense against this is to change your FTP password after every update to your site, and to ensure that all computers you use are regularly scanned for viruses and other malware using at least two reputable packages. Ensure also that your FTP program does not store its passwords in plain text, and always use complex passwords: a good password will contain uppercase & lowercase letters, numbers and symbols such as !, *, #, $ etc.
Sites based on open-source software (Joomla, osCommerce, etc) are the most commonly attacked. Because the source code for these sites is in the public domain, security holes and vulnerabilities in such applications are found on almost a weekly basis. If you use *any* third party software on your website, you should subscribe to security notification & announcement lists provided by the vendors and ensure that the software is upgraded immediately when new security releases are available. If you are not happy to do this yourself, you should ensure that you have a maintenance contract with a security professional or web designer that has knowledge of such matters. This applies not only to the main software you use (such as Joomla or WordPress) but also any third party plugins, modules etc including site templates.
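One practical way to act on the advice above is to keep an inventory of every third-party component on the site and compare each installed version against the minimum version named in the vendor's security announcements. The script below is an added illustration and is not code from this article or from any of the applications it names. It assumes components carry a WordPress-style header comment with "Plugin Name:" and "Version:" lines; the plugin files and the table of minimum safe versions are constructed sample data, and in real use the table would be filled from the vendors' announcement lists.

```python
import re

# Constructed sample plugin files in the WordPress plugin-header style.
# A real audit would read the main .php file of each directory under the site's plugins folder.
SAMPLE_PLUGIN_FILES = {
    "plugins/contact-form/contact-form.php": """<?php
/*
Plugin Name: Contact Form
Version: 1.4.2
*/
""",
    "plugins/gallery/gallery.php": """<?php
/*
Plugin Name: Gallery
Version: 2.10.1
*/
""",
    "plugins/old-uploader/uploader.php": """<?php
/* Plugin Name: Old Uploader */
""",
    "plugins/seo-helper/seo.php": """<?php
/*
Plugin Name: SEO Helper
Version: 0.9
*/
""",
}

# Constructed table: the lowest version of each component that carries the vendor's security fixes.
# In practice this comes from the vendor's security notification list, not from this script.
MINIMUM_SAFE_VERSIONS = {
    "Contact Form": "1.4.5",
    "Gallery": "2.9.0",
    "Old Uploader": "3.0",
}


def parse_plugin_header(text):
    """Extract the 'Plugin Name' and 'Version' fields from a header comment block."""
    fields = {}
    for line in text.splitlines():
        line = line.strip(" \t*/")  # tolerate '/* ... */' on one line as well as block comments
        for key in ("Plugin Name", "Version"):
            if line.startswith(key + ":") and key not in fields:
                fields[key] = line[len(key) + 1:].strip()
    return fields


def version_tuple(version):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_components(files, minimum_versions):
    """Return a dict of path -> 'ok', 'outdated', 'unknown-version' or 'no-advisory'."""
    report = {}
    for path, text in files.items():
        header = parse_plugin_header(text)
        name = header.get("Plugin Name")
        version = header.get("Version")
        if name not in minimum_versions:
            # Nothing in the table: still needs a manual check against the vendor's list.
            report[path] = "no-advisory"
        elif version is None:
            # Cannot tell whether it is patched; treat as needing attention.
            report[path] = "unknown-version"
        elif version_tuple(version) < version_tuple(minimum_versions[name]):
            report[path] = "outdated"
        else:
            report[path] = "ok"
    return report


if __name__ == "__main__":
    for path, status in audit_components(SAMPLE_PLUGIN_FILES, MINIMUM_SAFE_VERSIONS).items():
        print(f"{status:16} {path}")
```

Anything other than "ok" is a work item: "outdated" means upgrade now, "unknown-version" and "no-advisory" mean somebody has to look the component up by hand. Comparing versions as tuples of integers matters because a plain string comparison would wrongly rank "1.9.0" above "1.10.0".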
Bespoke sites are also not immune from compromise. If you are using third party components such as file uploaders, media managers, guest books, HTML editors etc, you must likewise ensure that they are regularly checked and updated. Bespoke sites are becoming increasingly targeted by sophisticated automated analysis tools that probe for out-of-date or badly secured third party components, and that probe your site's scripts & forms to identify SQL injection points, file disclosures, XSS attacks, poor sanity checking on variables, insecure web-to-mail forms etc.
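Two of the weaknesses listed above, poor sanity checking on form variables (which is what makes a web-to-mail form abusable) and SQL injection, come down to the same habit: user input must be validated and must never be spliced into a mail header or a query as text. The following is an added example, not code from this article or from any named application; it assumes a contact form with "email", "subject" and "message" fields and an SQLite members table, and the sample submissions are constructed. The concatenated query is kept alongside the parameterised one only to show the difference in behaviour.

```python
import re
import sqlite3

# Constructed sample submissions: one normal, one carrying a newline into a mail header,
# one carrying quote characters into a database lookup.
SAMPLE_SUBMISSIONS = [
    {"email": "alice@example.com", "subject": "Hello", "message": "Hi there"},
    {"email": "bob@example.com\r\nBcc: someone@example.net", "subject": "x", "message": "y"},
    {"email": "' OR '1'='1", "subject": "x", "message": "y"},
]

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_mail_fields(fields):
    """Sanity-check a web-to-mail submission. Returns a list of problems; empty means acceptable."""
    problems = []
    for name in ("email", "subject"):
        value = fields.get(name, "")
        # A CR or LF inside a header value lets the sender append extra headers (e.g. Bcc:).
        if "\r" in value or "\n" in value:
            problems.append(f"{name}: newline characters are not allowed in mail headers")
    if not EMAIL_RE.match(fields.get("email", "")):
        problems.append("email: not a valid address")
    if len(fields.get("subject", "")) > 200:
        problems.append("subject: too long")
    if not fields.get("message", "").strip():
        problems.append("message: empty")
    return problems


def setup_db():
    """Constructed in-memory members table for the lookup examples."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    return conn


def lookup_member_unsafe(conn, email):
    """Vulnerable pattern: the submitted value becomes part of the SQL text."""
    return conn.execute("SELECT name FROM members WHERE email = '" + email + "'").fetchall()


def lookup_member(conn, email):
    """Hardened: the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute("SELECT name FROM members WHERE email = ?", (email,)).fetchall()


def process_submission(conn, fields):
    """Validate first; only then touch the database. Returns (accepted, detail)."""
    problems = validate_mail_fields(fields)
    if problems:
        return False, problems
    return True, lookup_member(conn, fields["email"])


if __name__ == "__main__":
    conn = setup_db()
    for fields in SAMPLE_SUBMISSIONS:
        print(process_submission(conn, fields))
    print("unsafe:", lookup_member_unsafe(conn, SAMPLE_SUBMISSIONS[2]["email"]))
```

The rejection happens before any mail is built or any query runs, and the error list is what a form handler should log: a submission with a newline in the address field is not a typo, it is exactly the kind of probe the paragraph above describes, and a run of them is worth an alert.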
Cybercrime is big business and every compromised website or machine is worth money to the criminals. This means that they are expending massive resources on developing ever more sophisticated tools to probe & compromise your website in order to use it to relay spam, probe other machines, defraud other people, or become part of an army of compromised machines that can be used to attack large businesses or sometimes even whole countries.
The days of designing a site (or hiring somebody to do it for you) and then simply forgetting about it are long since gone. If you did not design your own site, then you need to ensure you have an active maintenance contract with a developer who is familiar with your application and is versed in security practices to ensure your site is regularly checked and updated. If you design and maintain your own site, then you should regularly audit your code and components for security weaknesses and best practice.
Vulnerabilities on Your Computer
Make sure the computers you use are free of spyware, malware, and virus infections. If the security of the computer you're using to update your website is compromised in any way, then this can be used as a route to compromising your website in turn. Usernames and passwords could be detected, as could FTP details for your web site.
A high quality anti-virus software and personal firewall are an absolute necessity and must be kept up to date. In addition, you must always keep your operating system and any other software you use, especially your web browser, up to date to protect you from security vulnerabilities.
As your hosting provider, we will make sure that the machines hosting your website are well maintained and kept up-to-date with current updates and security patches. We will also take all possible steps to ensure your website is isolated from all other sites that we host, so that one compromised site cannot affect another.
However, the bottom line is that you are responsible for the security of any applications or content uploaded to your website. This is not a responsibility you should take lightly.
The following article may also be useful: What happens if my website is hacked?