Every day hundreds of websites are hacked, and most of their owners have no
idea why. A hacked website is a stressful and expensive experience.
Repairing the damaged files and hoping it doesn't happen again is not
enough. There are other steps you can take, and in this article we look at
the proactive measures that make your website much harder to compromise.
So let's assume the probability of your site being attacked is high, and walk
through the steps you can take to reduce that risk and limit the damage if an
attack does succeed.
Local machine scan for malware:
If you don't have a decent anti-virus/anti-malware product installed on the
desktop you manage the site from, make an informed purchase by discussing your
specific needs with several vendors. A compromised desktop is a common way
for saved FTP and control panel passwords to be stolen. Ensure the product is
set to scan your machine automatically each day, and that it fetches new virus
and malware definitions from the vendor at least weekly (daily is better, and
most products do this automatically).
Rotate FTP passwords:
File Transfer Protocol (FTP) gives full access to your files on the server,
and plain FTP sends your username and password across the network in
cleartext, so use SFTP or FTPS instead wherever your host supports them. Like
all passwords, FTP credentials should not be set and then forgotten; they
should be changed regularly. We recommend monthly if you use FTP often; if you
use it rarely, a longer interval is acceptable, provided the password is strong
and unique to this account. If you have never changed it, change it now!
Rotate Database passwords:
Your database password is what allows your website to reach its database.
It's not as critical as rotating your application's admin password or your
FTP details, since the database is normally reachable only from the web
server, but it is still part of a well-managed password policy. We recommend
changing it every two months, adjusting up or down to suit your circumstances.
Remember that the application's configuration file stores this password too
(for example WordPress keeps it in wp-config.php), so update both at the same
time or the site will lose its database connection.
Remove access details from developers after job completion:
Why leave a developer with full access to your site once the work is
complete? Hand access details out strictly on a need-to-use basis, give each
developer their own account rather than sharing yours, and remove or rotate
the credentials as soon as the job is done.
Rotate console passwords:
This is a very easy step. Simply reset your hosting control panel password on
the same schedule as your FTP password.
Backup of web files and databases:
Backups don't have to happen every day, but for a busy site weekly backups
should be part of your strategy. For sites that are static and change very
rarely, monthly backups are more appropriate. Whatever schedule you follow,
keep at least one copy somewhere other than the web server itself (an attacker
who controls the server can delete backups stored on it) and test that you can
actually restore from it. Then, if bad things happen, you will at least have a
copy of your site and can re-publish quickly, without the hassle and at no
extra charge.
Review core site scripts for available patches and updates:
– Review any installed add-on modules for available patches.
– Review any installed templates or themes for available patches.
Review site logs, scan for high traffic volumes from a single IP:
Let's say your admin area is at the address http://www.test.com/admin. If
your raw server logs show large numbers of requests to that path, especially
from a single IP address, it is safe to assume that someone is trying, or has
tried, to do bad things, typically guessing the admin password. Repeated
requests to the login page from one address in a short time are the clearest
sign.
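As an added example (not part of the original article), the script below does the log check described above: it parses access log lines in the common Apache/nginx "combined" format, counts requests under the admin path per client IP, and flags any address that exceeds a threshold. The sample log lines are constructed for the example, the `/admin` prefix matches the article's hypothetical site, and the threshold of 5 is an illustrative figure; on a real site, pick a threshold from what your own logs show for a normal day.

```python
import re
from collections import defaultdict

# Pattern for the Apache/nginx "combined" access log format. Assumption: your
# host writes this widely used format; adjust the pattern if yours differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines, not real traffic. 203.0.113.7 hammers the
# admin login and is refused each time; 198.51.100.2 is the site owner.
SAMPLE_LOG = """\
198.51.100.2 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /admin/login HTTP/1.1" 401 312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /admin/login HTTP/1.1" 401 312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /admin/login HTTP/1.1" 401 312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "POST /admin/login HTTP/1.1" 401 312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "POST /admin/login HTTP/1.1" 401 312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "POST /admin/login HTTP/1.1" 401 312 "-" "python-requests/2.31"
198.51.100.2 - - [10/Oct/2023:14:02:10 +0000] "GET /admin/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
this line is garbage the parser must skip
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def admin_activity(log_text, admin_prefix="/admin"):
    """Per client IP, count requests under admin_prefix and how many were refused (401/403)."""
    stats = defaultdict(lambda: {"hits": 0, "denied": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(admin_prefix):
            continue
        entry = stats[rec["ip"]]
        entry["hits"] += 1
        if rec["status"] in ("401", "403"):
            entry["denied"] += 1
    return dict(stats)


def flag_suspicious(log_text, admin_prefix="/admin", threshold=5):
    """(ip, hits, denied) for every IP with at least `threshold` admin requests, busiest first."""
    stats = admin_activity(log_text, admin_prefix)
    flagged = [(ip, s["hits"], s["denied"])
               for ip, s in stats.items() if s["hits"] >= threshold]
    flagged.sort(key=lambda t: t[1], reverse=True)
    return flagged


if __name__ == "__main__":
    # Run against a real file with: flag_suspicious(open("access.log").read())
    for ip, hits, denied in flag_suspicious(SAMPLE_LOG):
        print(f"{ip}: {hits} admin requests, {denied} refused")
```

The owner's single visit to /admin/ stays below the threshold, while the scripted login attempts from 203.0.113.7 are reported; the refused count is a useful second signal, since a legitimate user rarely racks up many 401s in a row.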
Review all file permissions on the server:
Unix file permissions confuse even very technical people, so we won't try to
explain them in detail in the context of this guide.