How to keep your site safe

-> HobbyMan on June 20 2011
Any website, no matter what software it's running on, is vulnerable if certain elementary steps are not taken and carried through. A couple of high-profile websites have been attacked recently and in some cases a serious amount of data was stolen. While some attacks use SQL injection and other back-end black magic against insecure code, it has also been revealed that something as simple as a weak password can allow blackhat hackers to gain full access to your site and its content.

In the geek world there is a certain snobbery about whether groups like "Anonymous" or "Lulzsec" are "black hats" or "skiddies". To the average web user they're hackers and this is the term I'm going to use.

So, with this in mind, I've put together a few simple steps to help ensure your site remains safe and out of the reach of hackers. Unless you are a fully fledged developer, there's nothing you can do about vulnerable code. In general such flaws are quite rare; your site is far more likely to be infiltrated because of human failings than because of technology.

  • Upgrade
    By the very nature of the open source world code updates will be routinely released. While most may be for functional or cosmetic reasons, some will be for security purposes. Therefore, it is vital that you routinely check for new releases and keep your site current.

  • Don't modify core files
    There are several downsides to modifying core files. From a security standpoint, any modification could cause problems with other seemingly unrelated parts of your site. It is strongly recommended that you refrain from doing so unless you absolutely know what you're doing and it is unavoidable.
    Another reason (and an important one, at that) is that it dramatically increases the complexity of updating your site. This is quite often the sole reason that site administrators do not update their sites, which can leave loopholes for others to exploit. Code exploits are published by many sites and, besides being a warning to site owners, they also notify the hackers of these vulnerabilities.
    It also makes it much harder for support staff to help you sort out any faults or errors that crop up.

  • Use a good Captcha
    Choose a good captcha for publicly accessible forms on your site. Don't leave it to chance, search online in tech blogs for reviews of the many captchas (some good, some very bad) that are out there.

  • Addons
    Only use addons on your site that were either approved by your site software creator or by a developer with a proven track record in secure code. All the security measures on your site can be nullified by one unsafe addon. As always, Google is your friend.

  • Administrator Rights
    Be very careful which sections you allow your administrators to have access to. You may feel that they would be insulted if some had greater access than others. Most, if not all, will understand if it is explained that every administrator only has access to the sections they need to carry out their role.

  • Passwords
    A strong password is a bit like a fire extinguisher: some don't think about getting one until after they've had a fire. Make sure you choose a non-dictionary password containing numbers and/or random characters. You should also change your password and those of your administrators on a regular basis and instruct them to use as strong a password as possible. You should never use the same password for different sites, as once a hacker gains access to one of your sites it's relatively easy for him/her to find and break into other sites that you own or run. To make it easier for you to manage multiple passwords, there are free encrypted password managers available like KeePass, which in conjunction with the KeeFox addon for Firefox is a very effective way of securing your passwords.

  • Admin Area
    You can add another layer of protection for your administration section by using the protected folder facility in your server control panel. It's available in cPanel and, as far as I know, is available in one form or another from most hosts. So, even if an intruder gets hold of an administrator's password, they will be unable to gain access to the administration area without the correct logins for the folder as well.
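    Here is essentially what that protected folder amounts to on an Apache host, as an added example that is not part of the original post: a script that writes the `.htaccess` for the admin directory, adds a login to a password file kept outside the web root, and checks the result. It assumes Apache honours `.htaccess` for the site (AllowOverride AuthConfig) and that `openssl` is installed; the directory and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: put a password prompt in
# front of the admin directory, which is essentially what the cPanel
# "protected folder" feature does behind the scenes on Apache hosts.
# Assumptions: Apache honours .htaccess (AllowOverride AuthConfig) and
# the password file lives OUTSIDE the web root so it cannot be fetched.
set -eu

# write_htaccess ADMIN_DIR HTPASSWD_FILE
# Requires a valid login from HTPASSWD_FILE for everything under ADMIN_DIR.
write_htaccess() {
    admin_dir=$1
    passwd_file=$2
    cat > "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "Administration area"
AuthUserFile $passwd_file
Require valid-user
EOF
}

# add_admin_user HTPASSWD_FILE USER PASSWORD
# Stores an apr1 (Apache MD5) hash produced by openssl, so the plain
# password is never written to disk; owner read/write, group read only.
add_admin_user() {
    passwd_file=$1
    user=$2
    hash=$(printf '%s\n' "$3" | openssl passwd -apr1 -stdin)
    printf '%s:%s\n' "$user" "$hash" >> "$passwd_file"
    chmod 640 "$passwd_file"
}

# check_protected ADMIN_DIR
# Succeeds only if the auth directives are present and the password file
# is not inside the directory it protects (where a visitor could fetch it).
check_protected() {
    admin_dir=$1
    ht="$admin_dir/.htaccess"
    [ -f "$ht" ] || return 1
    grep -q '^AuthType Basic' "$ht" || return 1
    grep -q '^Require valid-user' "$ht" || return 1
    passwd_file=$(sed -n 's/^AuthUserFile //p' "$ht")
    [ -n "$passwd_file" ] || return 1
    case "$passwd_file" in
        "$admin_dir"/*) return 1 ;;
    esac
    return 0
}
```

    Typical use is `write_htaccess /home/site/public_html/admin /home/site/.htpasswd` followed by `add_admin_user /home/site/.htpasswd alice 'secret'`, then `check_protected /home/site/public_html/admin` to confirm the setup.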

  • Database Backups
    This is not a security measure in itself but, if your site should get seriously damaged by an attack and you cannot be 100% certain you have removed the attacker's changes, you may need to "roll back" the database to a previously backed-up copy. Time and time again we hear of site owners asking for help in this situation, and they are forced to admit that their backup is either weeks or months out of date or that they haven't ever done one! Regularly backing up your database makes all the difference between simply restoring a recent copy and having to tediously search your database for malicious entries, which depending on its size could take a very long time and may not be fully successful.

    Suggested backup intervals:

    1. Membership > 100 - Once a month

    2. Membership > 500 - Once a fortnight

    3. Membership > 1000 - Once a week

    4. Membership < 1000 - Twice a week

    5. Membership < 5000 - Daily
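    A backup script with rotation and a staleness check, added here as an example and not part of the original post, to be run from cron at whatever interval the table suggests. It assumes a MySQL database, `mysqldump` with the login kept in `~/.my.cnf`, and a backup directory outside the web root; the database and directory names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a database backup with
# rotation and a staleness check, to be run from cron at the interval the
# table above suggests. Assumptions: MySQL, mysqldump installed with the
# login in ~/.my.cnf (no password on the command line), and BACKUP_DIR
# outside the web root and readable only by the site owner.
set -eu

# dump_database DB_NAME BACKUP_DIR
# Writes a gzipped, timestamped dump; --single-transaction lets the site
# keep serving while the copy is taken. Prints the path of the new file.
dump_database() {
    db=$1
    dir=$2
    tmp="$dir/$db-$(date +%Y%m%d-%H%M%S).sql"
    umask 077                           # new dump is owner-readable only
    mysqldump --single-transaction --routines "$db" > "$tmp"  # set -e aborts on failure
    gzip "$tmp"                         # replaces $tmp with $tmp.gz
    echo "$tmp.gz"
}

# prune_backups BACKUP_DIR KEEP_DAYS
# Removes dumps older than KEEP_DAYS and prints how many were removed.
prune_backups() {
    dir=$1
    keep=$2
    count=$(find "$dir" -name '*.sql.gz' -mtime +"$keep" | wc -l | tr -d ' ')
    find "$dir" -name '*.sql.gz' -mtime +"$keep" -exec rm -f {} +
    echo "$count"
}

# check_backup_fresh BACKUP_DIR MAX_DAYS
# Succeeds if at least one dump is newer than MAX_DAYS; wire it to cron
# mail or monitoring so a backup job that silently dies gets noticed.
check_backup_fresh() {
    dir=$1
    max=$2
    find "$dir" -name '*.sql.gz' -mtime -"$max" | grep -q .
}
```

    A daily crontab entry such as `0 3 * * * /home/site/backup.sh` would call `dump_database sitedb /home/site/backups`, then `prune_backups /home/site/backups 30`, and a separate check could run `check_backup_fresh /home/site/backups 2` to alert when no recent dump exists.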

  • Bots
    Bots, or spambots, are a very annoying menace for site administrators. Most of them are benign in that their sole goal is to post links somewhere on your site to increase page rankings for the bot controller's clients. Using a good captcha will go a long way towards keeping them out. There are also independent services available like Akismet which can help keep them out. You can, of course, blacklist their IP addresses, but this is generally regarded as not very satisfactory for keeping bots out, because of the almost unlimited supply of IP addresses they can avail of.

  • SEO Software
    There is software available for owners of "pay-sites" with little or no conscience which, for a fee, will automatically send out bots creating accounts and backlinks on thousands of sites. This software runs 24/7 and the people who use it don't care about the mayhem it causes for site owners; their only wish is to increase their page rankings in the hope of generating sales, in a relentless pursuit of SEO. Hard as it is to understand, software such as this is perfectly legal and there is very little defence against it.

Following these simple ideas will go a great way towards keeping your site safe and secure. There are no 100% guarantees, but the key is to make it as difficult as possible for hackers and bots to gain access.