Secure Your Website From Hackers

Updated: January 14, 2013

You can go to great lengths in order to secure your website from being hacked, but by taking a few measures you will prevent almost all hacking attempts on your website from being successful. If you have already been hacked, the website needs to be properly cleaned in addition to taking the measures to prevent it from being hacked again.

Secure Your Computers

Many hacks come from hackers obtaining FTP access to websites through malware on computers that have been used to access the website via FTP. It is important to make sure that all the software on those computers is kept up to date. The way that malware generally gets onto machines is through security vulnerabilities in software that is reachable through your web browser, including things like Adobe Reader and QuickTime. Google's Chrome web browser, starting with version 10, automatically checks for outdated versions of that type of software running on your computer. You can also use Mozilla's Plugin Checker to check the current status of that type of software. For Windows users, the Secunia Personal Software Inspector will also check for outdated software. You should also run a good anti-virus program on those machines.

We would also recommend using a web browser that uses data from Google's Safe Browsing system, which will stop the web browser from accessing content on a website Google has detected malware on. Currently Mozilla's Firefox, Google's Chrome, and Apple's Safari use this data.

By limiting which IP addresses can access your website via FTP, you greatly reduce the possibility that a hacker could use the FTP credentials if they were ever compromised. Support for and configuration of this feature vary between web hosts, so you should contact your web host for details on setting it up.

Update Software

Outdated versions of web software, like WordPress, Drupal, and Joomla, frequently contain security vulnerabilities that have been patched in subsequent versions. Keeping all the software running on a website updated, including add-ons, ensures that these cannot be exploited by a hacker. If software is no longer being used, it should be removed. The following links explain how to check if you are running the latest version of Drupal, Joomla, MediaWiki, and WordPress. You can also use our Up to Date? Chrome app to keep track of the versions of software running on your websites.

Unfortunately, not all software with security vulnerabilities gets fixed, so keeping software up to date will not always protect against known vulnerabilities if the software is no longer supported. For WordPress, you can use our plugin No Longer in Directory to find out if you are using plugins that have been removed from the plugin directory; in some cases it will also provide details of the security vulnerabilities. Drupal provides warnings about vulnerable software through its update mechanism. For other software, check how it warns about these situations so you can protect yourself.

SQL Injections

If you have custom-written code on your website that accesses a SQL database, the website is potentially vulnerable to a SQL injection hack. All input data needs to be properly sanitized to prevent SQL injections. The developer of the code should be able to tell you if this is done by the code, or a developer familiar with developing web code should be able to review the code for this issue. This is especially important if you have an ASP-based website.
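The following is an added example (not code from the original article) showing the injection pattern described above beside a parameterized query that is not affected. It uses an in-memory SQLite database with a constructed users table, so it runs offline; the table name, column names and the account in it are all assumptions made for the example.

```python
"""Added example: a login query built by string concatenation (vulnerable)
next to the same query using bound parameters (safe), run against a
constructed in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a single account with a made-up password.
    The password is stored in the clear only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'placeholder-secret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Pastes the visitor's input straight into the SQL text, so a quote
    character in the input changes the structure of the query."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Passes the values as bound parameters; the database treats them as
    data only, so malformed input simply fails to match any row."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Runs both versions against the same constructed inputs and reports
    whether each one granted access."""
    conn = make_db()
    # Constructed test input: a quote followed by a condition that is always true.
    bad_input = "' OR '1'='1"
    return {
        "correct_password_safe": login_safe(conn, "admin", "placeholder-secret"),
        "bad_input_vulnerable": login_vulnerable(conn, "admin", bad_input),
        "bad_input_safe": login_safe(conn, "admin", bad_input),
    }


if __name__ == "__main__":
    print(demo())
```

When reviewing custom code, the thing to look for is the first pattern: any query whose text is assembled from request data rather than passed through placeholders.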

Use a Secure Web Host

There have been a number of major hacks caused by the negligence of web hosts in properly securing their systems. Unfortunately there is no way for you to fully review their security. What you can do is find out from them whether they are taking the basic precautions that hosting providers who have been hacked in the past had not taken:

Ask them if they store users' passwords in plaintext on their systems; they shouldn't.
Ask them if they have access controls in place to prevent other users from accessing your website's files (no matter the file permissions); they should.
Ask them if they keep the software on their servers updated; they should (you can also check yourself whether your current host is running current versions of important software).
Ask them what their policy is on updating outdated software.

We also are compiling a list of web hosting providers we have found to have security issues.

Don't Use Weak Passwords

In a still small number of instances, hackers try to gain access to the backend of your website by attempting to log in with common passwords (things like password, admin, 123456, or abc123). This is referred to as a dictionary attack, and you can prevent it by not using common words or keyboard patterns as passwords.
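As an added example (not from the original article), here is a registration-time check that rejects the kinds of passwords named above: entries from a common-password list and keyboard or alphabetical sequences. The word list is a small constructed placeholder; a real deployment would load a large published list, and the minimum length and run length are assumptions chosen for the example.

```python
"""Added example: reject common passwords and keyboard/sequential patterns
before they are accepted for a website's backend login."""

# Constructed placeholder list; real deployments use a much larger one.
COMMON_PASSWORDS = {"password", "admin", "123456", "abc123", "qwerty", "letmein"}
# Keyboard rows (US layout) plus the digit row, checked in both directions.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
MIN_LENGTH = 12  # assumed policy value


def _has_run(candidate: str, sequence: str, run: int) -> bool:
    """True if `run` consecutive characters of `candidate` appear as a
    contiguous substring of `sequence`, forwards or backwards."""
    for i in range(len(candidate) - run + 1):
        chunk = candidate[i:i + run]
        if chunk in sequence or chunk in sequence[::-1]:
            return True
    return False


def password_problems(pw: str, run: int = 4) -> list:
    """Returns a list of reasons the password should be rejected; an empty
    list means it passed every check."""
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if _has_run(lowered, ALPHABET, run):
        problems.append("contains an alphabetical sequence")
    for row in KEYBOARD_ROWS:
        if _has_run(lowered, row, run):
            problems.append("contains a keyboard-row pattern (%s)" % row[:run])
            break
    if len(set(lowered)) <= 2:
        problems.append("uses too few distinct characters")
    return problems


if __name__ == "__main__":
    for sample in ["password", "qwertyuiop12", "correct horse battery"]:
        print(repr(sample), "->", password_problems(sample) or "ok")
```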

Backup

While it won't stop your website from being hacked, making frequent backups will make it easier to restore your website if it has been hacked. You need to make sure to back up both the files and any databases. If you store a backup that has never been on the server, you can ensure that you will have a completely clean copy of the website. It is also important that you test your backups to make sure they will work if you ever need to use them.
