How do I minimise risk of Hacking

bsugar

Member
Hi All, :dizzy:

I just recently sorted out some web space for my website and from hearing many horror stories on how hackers maliciously take down or vandalize Web sites randomly for the purpose of having fun, paranoia has set in and I am concerned for my own Website. I know many of you members have personal or business Web sites out there, and what I would really like to learn is what are the necessary steps and methods that I personally can take to prevent my Web site from being intruded upon by hackers? All recommendations or suggestions are appreciated. :icon_confused:
 
I wouldn't worry about it too much. There are probably millions of sites out there that are a juicier target than your site.

But if you want to be safer, here's a few things I thought up off the top of my head.

Use a strong password for any login areas.
Don't install scripts, plugins or themes from unverified sources.
Ensure your CMS, PHP, etc is up to date (likely your hosting provider's responsibility too).
Host your site with a trusted and reliable source.
Ensure you have a back up of your files, database and anything else just in case something does happen.
 
That is all great advice. To add;

If you use a CMS then read up on 'hardening' it prior to launch
If you use cPanel then FFS disable the generic/root FTP account. We have been caught like that. In fact use SFTP if possible as most attacks actually come from a lack of FTP security knowledge.
 
Thanks Paul Murray and Corrosive,

I just want to start off taking proper precautions. My hosting provider says they take all relevant precautions at their end but that I need to use strong passwords and protect my scripts. Stronger passwords are used on the site but I am sure a lot more can be done. Closing unused ports, setting up a custom error page, protecting the URL query string, ensuring I have backups, and protecting the FTP account (as stated by Corrosive). I'm new to web design so all this advice resembles another language to me. I only have a little CSS and HTML skills. Do I need to take on the services of a web developer and if so do you know of any?

Thanking you guys again :icon_hug:
 
Do I need to take on the services of a web developer and if so do you know of any?

Corrosive is one of the guys to speak to regarding web stuff around here. It's probably not a big concern though to be honest, the internet and web standards have improved dramatically since the early days of the net (probably driven by the internet now being used much more for business). Everything tends to be quite secure 'out of the box' nowadays.

One other tip. Any directory you have on your hosting account should have a file called index.html inside it. This prevents people being able to see a list of the files in that directory (which could be a security hole) as any file named index.html in a directory is opened automatically when that directory is accessed. Without the index file, Apache simply lists the contents as hyperlinks, like this: Index of /portfolioimgs

If you're using a CMS though, chances are this will be addressed already, but if you create your own directory, it's something to bear in mind.
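As an added example (not code from the thread), the following POSIX shell script audits a web root for the problem just described: it prints every directory that has no index file and that no `.htaccess` has protected with Apache's `Options -Indexes` directive, then turns listing off for the whole tree in one go. It assumes Apache with `AllowOverride` permitting `Options` in `.htaccess`, that `index.php` is in `DirectoryIndex` (usual on PHP hosting), and the demo tree it builds is constructed:

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a web root the way the
# post above describes: any directory without an index file is one Apache
# may list, unless an .htaccess in that directory or a parent switches
# listing off with "Options -Indexes". Assumes Apache honours Options in
# .htaccess (AllowOverride); the demo tree below is constructed.

# Return 0 if listing is switched off for directory $1 by an .htaccess
# between $1 and the web root $2 (the closest directory wins, as in Apache).
indexes_disabled_for() {
    idx_dir=$1
    while :; do
        if [ -f "$idx_dir/.htaccess" ]; then
            if grep -Eq 'Options[^#]*-Indexes' "$idx_dir/.htaccess"; then
                return 0
            fi
            if grep -Eq 'Options[^#]*[[:space:]+]Indexes' "$idx_dir/.htaccess"; then
                return 1    # a deeper .htaccess re-enabled listing
            fi
        fi
        if [ "$idx_dir" = "$2" ] || [ "$idx_dir" = "/" ]; then
            return 1
        fi
        idx_dir=$(dirname "$idx_dir")
    done
}

# Print every directory under web root $1 that Apache could list:
# no index.html/index.php and no -Indexes directive covering it.
find_listable_dirs() {
    find "$1" -type d | while IFS= read -r d; do
        [ -f "$d/index.html" ] && continue
        [ -f "$d/index.php" ] && continue
        indexes_disabled_for "$d" "$1" && continue
        printf '%s\n' "$d"
    done
}

count_listable_dirs() {
    find_listable_dirs "$1" | wc -l | tr -d ' '
}

# One directive at the web root covers every subdirectory, so you do not
# have to drop an empty index.html into each one.
disable_indexes() {
    printf 'Options -Indexes\n' >> "$1/.htaccess"
}

# Constructed demo tree: only the root has an index file, so the other four
# directories are listable until the .htaccess is added.
demo_listing_audit() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/portfolioimgs" "$demo_root/css" "$demo_root/uploads/2012"
    : > "$demo_root/index.html"
    : > "$demo_root/portfolioimgs/photo.jpg"
    before=$(count_listable_dirs "$demo_root")
    disable_indexes "$demo_root"
    after=$(count_listable_dirs "$demo_root")
    rm -rf "$demo_root"
    printf '%s %s\n' "$before" "$after"    # 4 0
}

demo_listing_audit
```

Run `find_listable_dirs ~/public_html` against a real site to see what a visitor could browse today; the per-directory walk matters because a deeper `.htaccess` with `Options +Indexes` silently re-enables listing below it.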
 
The biggest single cause of site hackings is idiots setting a permission of 777 on a directory which gives read, write and execute access to all users. This typically happens on upload or media directories.

Actually I just made that up about it being the biggest single cause but it wouldn't surprise me :)

In a nutshell it gives everyone else who has an account on the server permission to write to your files - if you are using a shared server then this can be a real possibility. In fact they don't even have to have an account but they can just exploit vulnerabilities of the ftp server, an SSH server, email server etc and then use that to write to your files. Once one site on a server is compromised then all the other sites with 777 permissions on their directories become immediately open to attack.
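An added example (not the poster's code) of the check a shared-hosting user would run after reading this: a POSIX shell script that lists everything under a web root with the "other" write bit set (the 777/666 case) and resets directories to 755 and files to 644. The demo tree is constructed; point it at your own `public_html`.

```shell
#!/bin/sh
# Added example, not code from the thread: find the world-writable (777-style)
# directories and files the post warns about and reset them to the usual
# shared-hosting modes, 755 for directories and 644 for files. The demo
# tree below is constructed.

# Print everything under $1 whose mode grants write to "other" (the 002 bit),
# i.e. to every other account on a shared server.
find_world_writable() {
    find "$1" -perm -002 -print
}

count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Strip the "other" write bit. If a script genuinely has to write somewhere
# (an uploads directory), give that one directory to the web server's user
# or group instead of opening it to every account on the box.
fix_world_writable() {
    find "$1" -type d -perm -002 -exec chmod 755 {} +
    find "$1" -type f -perm -002 -exec chmod 644 {} +
}

# Constructed demo: an uploads directory and a file inside it set the way
# a "just make it 777" tutorial leaves them, next to a correctly set css dir.
demo_permission_audit() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/uploads" "$demo_root/css"
    : > "$demo_root/uploads/avatar.png"
    : > "$demo_root/css/style.css"
    chmod 777 "$demo_root/uploads"
    chmod 666 "$demo_root/uploads/avatar.png"
    chmod 755 "$demo_root/css"
    chmod 644 "$demo_root/css/style.css"
    before=$(count_world_writable "$demo_root")
    fix_world_writable "$demo_root"
    after=$(count_world_writable "$demo_root")
    rm -rf "$demo_root"
    printf '%s %s\n' "$before" "$after"    # 2 0
}

demo_permission_audit
```

`-perm -002` matches on the mode bits alone, so the audit gives the same answer whether you run it as yourself or as root; 755/644 still let the web server read the site, they just stop every other account from writing into it.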
 
If you use cPanel then FFS disable the generic/root FTP account. We have been caught like that.

(dumb question coming up) - I use cPanel, any indication as to what the generic/root ftp is called?

Also, if I was to put a PHP file on my server which contained database access details - is there any precaution I should take/can somebody access it and retrieve the user/pass from the script?

thanks
 
(dumb question coming up) - I use cPanel, any indication as to what the generic/root ftp is called?

Not a dumb question at all, in fact a sensible one! You can ask your hosting company if root FTP accounts are disabled but you'll also be able to tell if you can FTP into your site using your cPanel username and password. If you can do it then you'll be pretty sure someone else could and seeing as cPanel usernames are pretty standard you'll soon be open to Brute Force or Dictionary password attacks.

Also, if I was to put a PHP file on my server which contained database access details - is there any precaution I should take/can somebody access it and retrieve the user/pass from the script?

The nice thing about PHP is that it is 'parsed' on your server and output as HTML before anyone has a chance to view it in a web browser. In the case of connection scripts it should output a blank page if found. This leads you back to FTP because, as you say, if the raw file is available on your server through FTP vulnerability then someone could easily get your database script.

There is some conventional wisdom that says your connection script shouldn't be in your public_html folder. It should still work fine if moved a level above and so not available to the public but available to your application.
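As an added example (not the poster's code), the POSIX shell script below builds the layout this reply recommends in a constructed temporary directory: the connection script one level above `public_html`, pulled in by the public `index.php` with `require dirname(__DIR__) . '/db-config.php';`. It then checks that the credentials file really resolves to a path outside the document root and greps the document root for connection scripts left inside it. File names, the dummy credentials and the grep patterns are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the layout the reply
# recommends (a constructed site with the connection script one level above
# public_html), checks that the credentials file sits outside the document
# root, and greps the document root for connection scripts left inside it.
# File names, dummy credentials and grep patterns are assumptions.

# Absolute, symlink-resolved path of $1 without relying on realpath(1).
canonical_path() {
    (cd "$(dirname "$1")" && printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")")
}

# Return 0 if file $1 is not inside document root $2.
is_outside_docroot() {
    cfg=$(canonical_path "$1")
    root=$(canonical_path "$2")
    case "$cfg" in
        "$root"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# List PHP files under $1 that look like connection scripts. grep exits 1
# when nothing matches, which is the good outcome here, so do not fail on it.
find_connection_scripts() {
    find "$1" -name '*.php' -exec grep -lE 'mysqli?_connect\(|new (mysqli|PDO)\(' {} + || true
}

demo_connection_layout() {
    site=$(mktemp -d)
    mkdir -p "$site/public_html"
    # Constructed connection script, one level above public_html.
    cat > "$site/db-config.php" <<'EOF'
<?php
// Constructed dummy credentials for the demo; not real.
$db = new mysqli('localhost', 'site_user', 'EXAMPLE-PASSWORD', 'site_db');
EOF
    # The public script pulls it in from outside the document root.
    cat > "$site/public_html/index.php" <<'EOF'
<?php
require dirname(__DIR__) . '/db-config.php';
echo 'connected';
EOF
    outside=no
    is_outside_docroot "$site/db-config.php" "$site/public_html" && outside=yes
    # A stray copy left inside public_html is what the audit should flag.
    cp "$site/db-config.php" "$site/public_html/old-connect.php"
    stray=$(find_connection_scripts "$site/public_html" | wc -l | tr -d ' ')
    rm -rf "$site"
    printf '%s %s\n' "$outside" "$stray"    # yes 1
}

demo_connection_layout
```

The point of the layout is that a file above `public_html` has no URL at all, so a misconfiguration that serves `.php` files raw (or an editor's `db-config.php~` backup) can never expose it; the grep is the quick way to catch old connection scripts that were copied into the document root and forgotten.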
 
Well I use WordPress for my sites and I have been hacked many times before. The way they usually get in is from multiple guesses at your password and I'm talking millions of attempts. I now use a login-blocking tool which basically slows down each attempt so after a few hours they usually go to some other site who is easier to crack. Mine's still very crackable but they just move on.
 
Encrypt your stuff.. make strong passwords with numbers and letters and don't EVER call the pass after your mum's maiden name and your first dog's name!! Someone will know it! Also use .htaccess.. it's the best thing.. Mega good point here - if you're using Linux cPanel then set the .htaccess to 3 tries - if people get it wrong or you get it wrong then you're secured and remember to turn on your damn firewall! Unless of course you want months of grief! (I'm talking from experience man)
 