How to avoid going through the grief a hacker can cause.
We recently had a new client come to us with a website in very rough shape. He built the site himself, and although he was able to manage almost everything successfully, he had overlooked a few security issues that turned out to be devastating. He woke up one morning, and his website was hacked. A hacked website alone is a horrible thing to deal with, but what made this situation even worse was the fact that he had a shopping cart installed.
He came to us to see if we could help him reclaim his site and restore it to working order. We were able to do so, but it was a very long and tedious process.
I would recommend taking every possibly step to avoid something similar happening to you.
Now that I have you scared out of your wits, you can release the tense grip on your keyboard and mouse and I will offer some advice on how to avoid going through the grief that a hacker can cause.
Keep Everything Up To Date
I can't emphasize this point enough. Almost every website online today uses a combination of various scripts, web applications, and/or other third party pieces of software. The odds are that your website uses some sort of web application, quite possibly an open source one. I am a huge fan of the open source community, and I think it is one of the best things that has happened to the web. However, you always need to remember that open source code is available to people who have malicious intent.
This in itself isn't a bad thing, as long as you stay up to date with your current versions. If you have a WordPress blog, for example, make sure you are up to date with your installed version. A lot of the minor updates include security patches. These security patches fix vulnerabilities that can leave your website open to attack.
Use A Secure Host
The server on which your website is hosted also plays a crucial role in website security. Software for running web servers is constantly updated with security patches and improvements. Most of the larger web hosting companies keep their server security up to date.
However, if you are hosting with a smaller company or if someone is hosting your site for you on their own server, you really need to ask them what precautions they are taking in regards to security. If they don't keep their servers up to date, it is probably time to find a better host.
If your website is a crucial part of your business and you can afford the additional cost, you might also want to look into a VPS or PS to host your site with. If you are on shared hosting and somebody else has a security vulnerability, it is possible that a hacker can gain access to all sites on the server.
Use Secure Passwords
Allow I am writing this article on website security, this section should apply to all aspects of your online presence. You might think that your password is secure. You might think that no one can guess the combination of your dog's name and the date of your birthday, but you couldn't be more wrong.
A lot of hackers nowadays use brute force to crack passwords. It is a pretty straight forward method, as the name suggests. The hackers use programs to guess thousands of combinations of words, phrases, and numbers to try and guess your password. These programs can be surprisingly successful if your password contains standard phrases. So, how can you create a strong password?
Use a combination of upper and lower case letters, numbers, spaces and symbols if they allowed. There are plenty of tools online, like Strong Password Generator, to help you create a strong password. You should use a strong password for your cPanel account, your FTP accounts, your databases and anything else related to your website. Also, use a different password for each account!
Check Your File Permissions
Every type of server has some way of setting file permissions. The most common servers run Apache on Linux box. A Linux / Apache server will allow you to edit your file permissions through an FTP account or your cPanel, by chmodding. However, for a Windows IIS server, you will need to directly contact the host to take care of your file permissions.
Some web applications will require full file permissions (777 on Apache/Linux) when installing, and will require you to change them to something secure after installing. The most common permissions should be set to 755 for directories, and 644 for files.
Although I can recommend these standards for files and directories, every website and web application has different sets of file permissions required. That is why I strongly recommend reading up on what your website configuration needs for secure and functional file permissions. If you do your research but still don't know what you need for file permissions, you should really find someone to help you that does.
The intent of this article was not to scare you, but to simply try to make you more aware of website security. No one wants to deal with the headache caused by a hacker, so take the necessary steps in order to protect your website as best you can. If you have any questions, or would like me to elaborate on anything leave a comment below and I would be more than happy to help!
Ryan Cowles is a WordPress / Front End Developer living in Los Angeles, California. Along with a passion for building creative websites, he also enjoys photography, design, travel and the great outdoors. You can view his personal website by visiting http://ryanscowles.com. To see what he has been up to lately, check out his blog at Metacom Creative.