Website security for webmasters Last updated: June 16, 2008

 

What should a webmaster do when his or her website is under exploitation?  Remove files?  Playing defense is only a temporary solution.  Even if you just remove the malicious code and files, they will simply return and cause another round of trouble.  In fact, many websites are exploited over and over because webmasters play the victim.  Criminals never quit until they end up in jail.  Do you think they will all of a sudden quit exploiting websites and accept low-wage factory jobs?

 


 

One way of securing a website is to go after the one responsible for the damage to your website.  You might not know how the intruder entered your system, or even who did it or when.  But in many cases the victim can tell who is sponsoring the exploitation operation.  Go after the website and webmaster sponsoring the exploitation operation against your website.  If you destroy the sponsor's website, hopefully the sponsor and the exploiter will blame and fight each other.

If you prefer to sit back and play defense, there are several measures you can take.  The following is a list.

1. Folder permissions

Set the permissions of folders to 711.  A lot of webmasters set them to 755.  Even our web hosting company once told us to set them all to 755 instead of 711, and even an experienced WordPress member (and administrator) will tell you to set them to 755.  But they are totally wrong.  If you set them to 755, any file inside the folder can be downloaded.  That means an exploiter can download and analyze files to find vulnerabilities on your website.  If you like, watch the following video for more information.

 


 

If you have PHP software installed, one of the important files to protect is configure.php.  This file is likely to contain sensitive information such as the database name, database username and database password.  Giving up these pieces of information may let the exploiter reach your FTP connection as well.
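As an added example (not code from the original article), the Python script below builds a throwaway `includes/configure.php` in a temporary folder and applies the "others" permission bits to the current user, so you can observe what an unrelated account gets with 755 versus 711: the listing is blocked under 711, but a file whose name is already known stays readable until its own mode (here 600) shuts it off.  The directory name, file content and secret value are constructed; root ignores mode bits, so the denials cannot be seen when run as root.

```python
import os
import tempfile

# Added example (not from the original article): what an unrelated account,
# such as the web server or another shell user on a shared host, can do with
# a directory set to 755 versus 711. Everything is constructed in a temporary
# folder; nothing on a real site is touched.

# root (and non-POSIX platforms) ignore mode bits, so denials cannot be observed there
MODE_BITS_ENFORCED = os.name == "posix" and os.geteuid() != 0


def others_view(mode):
    """Copy the 'others' triad onto owner and group, so the current user
    experiences exactly the access that an unrelated account would get."""
    o = mode & 0o007
    return (o << 6) | (o << 3) | o


def probe_dir(dir_mode, file_mode=0o644):
    """Create includes/configure.php (constructed), apply dir_mode and
    file_mode as an outsider would see them, and report whether the outsider
    can list the directory and read the file by its known name."""
    with tempfile.TemporaryDirectory() as base:
        d = os.path.join(base, "includes")
        os.mkdir(d)
        cfg = os.path.join(d, "configure.php")
        with open(cfg, "w") as fh:
            fh.write("<?php $db_pass = 'constructed-secret'; ?>\n")
        os.chmod(cfg, others_view(file_mode))
        os.chmod(d, others_view(dir_mode))
        try:
            listable = "configure.php" in os.listdir(d)
        except PermissionError:
            listable = False
        try:
            with open(cfg) as fh:
                file_readable = "db_pass" in fh.read()
        except PermissionError:
            file_readable = False
        os.chmod(d, 0o700)   # restore owner access so the temp dir can be removed
        os.chmod(cfg, 0o600)
        return {"listable": listable, "file_readable": file_readable}


if __name__ == "__main__":
    print("755:", probe_dir(0o755))               # listable, file readable
    print("711:", probe_dir(0o711))               # not listable, known file still readable
    print("711 + 600:", probe_dir(0o711, 0o600))  # not listable, file unreadable
```

The third case is the one that actually protects configure.php: 711 on the folder hides the file name, but only the file's own mode keeps its contents from an outsider who already knows the name.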

 

2. Spy comments

If you have forums or blogs, be careful with spy comments.  Spammers always try to register an account to establish a link so that they can use multi-threaded software to post spam comments.  For more information, you may want to read this article.

 

3. Patrolling

It's very important that you visit your own website at least once a day.  It's often an unattended website that becomes a victim of hacking.  Not checking e-mail messages at least once a day is also a bad practice, because...  see the next point.

 

We try to give kind notifications to victims of website exploitation whenever we can.  If you would like us to continue our work serving the public with Internet security news, please consider making a small donation.  A donation is never required to watch our affiliate spam/Internet security documentation videos.  A $10 or even a $5 donation will help us replace a retiring computer.  $1?  Sure!


 

4. Contact information

Some people are afraid that showing e-mail addresses on the website will bring them a lot of spam messages.  But you really should leave at least one e-mail address there.  We often try to give a kind notification that a website has been hacked, but in some cases the owners don't leave any contact e-mail address, and we can't reach them.  If you don't want to receive spam messages, you can state your e-mail address like tombluewater(at symbol)mhvt dot com.  You can also use a contact form.  If you need help desk software, you may want to try out osTicket (osticket.com)'s free ticket system.

 

5. Casual ad at forums

People always want to show off and advertise their websites by posting URLs and saying 'Preview my website' at forums.  That's a really bad practice because many major forums are crawled by spam spiders.  No B.S.  That's really true.  By posting the URL of your website, you are inviting spammers.

 

6. E-mail addresses

Use different e-mail addresses depending on the purpose.  For example, you may want to use an account name like bill3 or payment5 for monetary transactions.  If you differentiate e-mail addresses by purpose, you can possibly tell how someone acquired your e-mail address in the event of a security breach.

Use Hotmail, Gmail or Yahoo e-mail accounts for important contacts.  That's because they never lose your mail, whereas your web hosting company can lose your mail.  Again, no B.S.

 

7. IFRAME injection

Ah, yes.  Be careful with iframe injections.  It's a simple code insertion in a file.  The inserted code looks something like http://202.03.304.949/iframe/hello.php, where 202.03.304.949 is an example of the IP address of the forwarding destination.  The file type can be html, php or anything else.  Unless the exploiter is lazy, you will usually find the insertion at the bottom of the script, because that is where you won't notice it at a glance when you open the file.
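As an added example (not code from the original article), the following Python scanner flags `<iframe>` tags whose src host is outside your site's own host list, notes whether the frame is sized to zero or hidden, and reports whether the tag sits in the last few lines of the file, where the article says such insertions usually go.  The sample file content and the allowlisted host www.example.com are constructed; the IP address is the article's own placeholder.

```python
import re
from urllib.parse import urlparse

# Added example (not from the original article): flag <iframe> tags whose src
# points at a host outside the site's own allowlist, note whether the frame is
# hidden, and whether it sits in the last few lines of the file.
TAG_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none""", re.IGNORECASE)


def find_foreign_iframes(text, own_hosts, tail_lines=3):
    """Return one dict per iframe whose src host is not in own_hosts.
    Relative src values (no host part) are treated as the site's own."""
    total = len(text.splitlines())
    own = {h.lower() for h in own_hosts}
    hits = []
    for m in TAG_RE.finditer(text):
        tag = m.group(0)
        s = SRC_RE.search(tag)
        src = next((g for g in s.groups() if g is not None), "") if s else ""
        try:
            host = (urlparse(src).hostname or "").lower()
        except ValueError:
            host = src  # an unparsable src is itself worth a look
        if not host or host in own:
            continue
        lineno = text.count("\n", 0, m.start()) + 1
        hits.append({"line": lineno, "src": src, "host": host,
                     "hidden": bool(HIDDEN_RE.search(tag)),
                     "in_tail": lineno > total - tail_lines})
    return hits


# Constructed sample of an infected script; the injected frame is appended at the end.
SAMPLE = """<?php
// constructed sample of an infected script (not a real capture)
echo 'hello';
?>
<p>Site content</p>
<iframe src="/player.html"></iframe>
<iframe src="http://www.example.com/widget.html" width="1" height="1"></iframe>
<?php
// more code
?>
<iframe src="http://202.03.304.949/iframe/hello.php" width="0" height="0"></iframe>
"""

if __name__ == "__main__":
    for hit in find_foreign_iframes(SAMPLE, {"www.example.com"}):
        print(hit)
```

Run it over every .php and .html file in the document root and compare the output against a clean copy; a hit that is both hidden and in the tail of a file is the pattern described above.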

 



 

8. File transfer protocol

FTP is not secure because the data are not encrypted.  It's also not secure because your account credentials are sent to the FTP server without encryption.  FTP is one of the channels through which attackers steal your account information and get into your control panel.  For more information on which web hosting company offers which file transfer protocol, go to this page.

 

9. Admin accounts

Another source of security breaches is administrative accounts.  If you simply set the username for an administrative account to 'admin,' then all they have to do is guess the password.  And if the password is very simple, they can use a program to guess it and penetrate your system.  (1) Don't use admin as the username for an administrative account.  (2) Use special characters and Greek letters to make a password if possible.  This page shows which website software supports special characters and Greek letters.

 

10. Anonymous FTP

When you access your control panel after signing up for a web hosting plan, one of the first things you should do is disable the anonymous FTP function.  Failing to disable anonymous FTP may give an exploiter access to your files through FTP.
