Essential website security measures
Most hosts today offer server-side security: they protect the server itself, including the operating system and the services that run on it. This does not mean they guarantee the safety of the content or software in your hosting account. There are two main reasons for this:
- You hold the full login credentials for your account. If a password is stolen from you, the host can no longer protect anything in your hosting account: to the server, the thief is you.
- You are free to install software such as a CMS, an e-commerce system, a blog or a forum. If you install an application that has vulnerabilities, your entire site is in danger. Hosts could in principle audit every installation on the server, but on a shared server that would take an army of administrators monitoring it 24x7x365, and cheap web hosting would not exist.
As you see, the responsibility for keeping your site up to date with security measures lies mostly with you. Why does it matter so much? Because plenty of attackers are constantly scanning for sites they can take over, mostly with automated tools that do not care who you are or how small your site is. There is no miracle cure that protects against everything, but there are a few things you can do that make a real difference. This article covers the basic ones.
Using the latest versions of applications and scripts
No software written by people is perfect, any more than people are. This applies to commercial, open-source and free applications alike. It means that sooner or later most applications have a vulnerability an attacker can use to get into your account. The people who write the software are not naive either, which is why updates exist: many updates are released precisely to close holes attackers could use. It is therefore crucial to update your applications as soon as new versions are available. Applications such as Joomla and WordPress notify you when a new version is out; for the others, follow the official news for each application you use and update as soon as possible. Keep in mind that a published fix also tells attackers exactly where the hole was, so sites that lag behind a release are the first to be hit.
Using strong passwords
A password is the simplest effective security mechanism, but not every password is effective. A few rules make your passwords much stronger.
First of all, never use the same password everywhere. If you have a single password for your e-mail, hosting account, blog and Twitter accounts, anyone who breaks into your e-mail can get into all the others. Your e-mail account is doubly valuable to an attacker, because most services send their password resets to it.
Never keep your passwords in plain text. Storing them in a file named "hosting password" on your computer is not the brightest idea. In many cases it is easier to break into your computer than into the server; a computer connected to the Internet with no firewall or antivirus installed is the obvious example. If you cannot remember all your passwords (and with one unique password per account you should not try), use a password manager, which stores them encrypted under a single master password.
Use a password generator to create passwords and avoid anything with meaning in it: the less logic there is in your password, the harder it is to guess. Use long passwords. The 7-8 characters that used to be recommended are no longer enough; off-the-shelf hardware tries billions of guesses per second against a stolen password hash, so aim for 12 characters at the very least and 16 or more where the login form allows it. Mix lower-case and upper-case letters, digits and special characters. A random 16-character password of this kind is beyond any realistic guessing attack.
Following these basic rules sets you far apart from the easy prey. Passwords created this way are strong enough for your hosting account and for your online banking, but strength alone does not help against phishing or a keylogger on your own computer, which is why the rules about not reusing passwords and not storing them in the open matter just as much.
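As an added example (not part of the original article), the following Python script generates passwords that follow the rules above and checks a candidate against them. It also estimates how many bits of guessing an attacker faces, which is why 7-8 characters are no longer enough. The character classes, the symbol set and the 12-character minimum are this example's own choices.

```python
import math
import secrets
import string

# Character classes a generated password must draw from. The symbol set is a
# conservative choice (this example's own) that most login forms accept.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!#$%&*+-=?@^_~"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)
MIN_LENGTH = 12  # this example's minimum; 7-8 characters is no longer enough


def has_all_classes(password):
    """True if the password contains at least one character from each class."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length=16):
    """Generate a random password containing every character class.

    secrets.choice draws from the operating system's CSPRNG; the `random`
    module is seeded predictably and must not be used for passwords.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    while True:  # rejection sampling keeps the distribution uniform
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def guess_space_bits(password):
    """Bits of entropy of a *random* password drawn from the classes it uses.

    This is an upper bound: a word, name or date drawn from the same classes
    is far easier to guess than this figure suggests.
    """
    charset = 0
    for cls in CLASSES:
        if any(ch in cls for ch in password):
            charset += len(cls)
    return len(password) * math.log2(charset) if charset else 0.0


def check_policy(password, used_elsewhere=()):
    """Apply the article's rules and return the list of violations (empty = ok)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short ({MIN_LENGTH}+ characters)")
    if not has_all_classes(password):
        problems.append("missing a character class")
    if password in used_elsewhere:
        problems.append("reused on another account")
    return problems


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, round(guess_space_bits(pw), 1), "bits", check_policy(pw))
    for weak in ("hunter2", "Tr0ub4do"):  # 7 and 8 characters, once "long enough"
        print(weak, round(guess_space_bits(weak), 1), "bits", check_policy(weak))
```

An 8-character mix of letters and digits comes out at roughly 48 bits, while a 16-character password over all four classes is close to 100 bits; every added character multiplies the attacker's work by the size of the alphabet.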
Cover your content
The next step in fortifying your account is hiding the folders and files of your hosting account from casual browsing. Most hosts configure their web servers so that if no index.* file exists in a directory, the server simply lists the folders and files at the requested location (on Apache this is the Indexes option). An attacker uses such listings to find backups, configuration files, upload folders and the exact versions of the scripts you run. It is therefore useful to place an empty index.html file in every directory under your public_html folder that has no index file of its own (do not add one next to an existing index.php, or the empty page may be served instead of your site). Where your host allows it, switching listings off for the whole account with Options -Indexes in the top-level .htaccess file achieves the same result without touching every directory. Either way, files remain reachable by anyone who knows or guesses their names; removing the listing only removes the map.
Another good step is to protect the directories that hold the scripts you use or configuration files containing login information (database names, users and passwords). Password-protect these directories: most control panels have a function for this, and it can also be done with an .htaccess file in the directory you want protected together with a .htpasswd file, which should live outside public_html. Configuration files themselves should not be served at all, password or not: deny direct access to them outright, and keep them outside the web root where the application allows it. These measures add work for an attacker, who may well reconsider and move on in search of an easier target, but a determined attacker or an automated tool that already knows a hole in your software will not be stopped by them alone, which is why the remaining sections matter.
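The following Python script, added here as an example and not part of the original article or of any hosting control panel, applies both measures from this section to a site tree: it adds an empty index.html to every directory that has no index file, appends a .htaccess that turns listings off and denies direct access to configuration files, and password-protects chosen subdirectories with a .htpasswd kept outside the web root. The file patterns, the Apache 2.4 directive syntax and the demo layout are this example's assumptions; check that your host allows .htaccess overrides (a disallowed Options directive produces a 500 error for the whole site) and test the site afterwards.

```python
import base64
import hashlib
import os
import tempfile

# Files that must never be served, even to someone who knows the name.
# The list is this example's assumption; add your own applications' config files.
SENSITIVE_RE = r"^(\.ht.*|wp-config\.php|configuration\.php|config\.php|.*\.(bak|sql|log))$"


def htpasswd_line(user, password):
    """One entry in Apache's {SHA} htpasswd format, the same thing `htpasswd -s`
    writes. Where the host's Apache supports it, prefer bcrypt (`htpasswd -B`):
    unsalted SHA-1 only slightly slows down an attacker who has stolen the file."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def root_htaccess():
    """Apache 2.4 syntax. On Apache 2.2 replace 'Require all denied' with
    'Order allow,deny' followed by 'Deny from all'."""
    return (
        "Options -Indexes\n"
        f'<FilesMatch "{SENSITIVE_RE}">\n'
        "    Require all denied\n"
        "</FilesMatch>\n"
    )


def protected_htaccess(htpasswd_path):
    """Basic-auth protection for one directory; the .htpasswd lives outside the web root."""
    return (
        "AuthType Basic\n"
        'AuthName "Restricted area"\n'
        f"AuthUserFile {htpasswd_path}\n"
        "Require valid-user\n"
    )


def harden(public_html, protect, htpasswd_path, user, password):
    """Apply the measures to the tree under public_html; return what was written
    (paths relative to public_html) so the caller can review the changes."""
    written = {"index_files": [], "htaccess": []}
    with open(htpasswd_path, "w", encoding="ascii") as fh:
        fh.write(htpasswd_line(user, password) + "\n")
    os.chmod(htpasswd_path, 0o600)  # readable by the account owner (and the server) only
    for dirpath, _subdirs, files in os.walk(public_html):
        # Only directories with no index.* at all: adding index.html next to an
        # existing index.php could make the server serve the empty page instead.
        if not any(f.startswith("index.") for f in files):
            index = os.path.join(dirpath, "index.html")
            open(index, "w").close()
            written["index_files"].append(os.path.relpath(index, public_html))
    # Append rather than overwrite: a CMS such as WordPress may already own the file.
    with open(os.path.join(public_html, ".htaccess"), "a", encoding="ascii") as fh:
        fh.write(root_htaccess())
    written["htaccess"].append(".htaccess")
    for sub in protect:
        path = os.path.join(public_html, sub, ".htaccess")
        with open(path, "a", encoding="ascii") as fh:
            fh.write(protected_htaccess(htpasswd_path))
        written["htaccess"].append(os.path.relpath(path, public_html))
    written["root_htaccess"] = root_htaccess()
    return written


def demo():
    """Run harden() on a constructed sample tree in a temporary directory:
    public_html/ with images/, admin/ and a blog/ that already has index.php."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "public_html")
    for sub in ("images", "admin", "blog"):
        os.makedirs(os.path.join(root, sub))
    open(os.path.join(root, "blog", "index.php"), "w").close()
    open(os.path.join(root, "wp-config.php"), "w").close()
    htpasswd = os.path.join(base, ".htpasswd")  # beside, not inside, public_html
    return harden(root, ["admin"], htpasswd, "admin", "correct horse battery staple")


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the demo the blog directory is left alone because it already has index.php, the top-level wp-config.php becomes unreachable over HTTP even though its name is well known, and the admin directory asks for a password before anything inside it is served.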
What to do if you still get hacked
There is always a possibility of a hack; raising the security level does not guarantee absolute protection. To be safe with your content, back up your site periodically, database included, and keep the backups somewhere other than the hosting account itself: a backup sitting next to the site is lost or tampered with along with it. Keep several generations, so that you can go back to a copy made before the intrusion rather than restoring the compromised one.
If your site does get hacked, the first thing to do is change all the passwords for everything in your hosting account: the master control panel password, all e-mail accounts, databases, FTP accounts, administrative logins to the installed software and so on. Do this from a computer you trust, because if the passwords were stolen from your own machine, the new ones typed there are stolen just the same. Then check all your software for the latest versions and update it; outdated applications are among the most common causes of hacks. If you run any scripts on the server, check a vulnerability database such as SecurityFocus (securityfocus.com) or the NVD (nvd.nist.gov) for known vulnerabilities in the languages and software you use. It is also vital to check your computer for viruses, trojans and spyware. Updating and changing passwords does not remove anything the intruder left behind (a planted script, an extra administrator account, a modified file), so compare the site against a clean backup or reinstall the applications from their original packages rather than trusting the hacked copy. In parallel, contact your hosting provider and go through the server logs for anything that helps locate the point of intrusion: requests to files that should not exist, unusual POST requests, or a single address probing many pages in a row.
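As an added example (not part of the original article), the Python script below runs the kind of log check this section recommends over a few constructed Apache access-log lines: it parses the combined log format, flags requests whose URL shows directory traversal, SQL injection or web-shell patterns, and lists addresses that produced a burst of 4xx errors, the usual signature of a scanner probing for known scripts. The patterns, the threshold and the sample lines are this example's own; your host's logs may use a different format, and the sample addresses come from the documentation ranges.

```python
import re
import urllib.parse
from collections import Counter

# Apache "combined" log format (this example's assumption about the host's logs).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Request patterns worth a second look; matched against the URL-decoded path.
SUSPICIOUS = {
    "traversal": re.compile(r"\.\./"),
    "sqli": re.compile(r"(union\s+select|'\s*or\s*'1'\s*=\s*'1|sleep\()", re.I),
    "php-in-uploads": re.compile(r"/uploads/.*\.php", re.I),
    "shell-param": re.compile(r"[?&](cmd|exec|system)=", re.I),
}

# Constructed sample log; addresses are from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "GET /about/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:02:10 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 210 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:10:02:11 +0000] "GET /index.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:10:02:12 +0000] "POST /wp-content/uploads/2024/03/shell.php HTTP/1.1" 200 44 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:10:02:13 +0000] "GET /wp-content/uploads/2024/03/shell.php?cmd=id HTTP/1.1" 200 61 "-" "curl/8.0"
""" + "".join(
    f'192.0.2.9 - - [12/Mar/2024:10:05:{i:02d} +0000] "GET /{name}/ HTTP/1.1" 404 196 "-" "python-requests/2.31"\n'
    for i, name in enumerate(["admin", "phpmyadmin", "pma", "mysql", "backup", "old",
                              "wp-admin", "administrator", "cgi-bin", "test", "dev", "tmp"])
)


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, burst=10):
    """Return (findings, scanners): findings are (ip, rule, raw path) for each
    suspicious request; scanners are addresses with at least `burst` 4xx responses."""
    findings = []
    errors = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed or a different log format; do not silently trust it
        path = urllib.parse.unquote(rec["path"])  # decode %27 etc. before matching
        for rule, rx in SUSPICIOUS.items():
            if rx.search(path):
                findings.append((rec["ip"], rule, rec["path"]))
        if rec["status"].startswith("4"):
            errors[rec["ip"]] += 1
    scanners = sorted(ip for ip, n in errors.items() if n >= burst)
    return findings, scanners


if __name__ == "__main__":
    found, scanning = triage(SAMPLE_LOG.splitlines())
    for ip, rule, path in found:
        print(f"{ip:15} {rule:15} {path}")
    print("probable scanners:", scanning)
```

In the sample, the traversal and injection attempts from one address are followed a second later by a successful POST to a freshly planted shell.php under the uploads folder and a request that passes it a command: that sequence is the intrusion point, and the file's timestamp tells you which backup generation predates it. The scanner address with a dozen 404s is noise by comparison, but a host can block it.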
Regardless of whether your site has ever been hacked or not, always keep in mind that such possibility exists. The better you are prepared for the unwelcome visitors the harder it will be for them to enter and the less damage they will cause.