One of the first things every website owner needs to understand is that nothing on the internet is 100% proof against a clever and determined attack. There is a constant "arms race" between hackers and software developers, with each side trying to stay one step ahead of the other. So in many ways website security is a case of making your site a less appealing target. Think of it as remembering to lock your doors and windows at home - a determined burglar might still get in given the right tools and enough time, but like burglary, hacking is often opportunistic and driven by "easy targets".
So, what are some steps to remember to make a site a less appealing target?
Keep your software up to date
It's an inevitable fact of life that software contains flaws which can be exploited maliciously. By always running the most up-to-date version, you take advantage of the continued vigilance of the software's creators in identifying and fixing such issues. You can search known vulnerabilities in software here http://web.nvd.nist.gov/view/vuln/search or here http://www.securityfocus.com/bid. Your best bet is to follow the security lists and announcements for the software you're using to run your website (not just the core platform but every plugin, theme and library it pulls in), and always stay on the latest stable versions.
It's important to limit access to the back end of your site to a "need to know" group. You can set the site up so that administrative functions are reachable only by the accounts, and ideally only from the network addresses, that actually need them. This is what's meant by hardening, or locking down: granting only the access that is genuinely required and removing everything else. The Web is chock-full of hardening guides, like this one if you're running a WordPress site. You should harden your site at all three levels: the operating system, the web server, and the web application itself.
Make your passwords strong
We all know how difficult it's becoming to remember the seemingly endless list of passwords we require to operate online. But it's important to remember that an insecure password is like leaving your front door open and your wallet on the table. Make sure you're not using the default password, and choose a password which is difficult to guess: long, not a dictionary word, and not reused on any other site. Microsoft provides a tool to estimate the strength of your password. If you're logging in over an insecure protocol like HTTP or FTP, then your password is sent "in the clear", making it easy to intercept, especially over public Wi-Fi networks; use HTTPS, SFTP or SSH instead. Yes, it might be convenient to update your website from an airport lounge or from the coffee shop, but it's become far too easy to get your passwords compromised in such places, so avoid it where possible.
It's easy to assume that everything on the site is running smoothly, but how often do you check it? The very last thing you want to hear from a customer is that your site has been compromised - if something happens, it's best that you know about it first.
Your site could also have been exploited to host malware and viruses without anything looking wrong at all. Fortunately, there are a lot of good tools for monitoring your site, including some free ones, like http://www.uptimerobot.com, though bear in mind that an uptime monitor only tells you whether the site is responding, not whether it has been tampered with. To help with those really difficult cases where your site was hacked but does not appear hacked, use Google Safe Browsing to check whether Google has detected hidden malware on your pages. (Use the following URL, replacing the site you want to check after the ?site= parameter.) http://www.google.com/safebrowsing/diagnostic?site=http://yourdomain.tld
Sometimes the best course of action if your site has been compromised is to adopt a "scorched earth" approach and re-upload a backup version that you know is clean. To make this viable, creating backups of the files, content and database needs to be part of your regular maintenance program: keep them somewhere the web server itself cannot overwrite, keep more than one generation (the most recent backup may already contain the attacker's changes), and test them by actually restoring them.
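A backup you have never restored is a hope, not a backup. The following is an added example (not from the original article) of a file backup that proves itself: it archives the site directory into a timestamped tar.gz, records the archive's SHA-256 in a sidecar file, then restores the archive into a scratch directory and compares every file against the live tree. The database dump is assumed to have been written into the site directory beforehand by your database's own tool (for example mysqldump); that step is not shown. The site contents in the demo are constructed.

```python
"""Site file backup with sidecar hash and restore test (added example)."""
import hashlib
import os
import tarfile
import tempfile
import time


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Slash-separated relative path -> SHA-256 for every regular file under root."""
    out = {}
    for dirpath, _d, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return out


def make_backup(site_root, backup_dir, label="site"):
    """Create <backup_dir>/<label>-<UTC timestamp>.tar.gz plus a .sha256 sidecar.
    Returns the archive path. Entries are stored relative to '.' so the archive
    can be restored into any directory."""
    os.makedirs(backup_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = os.path.join(backup_dir, f"{label}-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname=".")
    with open(archive + ".sha256", "w") as f:
        f.write(f"{sha256_of(archive)}  {os.path.basename(archive)}\n")
    return archive


def _is_safe(member):
    """Refuse archive entries that could escape the restore directory: absolute
    paths, '..' components, and symlinks or hard links."""
    parts = member.name.split("/")
    if os.path.isabs(member.name) or ".." in parts:
        return False
    return not (member.issym() or member.islnk())


def verify_backup(archive, site_root):
    """Check the sidecar hash, restore into a scratch directory, and compare file
    hashes with the live site. Returns (hash_ok, list_of_mismatched_paths)."""
    with open(archive + ".sha256") as f:
        recorded = f.read().split()[0]
    hash_ok = recorded == sha256_of(archive)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            members = [m for m in tar.getmembers() if _is_safe(m)]
            tar.extractall(scratch, members=members)
        restored = tree_hashes(scratch)
    live = tree_hashes(site_root)
    mismatched = sorted(p for p in set(live) | set(restored) if live.get(p) != restored.get(p))
    return hash_ok, mismatched


def demo():
    """Constructed site: back it up, verify it, then flip one byte of the archive
    and show that the sidecar hash no longer matches."""
    with tempfile.TemporaryDirectory() as work:
        site = os.path.join(work, "htdocs")
        os.makedirs(os.path.join(site, "wp-content"))
        with open(os.path.join(site, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(site, "wp-content", "db.sql"), "w") as f:
            f.write("-- assumed mysqldump output, written before the archive step\n")
        archive = make_backup(site, os.path.join(work, "backups"))
        good = verify_backup(archive, site)

        with open(archive, "r+b") as f:  # simulate corruption in transit/storage
            f.seek(-1, os.SEEK_END)
            last = f.read(1)
            f.seek(-1, os.SEEK_END)
            f.write(bytes([last[0] ^ 0xFF]))
        with open(archive + ".sha256") as f:
            recorded = f.read().split()[0]
        tampered_ok = recorded == sha256_of(archive)
        return good, tampered_ok


if __name__ == "__main__":
    print(demo())
```

The sidecar hash tells you the archive you are about to restore is the one you wrote; the restore test tells you it actually contains what you think it does. Copy both the archive and the sidecar off the server, since a backup sitting next to a compromised site is within the attacker's reach.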
If you find that your site has been compromised, the best course of action is to take down the current version, revert to a backup and then spend some time looking over the server logs to work out how the weakness was exploited. Before you overwrite anything, keep a copy of the compromised files and the logs: once the clean version is back up you will still need them to reconstruct what happened. You can then make corrections to your software and site structure to prevent this happening again. If you restore without closing the hole, expect to be compromised again the same way.
If you find your site has been attacked, you should consider taking the following steps:
- Take the site offline and restore from a backup you know is clean, keeping a copy of the compromised files and logs for investigation
- Reset your control panel password, and every other credential the attacker may have captured: FTP/SFTP, database, and CMS administrator accounts
- Contact your web developer and discuss the situation - they will check the logs to determine how the site was hacked and make changes as required
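"Check the logs to determine how the site was hacked" is easier with a first pass that surfaces the obvious suspects. The script below is an added example (not from the original article) of such a triage over web server access logs in the Apache/Nginx "combined" format. It flags a burst of POSTs to the login page from one address (password guessing), requests for PHP files inside an uploads directory (a likely dropped web shell), and any other successful POSTs from those same addresses, which is where you then read the log in detail. The login path /wp-login.php is an assumed WordPress convention, and the log lines are constructed for the demo using documentation IP ranges.

```python
"""First-pass triage of an access log after a compromise (added example)."""
import re
from collections import Counter, defaultdict

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one attacker guesses passwords, logs in (302), uploads a
# plugin, then calls a PHP file it planted under uploads. Other lines are noise.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /contact.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:56:40 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 2200 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:56:52 +0000] "GET /wp-content/uploads/2023/10/cache.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:13:57:00 +0000] "GET /wp-content/uploads/2023/10/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
this line is not in combined format and is counted as unparsed
"""


def parse(lines):
    """Return (records, unparsed_count). Unparsed lines are counted rather than
    silently dropped so a truncated or differently formatted log is noticed."""
    records, skipped = [], 0
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            records.append(m.groupdict())
        elif line.strip():
            skipped += 1
    return records, skipped


def triage(lines, login_path="/wp-login.php", burst_threshold=5):
    records, skipped = parse(lines)
    login_posts = Counter()
    php_in_uploads = []
    other_posts = defaultdict(list)
    for r in records:
        path = r["path"].split("?", 1)[0]
        if r["method"] == "POST" and path == login_path:
            login_posts[r["ip"]] += 1
        elif r["method"] == "POST" and r["status"].startswith("2"):
            other_posts[r["ip"]].append(r["path"])
        # PHP under an uploads directory should never exist; it is a web shell until proven otherwise.
        if "/uploads/" in path and path.lower().endswith((".php", ".phtml", ".php5")):
            php_in_uploads.append((r["ip"], r["path"], r["status"]))
    bursts = {ip: n for ip, n in login_posts.items() if n >= burst_threshold}
    suspects = set(bursts) | {ip for ip, _, _ in php_in_uploads}
    return {
        "login_bursts": bursts,
        "php_in_uploads": php_in_uploads,
        "followup_posts": {ip: other_posts[ip] for ip in sorted(suspects) if other_posts[ip]},
        "unparsed": skipped,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On a real log, feed the file object to triage instead of SAMPLE_LOG.splitlines(), and treat the output as a starting point: the plugin-upload POST from the same address that guessed passwords is the line that tells you how the web shell got there, and the timestamps bound the window you need to examine in the other logs.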