Protecting websites from hackers – 9 pillars of wisdom

Sheild yourself from the hacker's toolsIt’s the most awful feeling in the world (I imagine). It’s a new morning, and you settle down at your desk with your favourite drink, fire up your web browser, and before long you have a sinking feeling… Your website – or worse – your clients’ websites have been hacked, and since the wee small hours have been peddling poker, spam, porn and god knows what else to the world via your IP address.

The work involved in recovering the sites, the confidence your customers lose in you and the loss of business really aren’t worth risking, are they? Yet countless millions of websites are run in environments that make it easy for hackers to get a foothold.

In this article, we’re going to look at some of the things you should be doing as a website owner to mitigate as far as is practicable, the risks posed by the hacking community, and avoid being hacked!

1. Take regular backups off-site

Even if your hosting company offers offsite backups – it makes good sense to also take your own backups directly from your hosting account on a regular basis. Keep weekly backups for at least a couple of months, as this can help you recover things, if corruption or malicious activity doesn’t become apparent immediately (imagine if one of your older blog articles was hacked – you might not notice for weeks or longer!)

2. Don’t leave old files lying around!

As a systems admin, I have seen some unholy collections of disused code lying around in some accounts. It’s one of the most easy exploits for hackers. They find an old configuration file – maybe one that’s been renamed from config.php to config.php.old, and hey presto! You just gave them plain text access to your website’s database login details.

If you are in the habit of using your hosting account as a development platform, then be careful to remove your dust and debris before someone else starts picking through it for clues.

3. Make sure that software is up to date

I will assume for the moment that whoever built your website is a proficient coder and has taken reasonable steps to secure your website against simple hacking techniques. However, if your website was written years ago, and you haven’t enquired about having your website reviewed since, then it is worth doing to make sure that any obvious security holes get fixed.

If your website uses off-the-shelf code, either from an open-source project (e.g. WordPress, Drupal, Joomla etc.) or from a private company (e.g. vBulletin, CubeCart) – then you MUST make sure that you keep it up to date. It’s the oldest advice in the book. Imagine running the original version of Windows XP and never installing any of those tasty updates from Seattle – your PC would probably have given all of your money to the Russians, and slept with your sister by now. I digress.

The point I’m making here, is that for every updates for web software relating to bug fixes and enhancements, there are at least 5 for security patches. If you don’t keep software packages up to date, then sooner or later you WILL fall foul of the script kiddies or more dedicated hackers.

The Fantastico Factor – So many hosting companies tout Fantastico as though it’s some kind of panacea for people who don’t want to get their hands dirty. If you are thinking that the content management website you set up so quickly using Fantastico is going to weather the storm, thank again! Fantastico is a novel way of looking at how something works for the first time, for fun – but don’t think for a moment that it’s a sound basis for a busy production website. If you doubt me, just google for “Fantastico Security”.

4. Don’t use weak passwords anywhere!

Again, a bit obvious, but don’t use short, or common passwords, especially on your main hosting account. And don’t use the same password for all of your website logins, particularly those that you manage! If you have trouble remembering passwords, then install something like 1password (Mac) or KeyPass (Windows).

Email security – Many people completely overlook their email. How many times have you been emailed a new password, and then deleted the email. If you use an online email account (gmail, hotmail etc), then these deleted emails might sit in your trash for some time. How strong is the password that logs you into hotmail, or gmail? If someone can crack that, then they have a way in to your systems. Always – ALWAYS think carefully about where passwords are left. If you use a laptop, and download email from a POP3 mailbox, then always delete any sensitive emails, and make sure they are deleted! Run a utility to occasionally wipe the free space on your hard disk to make sure (such as BCWipe).

5. Add Apache HTTP Auth password protection to administration areas

Yes, we know that your blog, or content management system is already protected by a login screen. However, in many cases, you can also add an extra layer of security by applying password protection to the whole directory that contains your administration code. It’s free, and easy to implement, so do it! Plus, this will interact with any monitoring software on the server (see lower down).

6. Make sure you have the correct permissions set on files

A bit technical this one, but it amazes me how many people set permissions wrongly on their files. On Apache, there are two ways to run PHP – DSO and SuPHP. Without getting too bogged down in technicalities, running as DSO means that PHP scripts are accessed under the context of the Apache anonymous user account ‘nobody’. SuPHP is a more secure environment, but many web hosting companies don’t provide it, as it consumes at least 30% more CPU power – and that takes away their profits! Always use a hosting provider that supports SuPHP where possible.

Running DSO

This means that your PHP scripts need to have permissions set that allow ‘nobody’ (i.e. the Apache user)  to read the file (and even write to the file in some circumtances). Usually, accounts on servers set up to use DSO are sucj that new files will be owned by the account username, and belong to the ‘nobody’ group. In this case, your PHP files should be chmod 640, and your normal (non PHP) files should also be chmod 640.

Running SuPHP

SuPHP means that PHP scripts are run as the main account username. This is a far more secure way of doing things. In this case, Apache doesn’t need direct access to your PHP scripts at all. So, regardless of what you might be told by various installation instructions, you only need to set chmod 600 on your PHP scripts. This allows read/write access for your user account ONLY. All other files (html, txt, ico, css, js, etc) need only be chmod 644, allowing just read access to the Apache ‘nobody’ account.

7. Find web hosting with an application firewall, and good support!

If you want to cover even more bases, then make sure your website is hosted on a platform that is protected by an application firewall. An application firewall is different from a network firewall. A network firewall deals with traffic at the network level – i.e. TCP/IP, UDP, ICMP and so on. This is really dealing with what network connections are allowed in and out of your server. An application firewall works at a much higher level – inspecting the kinds of requests being made to your website. An application firewall can detect and mitigate many of the common techniques employed by website hackers, including XSS Cross Site Scripting, SQL Injection, Command Injection and hundreds of other more examples of bad behaviour.

In short, if your code is vulnerable to attack, or becomes the subject of a Zero Day exploit, then an application firewall may well save the day until you get things sorted out. It’s not a 100% guarantee, and it won’t protect you from a denial of service attack, but it’s an excellent safety net.

Again, running an application firewall is expensive, and invariably means that the website developer and the hosting company have to work together to ensure the firewall doesn’t block legitimate traffic. For this reason, most large hosting companies don’t bother with this luxury, or they run the firewall with so many disabled rules that it is as leaky as a tea-bag. However, a well configured application firewall is a very valuable tool in your protective shield!

8. FTP securely using SFTP

If your hosting provider allows it, set up an SSH keypair, and connect to your hosting account using SFTP instead of plain old FTP. This way, your user account credentials are not passed over the net in the clear. It’s unlikely that anyone will ever catch you out this way unless you spend time using public wireless networks. However, you can never be truly sure about who is between your computer and your web server, so use it if you can.

9. Robots.txt red herring – don’t do it

Some websites suggest adding areas that you don’t want search engines to index to your robots.txt file. This is completely misleading, and lacks any real value. Anybody can access your robots.txt file and find out all about the areas of your site that you want to keep hidden! In many ways, including a robots.txt file as a security measure is actually doing more harm than good!


2 Responses to “Protecting websites from hackers – 9 pillars of wisdom”