Vigilance and care are needed to protect against website/application hacking.
You go to post a long-overdue update to your neglected website, and you notice that there are many new, strangely named files and directories in your ftp root. Or worse, you load your website and see the garbage below.
You are now a cog in the relentless global spam & malware machine. Your server is either infecting poorly protected Windows users, spamming them with ads for everything that’s missing in their lives, or just dutifully hosting media for the adult entertainment industry.
Some steps that will reduce the likelihood of this happening:
- UPDATE your WordPress/Drupal/Joomla installations, and THEIR PLUGINS REGULARLY. 99% of the attacks come through poorly patched CMS’s, particularly through plugins. Turn on auto-update if it isn’t on already.
- If you’re using a CMS like WordPress, install a well-respected, highly rated security plugin.
- Use an anti-spam plugin, if you allow commenting or feedback forms.
- Back your site up as frequently as you modify it. This includes the database and the files. There are many plugins for managing this automatically, as well as the tools built-in to your hosting provider’s control panel.
- Uninstall any plugins and themes not in use.
- Check that your directory security is set as restrictively as possible while still allowing the site to function properly.
- Use a two-factor authentication plugin for your administrative user access, and while you’re at it, enable it on your hosting provider’s control panel.
- On Apache, and if you have access, harden your .htaccess file with some choice mod_rewrite rules and directory security.
- Ensure you’re using a newer, updated and supported version of PHP.
- If you built the site yourself, or a contractor did on your behalf, ensure that it is protected from SQL-injection and XSS attacks.
Lastly, if you don’t have to store sensitive data in your database – think 1000’s of individual’s contact details, DON’T. Integrate with a 3rd party – in this case MailChimp or one of their competitors – rather than being responsible for sensitive data, and hosting it on a neglected server.
As always, if you’d like a hand in verifying that your website is as secure as possible, contact us.