Web Security is not one time event. It’s not even an “extension” or “plugin” installed on your site. Security is an ongoing practice, one that requires your active attention. Preventing a site from being hacked is, not easy, but cleaning up a hacked site is harder.
Clearly the path of least resistance is prevention and not the cure.
How big of a problem is hacking really?
Here’s a fun fact, according to a recent statistic published in Forbes magazine, over 30,000 websites are hacked every day. That’s a lot of hacked websites. And often a hack is preventable, by proper patching, strong passwords and using proper security techniques. The vulnerability of a website should not be measured as a “IS vulnerable” or “IS NOT vulnerable”, rather it should be by how much and when.
A good saying, I learned from a BIOS engineer (Thanks Jason K!) once was that ‘Software ROTS’. In other words it doesn’t age gracefully, and is replaced; it rots away. In the world of websites, that ‘rot’ is accelerated and can have a much greater exposure than just a single BIOS in a single machine.
Administrators who maintain a sense of security situational awareness through, simple things like patching or updating can make the difference between getting hacked or staying safe.
Common reasons for attack
Often times when a site is hacked, the scripts, such as the CMS (Joomla®, WordPress®, Drupal, Magento, etc.) have not been properly maintained. This single failure, accounts for a significant portion of attacks.
Naturally, the goal of gaining access to a site is to place a backdoor or other malicious code on the site.
The code that is placed on servers is often used for a variety of purposes such as:
- Spam Bots – Turning your server into a mail-slave churning out millions of emails
- Attack Zombie – perhaps they wish to use your servers resources to attack another
- Backdoor – one of the more infamous backdoors (also known as SHELLZ) is the C99 script. A powerful utility designed to control your server resources and files without your knowledge.
- Trojan Horse – designed to attack visitors
- Keyloggers and much more
The goal of maintaining a healthy site is no different than locking up your house or your valuables. The idea is to prevent a miscreant from attacking your site.
You can remain vigilant against this threat by establishing a good security process and following it.
Another common reason for sites that are successfully attacked is weak passwords. Weak Passwords are passwords that are easy to guess, or are found in a dictionary of passwords. Since many CMS’s do not provide a protection against too many failed attempts on a user ID in a specific period of time, this is a perfect opportunity for a hacker to use a method known as brute force. Such an attack was launched, quite successfully, against thousands of WordPress® and Joomla!®sites in 2013 – allowing them to be compromised.
This technique involves the repeated method of attempting to login using a ‘dictionary’ of passwords. Or in other words, easily guessed passwords.
Having a strong password is a good deterrent against attacks. Having a policy of frequent changing of strong passwords, say every 30 days, is a better defense. By doing frequent password updates, you’re less likely to be a victim of this type of an attack. It is a good idea to cycle ALL your passwords, not just the admin password. This includes MySQL, e-mail, cPanel/WHM and of course your FTP servers.
In regards to a STRONG password, it typically is one that is difficult to guess, does not appear in a dictionary and is not the name of your favorite pet. It should contain a mix of upper and lower case characters and if you’re up for it non-alphabetic symbols such as [ #%*@+-()^& ]. This helps reduce the brute force aspects.
Bolt the door
Another best practice is to add a level of security to you administrative folders of your CMS. For Joomla! this would be the /administrator directory. Another example would be the /wp-admin folder. Using a simple .htaccess password method, and a unique (meaning different than your others) password will greatly reduce the chances of your administrator folder being compromised. Take a few minutes to search for .htaccess directory protection and you’ll find a wealth o resources to assist you.
All quiet on the Western Front
One of the most popular methods of attacking your site is through your desktop or notebook computers. Often desktops are left unpatched against many attacks such as Cross-Site Scripting attacks or other means.
Not maintaining your desktop allows the OS or applications to be hacked or other means such as weak passwords, insufficient firewall protection and more. In the case of a compromised PC joining a zombie army, it’s now part of a global cabal of bad-guys, using the hapless computer to launch assaults.
Further once compromised an attacker may install a ‘keylogger’ to monitor your site’s password. They can obtain your site credentials from this method and simply log on to your site to perform the attack.
The best practice here is to patch and run a reputable, commercial virus scanner on your desktops and set them to scan automatically at least weekly. And yes for you Mac fans’ you need a virus scanner as well!
Another type of vulnerability often seen in compromised sites is permissions are set wrong for a variety of reasons. Quite simply, the permissions of the files and folders are a basic and powerful guard against attacks. Permissions have 3 parts. The Group, User and World permissions, and if a site has a file or folder (or multiple files and folders) set for 777, this means, read, write and execute permissions for everyone who can access your website.
Fortunately at Rochen.com we have added a layer of security to our servers that detects permissions that are set incorrectly and we stop access public access to them. One tip – if you run a CMS such as Joomla! or WordPress, set your permissions on the folder that contains the password to 640 – this is another added layer of protection against attacks.
The best idea for assurance of the safety of your site is deterrence. That is preventing the bad guys from getting in, in the first place. Take some time to go review your site and make sure your CMS is up-to-date in the latest in its family. Consult your CMS Project Website for specifics. Take a few minutes to ensure your extensions are all up-to-date and if not – update them.
Here’s one source for keeping up with exploits that you may wish to bookmark:
There are other references in the footer of that site to other projects. If you find you have an extension, module, plugin or other script that is found on these lists, be sure and update them.
If you have been through a hack clean up, then you already realize the cost in time and money as well as the potential customer impact or loss it has. Establishing a Disaster Recovery plan is easy and quick. I’ll cover this in a future article in more detail. However for now, be sure you have a known-clean copy of your database and your files OFF of your server. Rochen offers a terrific product to help you with that, Rochen Vault, which is economical and easy to use. Deploying Rochen Vault can mean the difference between not having a clean backup and a quick and easy recovery. Learn more about Rochen Vault – by stopping by our website , chat with us or drop us a note at firstname.lastname@example.org to get started.
In closing, the very old adage, of an ounce of prevention is worth a pound of cure, holds true here. After you read this, please take some time and review your sites. You’ll likely be surprised that you have vulnerabilities and catching them before the damage is done is paramount.