Tuesday, March 10, 2009

Deliver Your Web Site From Evil (Part 1)

1. Backup your website on the server.

If you have more than one important web site, put them on different web hosts. Don't rely on your web host for backups.

Find two different hosts which allow SSH access. Get an account with each. FTP the backup of one site to the other server directly, and vice versa. Download copies to your home computer as well.

2. Put a file called 'index.html' in every major or important directory in your website, if it doesn't already have one.

This stops people trying to peek at other files in the same directory.

3. Do not use old versions of FormMail. Do not use scripts that are newly released, unless you know how to check for security holes.

They should filter input like \# or >. Search on the terms 'Script Name bug' or 'Script Name security'.

4. Rename any email scripts you download before installing them.

Why give a spammer a clue as to what your script is, and what it can do?

5. Do not give files or directories obvious names, like 'pass', 'emails', 'orders' and the like.

Again, why make it easy for snoopers?

6. Do not leave unencrypted, confidential information on your server.

It's only a computer in a room God knows where, with God knows who having access to it.

7. Use a popular web host.

That cheapo one might be an un-committed reseller. Their Google PageRank gives a clue as to how popular they are. Send them an email or two. See how long it takes to get a reply. Check out their forums; how busy are they? They don't have a forum? Next!

8. If you are setting up .htaccess files or any other type of password protection, use long and varied passwords.

"Ch33s3And0n10n" is a lot more secure than "cheeseandonion", and just as memorable. Make your password at least 8 characters in length, containing both letters and numbers, and both upper and lower-case letters. Ordinary words can be guessed by brute-force cracking programs.

9. Strip scripts down to the bare essentials. Upgrade them regularly.

Programs like PHPNuke have lots of features in the default install. They allow webmasters and users a lot of control of website content. This creates vulnerabilities. A 'Nuke site of mine was hacked during Christmas 2005, by an Arabian group. Fortunately, I had a backup. I didn't have fast internet access, at the time, to upgrade it. I only needed one module working, so I removed the inessential ones, and changed file permissions on the admin section. At the time of writing, I'm waiting to see what happens next!

If you don't truly need it, turn it off.

10. Be careful what you say about other people or products on your site.

Not really security, but... people are very touchy about criticism. 'Flame wars' are a waste of time and energy, so avoid them.

0 comments:

Post a Comment