Keeping your website secure is a major component of managing your online business. Failure to do so will certainly result in direct and indirect loss for you, your clients and possibly many others as well.
A serious security plan, maintained regularly, will ensure that your website is a fast-moving target, the best kind of protection you can get for Internet property. If you do not know how to action the recommendations below or do not have the resources to attend to these matters, engage a web professional to take care of your site security for you. clickonIT Virtual Assistants can provide you with regular security and performance oriented housekeeping to help you manage your business website.
1. Ensure that ALL scripts and applications used in your account are up to date. Open source web applications are prime targets for malicious attack due to their wide use and the ease with which attackers can read their source code. Kept current and up to date, most security holes can be kept plugged. Check www.secunia.com for the known exploits.
2. Check that all files in your account are official and compliant with your file audit. Any files or folders that are not officially part of your application are suspicious; they can be planted by malicious applications at any level anywhere on your webspace. Use FTP or the cPanel File Manager to go through all files under public_html and compare them with the local copy that you maintain for this purpose.
3. Ensure all passwords are a mix of alpha-numeric, capital and lower case letters and special characters if your applications support them. Do not use any word that appears in any dictionary, names or real words reversed.
4. Change passwords often.
5. Do not use the same password for multiple access portals.
6. Configure separate database users for each MySQL database used by your web applications. Never use your main account username and password for database access. Never store your account username and password anywhere in your account space.
7. In the hosting control panel's Raw Log Manager, activate the archive option for your web logs. You can always recover an archived log should you need to review how and when your scripts were hacked.
8. If you have customized a web application with a mod, ensure it is the latest stable version. Addon mods may make your stable application exploitable. Mods that are no longer supported are a risk.
9. If you have written your own code, make sure all input variables are sanitized (checked for valid data before they are used). A single line of bad code can give access to your entire account. A common error is to include a file based on user input. Make sure all input to a script is checked for valid data. All exploits are based on input data. If your site does not take any input, you are 100% safe from web exploits, e.g. a 100% static HTML site with no script anywhere in your account.
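The "include a file based on user input" mistake from point 9, shown beside a hardened version, as an added example that is not part of the original article. The request parameter name (`page`), the `pages/` directory and the page names are assumptions; the point is that the user's string never becomes part of a path, it is only used as a lookup key into a fixed list.

```php
<?php
// Added example, not from the original article. Parameter and directory
// names are assumptions.

// VULNERABLE pattern: the request value is glued straight into the path.
// A value containing "../" (or any name the author did not intend) walks
// out of the pages/ directory, and whatever it points at gets executed
// as PHP in your account's context.
function render_page_unsafe(string $page): void
{
    include 'pages/' . $page . '.php';
}

// Hardened: a fixed allowlist maps short names to files. The user string
// is only ever used as an array key; the path that reaches include() comes
// from the list, never from the request.
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/** Returns the file to include, or null when the name is not on the list. */
function resolve_page(string $requested): ?string
{
    // Normalise once, then do an exact lookup. No string building here.
    $key = strtolower(trim($requested));
    return ALLOWED_PAGES[$key] ?? null;
}

function render_page_safe(string $requested): void
{
    $path = resolve_page($requested);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Constructed probe values showing what the allowlist accepts and rejects.
$probe = ['home', 'About ', '../../config.php', 'contact.php'];
foreach ($probe as $p) {
    printf("%-20s => %s\n", $p, resolve_page($p) ?? 'REJECTED');
}

// In the real handler: render_page_safe($_GET['page'] ?? 'home');
```

The same shape (lookup in a fixed table rather than building a path, filename or command from the input) applies to any place a request value selects a resource, not only `include`.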
10. If running PHP, any application that relies on register_globals being enabled has a greater chance of being exploitable. Avoid such applications.
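Why point 10 matters, as an added example that is not from the original article: with register_globals on, every request parameter is turned into a PHP variable at file scope before the script runs, so code that branches on a variable it never initialised can be steered by the request. The variable and function names below are assumptions. The directive was removed in PHP 5.4, so the check at the end only reports true on old installations.

```php
<?php
// Added example, not from the original article. Names are assumptions.

// Classic vulnerable pattern at file scope when register_globals=On:
//
//   if (check_password($_POST['user'], $_POST['pass'])) {
//       $authenticated = true;
//   }
//   if ($authenticated) {        // never set on the failure path
//       show_admin_panel();
//   }
//
// Because nothing assigns $authenticated when the password is wrong, the
// code relies on the variable being absent. With register_globals=On a
// request that simply carries an "authenticated" parameter pre-sets it.

// Fix 1: every variable the control flow depends on is initialised before
// any request data is looked at, and request data is read only through the
// $_POST / $_GET arrays.
$authenticated = false;
if (isset($_POST['user'], $_POST['pass'])
    && check_password((string) $_POST['user'], (string) $_POST['pass'])) {
    $authenticated = true;
}
if ($authenticated) {
    show_admin_panel();
}

// Fix 2: refuse to run at all while the setting is on. ini_get() returns
// false when the directive does not exist (PHP 5.4 and later), and the
// string "On"/"1" on old installations that still have it enabled.
function register_globals_is_on(): bool
{
    $value = ini_get('register_globals');
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

if (register_globals_is_on()) {
    http_response_code(500);
    exit('This application will not run with register_globals enabled.');
}

// Assumed helpers; replace with the application's own.
function check_password(string $user, string $pass): bool { return false; }
function show_admin_panel(): void { echo "admin\n"; }
```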
11. If you run a mail script, ensure it is safe from header injection. In essence, make sure that the email address, subject and any other user-submitted data placed in the message headers do not contain line breaks.
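A contact-form handler that applies the rule in point 11, as an added example that is not from the original article. Form field names and the destination address are assumptions. Every value that goes into a header is rejected if it contains a carriage return, line feed or NUL, because one injected line break followed by a `Bcc:` or `To:` header turns the form into a relay; the message body may keep its newlines.

```php
<?php
// Added example, not from the original article. Field names and addresses
// are assumptions.

function contains_line_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/**
 * Validates the form and returns the pieces for mail(), or null when the
 * submission must be refused. Nothing here sends mail.
 */
function build_mail(array $form, string $to): ?array
{
    $from    = trim((string) ($form['email']   ?? ''));
    $subject = trim((string) ($form['subject'] ?? ''));
    $body    = (string) ($form['message'] ?? '');

    // Header fields: no line breaks, ever.
    foreach ([$from, $subject] as $field) {
        if (contains_line_break($field)) {
            return null;
        }
    }
    // The From address must actually be one address.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Keep the subject to a sane, single line.
    $subject = mb_substr($subject, 0, 120);

    // Headers are assembled only from values that passed the checks above.
    $headers = "From: {$from}\r\n"
             . "Reply-To: {$from}\r\n"
             . "X-Mailer: PHP/" . PHP_VERSION;

    return [
        'to'      => $to,
        'subject' => $subject,
        'body'    => $body,
        'headers' => $headers,
    ];
}

// Constructed submissions: a normal one, and one that tries to add a header
// through the email field.
$normal   = ['email' => 'alice@example.com', 'subject' => 'Hello',
             'message' => "Hi,\nthis body may contain newlines."];
$injected = ['email' => "alice@example.com\r\nBcc: someone@example.net",
             'subject' => 'Hello', 'message' => 'x'];

var_dump(build_mail($normal,   'owner@example.com') !== null);
var_dump(build_mail($injected, 'owner@example.com'));

// In the real handler:
// $m = build_mail($_POST, 'owner@example.com');
// if ($m !== null) { mail($m['to'], $m['subject'], $m['body'], $m['headers']); }
```

The recipient is a constant chosen by the site, never taken from the form; a form that lets the visitor pick the `To:` address is a spam relay even without header injection.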
12. Just because your site has been running fine for years does not guarantee there are no security holes in it. It only means that an exploit for your site has not been found yet.
13. Remove all unused, redundant and obsolete code, files and folders from your account space.
14. For increased security, change the permissions of your configuration files (those containing database credentials etc.) to 660. Test to ensure that your application supports this permission.
15. For increased security, restrict the administrative sections of your site to authorized IP addresses, blocking access for everyone else, or password protect them.
16. If there is any file upload facility in your account, make sure that only authorized members can use it.
Also, the uploaded file should not be accessible directly via a web URL (i.e. it should be stored outside of public_html) unless
a) it is only uploaded by a site admin (a responsible person), or
b) it has been checked and validated as not exploitable.
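An upload handler that follows point 16, as an added example that is not from the original article: only an authenticated member may upload, the file must match a short allowlist by extension and by detected content type, and it is stored under a server-chosen random name in a directory outside public_html. The upload directory, the session key, the form field name and the allowlist are assumptions.

```php
<?php
// Added example, not from the original article. Paths, session key, field
// name and allowlist are assumptions.

const UPLOAD_DIR = '/home/account/uploads';   // outside public_html
const ALLOWED    = [                          // extension => expected MIME type
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];
const MAX_BYTES  = 2 * 1024 * 1024;

function upload_is_authorized(): bool
{
    // Assumed session flag set at login for members.
    return !empty($_SESSION['member_id']);
}

/** Returns the stored path on success, or a string starting with "error:". */
function store_upload(array $file): string
{
    if (!upload_is_authorized()) {
        return 'error: not authorized';
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'error: upload failed';
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        return 'error: too large';
    }

    // The client-supplied name and type are untrusted. The extension is
    // used only to pick which content type we expect to see.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return 'error: type not allowed';
    }

    // Check the bytes actually uploaded, not the browser's claim.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'error: not an uploaded file';
    }
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        return 'error: content does not match extension';
    }

    // Random server-chosen name: the original name never touches the disk,
    // so it cannot smuggle a second extension or path characters.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'error: could not store file';
    }
    chmod($dest, 0640);   // readable by the account, not executable, not world readable
    return $dest;
}

// Usage in the form handler (assumed field name "document"):
// session_start();
// echo store_upload($_FILES['document']);
```

Because the directory is outside public_html, nothing in it can be requested by URL. To hand a stored file back to a member, serve it through a script that repeats the authorization check and then streams the file with `readfile()`, sending a fixed `Content-Type` from the allowlist rather than anything derived from the upload.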
17. If you use URL forwarding or a webmail facility for your site membership, ensure access is not granted without proper authorization; it could be used for spamming.
18. If you are testing or experimenting with applications or code that only you need and that you do not intend to keep actively up to date, lock it behind a password.
19. You do not need any file or folder with world write permissions. Normal folder permissions should not exceed 755; PHP/HTML files can be 644 (or lower when set through SSH).
20. Prevent responses to URLs containing a tilde character (~) on shared hosting servers (see the "Removing Google-Found Social Engineering Content" article).