How to Protect your website from Hacking?

 

How to Protect a Website from Hacking:

 

Accept Responsibility: This is the first step. It is your website, and you are responsible for its security; if it is being used for fraud, you are responsible for that too.

Nobody is ever supposed to be able to add, delete, or change files in your website without your permission.

Most websites don't get hacked. If yours did, there is something wrong with it, or with the security on your PC.

You have to figure out how this happened so you can prevent it from happening again.

The way the internet works means that nothing can ever be entirely invisible if it is also to be publicly accessible, and anything that is publicly accessible can never be truly secure without serious investment, but there is still plenty you can do. The first step is to accept that you

 

Keep Changing the Password on a Monthly Basis: Always use passwords longer than 10 characters, mixing letters and digits. If a 10 or 12 character password is too long for you to remember, jot it down somewhere or, better, save it in a file and secure that file with an easy password you can remember. Keep changing it.

 

Keep your PC Clean: One of the top causes of website hacking is the webmaster's personal computer being infected by malware that steals FTP login details and sends them to remote computers, which then inject the victim website's pages with JavaScript or hidden iframes pointing to malicious websites such as gumblar.cn, martuz.cn, and a growing list of others. As long as the webmaster's PC is infected, changing the password is no use: the new one gets stolen too.

Make sure everyone who has password access, uploads files to the server from their PC, or logs in to the hosting panel of the website runs at least one, and preferably two, antivirus and anti-spyware scans on their local computer, using two different scanners.

 

Choose third party scripts carefully: Don't load your website with every cool script, gadget, feature, function, and code snippet you can find on the web. Any one of them could let a hacker into your site. Before you use something new, read its vulnerability reports and do a web search on it to see whether people discuss it as a security hazard.

 

Keep third party scripts up to date: Once you have installed a script such as WordPress, SMF, Coppermine, phpBB, or any other, find a way to make sure you are notified quickly when security updates are released. Get on a mailing list, subscribe to an RSS feed, subscribe to a forum board, create a Google Alert, whatever you need to do. When a security update is released, install it within one day if possible. This applies to commercial and free scripts alike, such as WP and Joomla. If you are running, say, WordPress, it is a bad idea to keep running an older version: new versions include security fixes.

 

Remove unnecessary files: As your website changes, old files get left behind. They should be removed. Keep copies offline in case you wish to add them again, but remember to update any scripts. Old files are often indexed by search engines, so even if you no longer link to those pages, the search engines list them for Internet users to find and visit. Automated programs that search for these files can find them and exploit them.

 

Include robots.txt: Create a file to tell search engines not to index files that are restricted to certain users. You can also disallow indexing of images, so people who search for images to use illegally do not steal yours. Remember that unless specified otherwise in the robots.txt file, all the documents on a site are indexed by the search engine spiders. Such documents are then available to the public via search engine queries. Advanced queries like ext:doc or filetype:doc will find all the Word doc files available on the servers. Similarly, site:xyz.com private will search for all instances of "private" on xyz.com.

To protect yourself from such exposure, take the necessary precautions, first of all avoiding any storage of critical or sensitive data on the server. If it is necessary, use a robots.txt file to avoid indexing of such documents or folders, e.g.:

User-agent: *
Disallow: /documents

Bear in mind that robots.txt is itself public and is only a request honoured by well-behaved crawlers; it does not stop anyone who already knows the path, so such files still need real access control.

 

Check Intruders: Whenever you log in to cPanel, check the last login IP; it is clearly shown there. It should be yours or one you know; if not, block it using cPanel or ask us to do it. Your website access logs keep detailed records of who connects to your site by HTTP (normal visitors) and by FTP (file transfers, such as when you publish pages).

 

Use the security plugins available for free scripts like WP and Joomla.

 

Web Based Forms: Forms (contact us, review, and comment forms) are one way of injecting content into your website. Make sure you validate all inputs to your site. Every kind of input, including page headers, cookies, query strings, hidden fields, and the form fields used to gather input from users, should be validated.

Example: Most webmasters use web-based forms or contact forms to gather user input. You need to validate such input against the expected input types and lengths. Any input to the web forms should always be HTML encoded before it is displayed, to neutralise any unwanted script elements.

Keep the contact us form and the comment forms captcha based.
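The validation and HTML-encoding advice above, as an added example that is not code from the original article: a PHP contact-form handler that checks types and lengths, whitelists a hidden field, and encodes anything echoed back. Field names, limits and the topic whitelist are assumptions.

```php
<?php
// Added example (not from the original article): server-side validation plus
// HTML encoding for a contact form. Field names and limits are assumptions.
function validate_contact(array $input): array
{
    $errors = [];
    $clean  = [];
    // Name: must be a string (not an array), bounded, letters/spaces/basic punctuation.
    $name = is_string($input['name'] ?? null) ? trim($input['name']) : '';
    if ($name === '' || strlen($name) > 80 || !preg_match('/^[\p{L} .\'-]+$/u', $name)) {
        $errors[] = 'name';
    } else {
        $clean['name'] = $name;
    }
    // Email: syntactic check with PHP's built-in filter, bounded length.
    $email = is_string($input['email'] ?? null) ? trim($input['email']) : '';
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    } else {
        $clean['email'] = $email;
    }
    // Hidden/select field: accept only values from a server-side whitelist,
    // because a hidden field is as editable by the client as any other.
    $topic = is_string($input['topic'] ?? null) ? $input['topic'] : '';
    if (!in_array($topic, ['sales', 'support', 'billing'], true)) {
        $errors[] = 'topic';
    } else {
        $clean['topic'] = $topic;
    }
    // Message: required, bounded, no control characters except CR/LF/tab.
    $message = is_string($input['message'] ?? null) ? $input['message'] : '';
    if ($message === '' || strlen($message) > 4000 || preg_match('/[^\P{C}\r\n\t]/u', $message)) {
        $errors[] = 'message';
    } else {
        $clean['message'] = $message;
    }
    return ['errors' => $errors, 'clean' => $clean];
}

// HTML-encode anything user-supplied before it goes back into a page.
function html_out(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$result = validate_contact($_POST);
echo $result['errors'] === []
    ? '<p>Thanks, ' . html_out($result['clean']['name']) . '</p>'
    : 'Invalid fields: ' . html_out(implode(', ', $result['errors']));
```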

Make it your habit to protect your administration panel with .htaccess (if you're using a Linux web hosting service). For example, if you use WordPress, protect your '/wp-admin' area by configuring .htaccess.

 

Directory listing allows anyone to see the contents of a directory by typing the website address followed by an existing folder name. If you type http://domainname.com/somefoldername/ and you see the contents of the directory, you should disable it immediately unless you are very sure of what you are doing.
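Two .htaccess fragments, as an added example that is not part of the original article, covering both the '/wp-admin' protection above and the directory-listing point in this paragraph. The account username, password-file path and IP address are assumptions, and the syntax is for Apache 2.4.

```apache
# Added example, not from the original article. Assumed: Apache 2.4 on a
# cPanel host, account user "youruser", password file kept outside public_html.

# ---- /public_html/wp-admin/.htaccess: extra login in front of the admin area ----
AuthType Basic
AuthName "Restricted Area"
# Create the password file with: htpasswd -c /home/youruser/.htpasswds/wp-admin adminuser
AuthUserFile /home/youruser/.htpasswds/wp-admin
Require valid-user

# Alternative: allow the admin area only from a known address
# (203.0.113.10 is a placeholder). Use this line instead of "Require valid-user".
# Require ip 203.0.113.10

# admin-ajax.php is also used by front-end features for anonymous visitors,
# so leave it reachable without the extra login.
<Files "admin-ajax.php">
    Require all granted
</Files>

# ---- /public_html/.htaccess: turn off directory listing site-wide ----
Options -Indexes
```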

 

Check the advanced tips and tutorials on my site to get an idea of what intruders can do and how to fix it. Don't just repair the damaged files and hope this experience doesn't happen again. That is not enough.

 

Use the latest visitors log in your cPanel to identify intruders: it shows who went to the various locations on your website and how much time they spent there. You can then block them yourself using the hosting panel, or ask us to do it.
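To put the access-log advice here and under "Check Intruders" into practice, an added example that is not from the original article: it reads a combined-format access log, the format cPanel's raw access logs use, and tallies requests to login and admin paths per client IP so unfamiliar addresses stand out. The watched paths and the sample log lines are constructed for the demo.

```php
<?php
// Added example, not from the original article: summarise an Apache/cPanel
// access log (combined format) by client IP for requests to admin and login
// paths. WATCH_PATHS and the sample lines below are constructed assumptions.
const WATCH_PATHS = ['/wp-login.php', '/wp-admin/', '/administrator/', '/xmlrpc.php'];

function summarise_log(iterable $lines): array
{
    $byIp = [];
    foreach ($lines as $line) {
        // combined log: IP ident user [time] "METHOD PATH PROTO" status bytes "referer" "ua"
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
            continue; // skip malformed lines rather than guessing
        }
        [, $ip, $time, $method, $path] = $m;
        $watched = false;
        foreach (WATCH_PATHS as $p) {
            if (strpos($path, $p) === 0) { $watched = true; break; }
        }
        if (!$watched) {
            continue;
        }
        $byIp[$ip] ??= ['hits' => 0, 'posts' => 0, 'last' => $time];
        $byIp[$ip]['hits']++;
        if ($method === 'POST') {   // POSTs to a login page are login attempts
            $byIp[$ip]['posts']++;
        }
        $byIp[$ip]['last'] = $time;
    }
    uasort($byIp, fn($a, $b) => $b['hits'] <=> $a['hits']);
    return $byIp;
}

// Constructed sample lines; in practice pass file('/home/youruser/access-logs/example.com') or similar.
$sample = [
    '203.0.113.7 - - [10/Oct/2023:09:15:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:09:15:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"',
    '198.51.100.23 - - [10/Oct/2023:09:15:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Oct/2023:09:16:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
];

foreach (summarise_log($sample) as $ip => $s) {
    printf("%-16s hits=%d posts=%d last=%s\n", $ip, $s['hits'], $s['posts'], $s['last']);
}
```

Any address in the output that is not yours or one you recognise is a candidate for the cPanel IP block described above.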

Send us hacking reports. Tell us what has happened. Give us as much detail as you can about the evidence that the site is compromised. If you have some idea when it happened, or when you first noticed it, tell us. If you found an unknown IP address in cPanel, report it. Give us a secondary email address that is not at your website, so your host can still contact you if your site goes down or if the hacker is reading or deleting your website email.

Remember that some of the biggest and most secure networks have been hacked and continue to get hacked, including our government network. The best thing to do is to protect the places hackers come in: the URL and the form fields. Have a backup and be able to restore it as soon as hacking is detected; that is the way you frustrate a hacker who has spent time and effort on hacking.

 

By WebSouls Team!

 
