How To Keep Your Website Secure

March 18, 2010 by · 26 Comments
Filed under: How To Guides 

This is a belated follow on to my last blog post – How To Keep Your Computer Secure

This was supposed to be posted a couple of weeks ago, but it’s the start of lambing time so I’m fairly tied up with that at present, I have however found a spare hour this morning to write this blog post.

As a web host (amongst other things), we deal with hacked accounts on a daily basis, anyone that’s ever fallen victim to this knows how much of a pain it can be to get a website back to normal after it’s been infected. So here are a few steps you can use to help prevent the hackers getting access in the first place!

1. Keep Your Scripts Up To Date

This is the most common way for a hacker to gain access to your account, all it takes is one line of poorly written code and kablamo, the hacker can inject malicious code into your files.

That’s why it’s vital to keep everything up to date, script updates don’t just contain new features, but they also contain important security fixes.

Open source scripts such as Joomla, WordPress and OSCommerce are particularly vulnerable, as the code is, as the name suggests, open source, so the hackers have access to all of the code, making it very easy for them to go through to find anything that’s been badly written. Once a weakness is found, it spreads like wildfire across the message boards and leads to more infected websites.

So please, as soon as you see a new update available for any scripts you are using – download and install them, it’ll save you a lot of problems in the long run.

2. Remove Unused Scripts!

It seems obvious, but I know a lot of you don’t do it. (tut tut)

As I said before, all it takes is one line of badly written code for hackers to gain access to your account, so the more code you have uploaded, the more chance you have of being hacked.

It doesn’t matter if the code is uploaded to some obscure place, or to a site that is no longer online, if the code exists on your site the hackers will find it, so if you have any old scripts on your account that you are no longer using, delete them, leaving them on the account is asking for trouble.

3. Do You Really Need That Plugin?

As well as removing unused scripts, it would be a good idea to go through the scripts that you do use and get rid of anything on there that isn’t a fundamental part of your site.

Take WordPress plugins for example, if you have a WordPress blog, go into the admin area and click on “Plugins”, and I’d like to bet there are a lot of inactive plugins on there, why?

If you aren’t using a plugin, delete it from your webspace, all it’s doing is sitting there waiting for someone to find it so make sure you get rid of any un-used plugins and themes, don’t make it easy for them 🙂

4. Use SFTP

SFTP stands for Secure File Transfer Protocol and works in the same way as standard FTP, but with SFTP all commands and data are encrypted.

Here’s a graphical example of Pete the packet sniffer stealing your FTP password “sexybeast4321”:

Think of the damage Pete could do with your FTP password

As you can see, the password is sent in plan text, meaning Pete now has your password.

Now compare that to if you were using SFTP:

Pete was so angry at not getting any passwords that he ate the Dog :-(

You can see that the password is now encrypted, meaning Pete can’t get access to your details.

So, How Do You Use SFTP?

Most FTP clients now support SFTP, and it’s just a case of selecting SFTP as the protocol instead of standard FTP, here’s what it looks like in CuteFTP Pro:

It's easy as 1234, easy as do-reh-me, SFTP baby you and me

There are bazillions of FTP clients out there, so it’s impossible for me to show you how to set it up in every one of them, so if you just look in the help files for your FTP client and do a search for “SFTP” you should be able to find what you need, and as always, Google is your friend for things like this.

One final thing you’ll need to know if the SSH/SFTP port of your web server, to find this you can either contact your host, or if you are using a cPanel based account, log into your cPanel, click on “FTP Accounts” > “Configure FTP Client” and you’ll see the port listed on that page.

If you follow those 4 steps you should minimize the risk of your account being hacked, it wont turn your account into Alcatraz, but it will go a long way to securing it. Most of it is down to regular maintenance of your scripts, SFTP helps add an extra level of security but if you have insecure scripts on there, it’ll do no good.

There’s also the obvious things like changing your cPanel/FTP password at regular intervals, but I’m sure you all do that anyway 😉

Even after this, there’s still a chance of getting hacked, so what do you do if you get hacked?

Contact Your Host

It may be possible to restore your account from a backup, so contacting your host right away is a good course of action, if they can restore to a point before the hacking, it gives you time to go in and clean up the old scripts that allowed the hackers to gain access.

If there are no clean backups available, then unfortunately there’s nothing for it but to clean out the infected files manually. If you have a copy of your sites on your computer (which you really should have), you may find it quicker to delete the site on your web space and re-upload from the copy on your computer.

You should also take into account that when hackers do get access to your site, they won’t just infect the website they gained the access to, they’ll infect everything on your account. So even if you have 1 bad WordPress installation and 10 good, the 10 good will be infected as well.

So to minimize this you can get yourself a reseller account and run each domain on it’s own cPanel, meaning if a site does get hacked, you only have 1 site to clean up, not every site you’ll ever run. In general you’ll find reseller accounts are only a few dollars more than what you are currently paying so it’s well worth the upgrade, if only for the piece of mind it’ll bring you.

I think that covers everything, I hope I haven’t scared you too much 🙂

If you have any questions, or any other security measures that you use, please feel free to bombard the comments section.