Anonymous

How to Keep Your Website Secure and Avoid Hacking

You may have heard in the news recently that the Syracuse city police department was among a list of agencies to have their websites hacked. In fact, some of the iSchool’s finest have already weighed in on the situation. As someone who has a lot of experience administering servers and building web applications (although I have no inside knowledge of what happened in those police department cases), I thought I’d contribute some general tips and best practices for keeping your website secure.

For a lot of organizations, websites are things they feel compelled to build for their customers, constituents, or fans. They need one because “everyone has one,” especially their competitors. In my experience, organizations with this mentality treat their website like a cheesy infomercial appliance: set it and forget it. Once the site “goes live,” little or no resources are spent maintaining it.

Websites are like pets. They’re a long-term commitment. They need constant care and attention, and just like your pet, if you neglect your website, bad things will happen. Organizations that do not dedicate resources to website maintenance are punching their one-way train ticket to Hackedville.

Dedicating boatloads of resources to your website is no guarantee either, and I would argue that no system can be made completely hacker-proof. Even the security experts get hacked. In 2011, a well-known security company that sells “hacker-proof” technology was itself hacked, and all the major web browsers had to release updates to clean up after the gaffe. So, you ask, “What’s a website owner to do?” My answer is two things: minimize the risk, and be prepared for the worst.

#1 Minimize the risk

Do everything you can to reduce your chances of being hacked in the first place. When I was a kid, my mom got her car stolen from the neighborhood grocery store parking lot. (That sort of thing happens when you leave the car running out front.) My takeaway? Don’t make it easy for an attacker to break into your website. Make your site less tempting to hackers, and chances are they’ll go elsewhere. This seems like common sense, but many people don’t do it because it takes time and expertise. Here’s some low-hanging fruit for you to pick:

  • Stay up to date: Even the simplest websites rely on software that was not authored by you. Software is written by people, so it contains errors, and some of those errors are security holes. Know every component your website relies on to operate (operating system, web server, CMS, plugins, themes, libraries), keep tabs on their known issues, and watch for updates and patches. You can search known vulnerabilities in software here http://web.nvd.nist.gov/view/vuln/search or here http://www.securityfocus.com/bid. Your best bet is to follow the security lists and announcements for the software you’re using to run your website, and always stay on the latest stable version. An unpatched component with a published vulnerability is the easiest way in: the exploit is often public, and attackers scan for vulnerable versions automatically.
  • Limit access to resources: Has this happened to you? In the morning, you place your lunch in the company refrigerator, and when you come back for it at noon… *poof*, it’s gone! Many people are shocked by this, but not me. The fundamental problem is that a community refrigerator has no way to grant access so finely that only you can take your own lunch. Fortunately, software doesn’t have this problem, and it is common practice to harden, or lock down, a system so that each account and process can reach only the resources it actually needs. The Web is chock-full of hardening guides, including ones for WordPress if that is what you run. You should harden your site at all three levels: the operating system (separate accounts, minimal services, a firewall), the web server (run as an unprivileged user, correct file permissions, no directory listings), and the web application itself (a least-privileged database account, no default admin accounts).
  • Use strong passwords: You need a username and password to place files on your web server or to update content. Make sure you are not using the default password, and choose a password that is difficult to guess. Microsoft provides a nice tool for testing the strength of your password (as with any such tool, do not paste in a password you actually use). If you log in over an insecure protocol like HTTP or FTP, your password is sent “in the clear,” making it easy to intercept, especially on public Wi-Fi networks; use HTTPS for the admin interface and SFTP or SCP instead of FTP. Yes, you look cool updating your blog from the coffee shop, but it has become far too easy to get your password stolen in such places, so avoid it where possible.
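Here is what “know your components and keep tabs on their known issues” looks like when you write it down. This is an added example of mine, not code from the original post: the inventory, the component names and the advisory ids (ADV-EXAMPLE-n) are all constructed for illustration, not a real vulnerability feed, and the only assumption about the feed is that each advisory names a component, the first affected version and the first fixed version.

```python
import re

# Constructed example data (not a real advisory feed): what runs on the site,
# keyed by component name, with the installed version string.
INVENTORY = {
    "cms-core": "3.4.1",
    "gallery-plugin": "1.2.0",
    "contact-form": "2.0.5",
    "webserver": "2.2.22-ubuntu4",
    "mystery-widget": None,        # version unknown: cannot be checked
}

# Constructed advisories (hypothetical ids): an affected range is
# [affected_from, fixed_in); fixed_in is the first safe version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "component": "cms-core",
     "affected_from": "3.0.0", "fixed_in": "3.4.2"},
    {"id": "ADV-EXAMPLE-2", "component": "gallery-plugin",
     "affected_from": "0.0.0", "fixed_in": "1.1.0"},
    {"id": "ADV-EXAMPLE-3", "component": "contact-form",
     "affected_from": "2.0.0", "fixed_in": "2.0.5"},
    {"id": "ADV-EXAMPLE-4", "component": "webserver",
     "affected_from": "2.2.0", "fixed_in": "2.2.23"},
    {"id": "ADV-EXAMPLE-5", "component": "cache-plugin",   # not installed
     "affected_from": "0.0.0", "fixed_in": "9.9.9"},
]

_NUMERIC = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text):
    """Turn '3.4.1' or '2.2.22-ubuntu4' into a comparable tuple.
    Missing parts are padded with zeros so '3.4' compares equal to '3.4.0'."""
    m = _NUMERIC.match(text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(installed, advisory):
    v = parse_version(installed)
    return (parse_version(advisory["affected_from"]) <= v
            < parse_version(advisory["fixed_in"]))


def find_exposures(inventory, advisories):
    """One finding per (component, advisory) that applies to the installed
    version, plus a finding for every component whose version is unknown:
    a component you cannot check is not a component you can call safe."""
    findings = []
    for name, installed in sorted(inventory.items()):
        if installed is None:
            findings.append({"component": name, "installed": None,
                             "advisory": None, "action": "record the version"})
            continue
        for adv in advisories:
            if adv["component"] == name and is_affected(installed, adv):
                findings.append({"component": name, "installed": installed,
                                 "advisory": adv["id"],
                                 "action": "upgrade to " + adv["fixed_in"]})
    return findings


if __name__ == "__main__":
    for finding in find_exposures(INVENTORY, ADVISORIES):
        print(finding)
```

The boundary case is the one people get wrong: contact-form 2.0.5 is the first fixed version, so it is not flagged, while cms-core 3.4.1 sits one patch release short of safe and is. In real life the inventory comes from your CMS’s plugin list and the package manager, and the advisories from the security lists mentioned above.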
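And here is the “limit access to resources” point applied to the web server level, as an added example (mine, not from the original post or any hardening guide). It assumes the common layout where files are owned by a deploy account and group-owned by the web server’s group, so the group bits are what the web server gets and the “other” bits are what everyone else on the box gets; ownership itself is not changed here (that needs chown as root), only the mode bits. The directory name uploads as the one place the web app may write is also an assumption.

```python
import os
import stat
import tempfile

# Assumed ownership: deploy user owns the files, the web server's group is the
# group. Then "group" = the web server and "other" = everyone else on the box.
DIR_MODE = 0o750           # owner rwx, web server r-x, nobody else
FILE_MODE = 0o640          # owner rw, web server r, nobody else
WRITABLE_DIR_MODE = 0o770  # only where the web app must write (uploads, cache)


def _is_under(rel, writable_dirs):
    return any(rel == d or rel.startswith(d + os.sep) for d in writable_dirs)


def audit_webroot(root, writable_dirs=("uploads",)):
    """Walk the site and return (relative path, reason) for every entry that
    breaks least privilege: anything world-accessible, any file with an
    execute bit (a PHP file never needs +x; one that has it in uploads is a
    red flag), symlinks, and any directory the web server can write to
    outside the allowed list."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                problems.append((rel, "symlink inside web root"))
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o007:
                problems.append((rel, "world-accessible (mode %o)" % mode))
            if stat.S_ISREG(st.st_mode) and mode & 0o111:
                problems.append((rel, "executable file (mode %o)" % mode))
            if (stat.S_ISDIR(st.st_mode) and mode & 0o020
                    and not _is_under(rel, writable_dirs)):
                problems.append((rel, "web server can write here"))
    return problems


def harden_webroot(root, writable_dirs=("uploads",)):
    """Apply the modes above; returns the number of entries changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue                  # leave symlinks for a human to judge
            if stat.S_ISDIR(st.st_mode):
                want = WRITABLE_DIR_MODE if _is_under(rel, writable_dirs) else DIR_MODE
            else:
                want = FILE_MODE
            if stat.S_IMODE(st.st_mode) != want:
                os.chmod(full, want)
                changed += 1
    return changed


def build_sample_site(root):
    """Constructed web root with the usual mistakes: directories left 777
    after a careless unzip, a config file readable by everyone, and an
    executable PHP file sitting in the uploads directory."""
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "inc"))
    for rel in ("index.php", "inc/config.php", "uploads/shell.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php /* sample */ ?>\n")
    os.chmod(os.path.join(root, "uploads"), 0o777)
    os.chmod(os.path.join(root, "inc"), 0o777)
    os.chmod(os.path.join(root, "index.php"), 0o644)
    os.chmod(os.path.join(root, "inc/config.php"), 0o644)
    os.chmod(os.path.join(root, "uploads/shell.php"), 0o755)


def demo():
    """Audit a constructed site before and after hardening."""
    root = tempfile.mkdtemp(prefix="webroot-")
    build_sample_site(root)
    before = audit_webroot(root)
    harden_webroot(root)
    after = audit_webroot(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

Run the audit from cron and treat any output as an incident: a fresh `.php` file appearing in uploads is exactly how a compromised site usually announces itself. Note that clearing the execute bit does not stop the PHP handler from running a script dropped into uploads; that takes a web-server rule that refuses to execute anything under that directory, which belongs in the web server level of your hardening.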

#2 Be prepared for the worst

Now that we’ve covered what you can do to reduce the chances of being hacked, let’s talk about your options when it happens. First, take a bite of the reality sandwich and come to grips with the fact that your site will eventually get hacked. In my 15+ years of administering and building websites, I’ve had a few of them hacked myself. Your plan here is simple: be the first to know there’s a problem, and have a plan in place to get things back. If you knew ahead of time that your laptop would get stolen someday, you’d be a fool not to install laptop tracking software like this guy did, right? Why not have a similar insurance policy for your website?

  • Monitor your site: You don’t want to find out that your site was defaced from a news outlet, your supervisor, or, worse yet, your high school arch-nemesis (whom for some odd reason you’ve “friended” on Facebook). You want to be the first to know about it. There are a lot of good tools for monitoring your site, including free ones like http://www.uptimerobot.com. Be smart and use one. Keep in mind that an uptime monitor only tells you the site is answering; it will not tell you the page now carries something it shouldn’t. For those really difficult cases where your site was hacked but does not appear hacked, use Google Safe Browsing to detect hidden malware on your page. (Use the following URL, replacing the site you want to check after the ?site= parameter.) http://www.google.com/safebrowsing/diagnostic?site=http://ischool.syr.edu
  • Back up your site: It goes without saying that you should have routine backups of your site. The rule of thumb is that everything required to get the site running exactly as it was at the time of the backup should be included. That usually means the files, the content, and the database. Backups should be stored off site, or at least not on the same computer as your web server: an attacker who gets into the server can delete or tamper with any backups sitting next to it. Finally, a backup is only useful if you can restore your website from it. Test your restore process at least once a year, and write up the instructions in case someone else has to do it.
  • When the hack comes: Get your site back online quickly with your restore procedure, but restore from a backup taken before the compromise; a backup taken afterwards may contain the attacker’s changes. Examine the log files to find how the attacker got in, then patch or rebuild your system so it cannot happen the same way again; if you only restore and change nothing, expect to be hacked again through the same hole. Be open with your users about what transpired, what you found, what you did about it, and what data, if any, may have been compromised.
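For the “hacked but does not appear hacked” case, here is the kind of check a content monitor can run on its own copy of the page, in addition to asking Google Safe Browsing. This is an added example of mine, not code from the original post or from any monitoring product: it looks for the three things a quietly defaced page usually carries (a hidden or off-site iframe, a script pulled from a host you do not control, and an inline script that decodes and evaluates itself) and keeps a hash of the page to compare against a known-good baseline. The two pages below are constructed, not fetched from any real site, and the hostnames bad.example and cdn.bad.example are placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Collector(HTMLParser):
    """Collect every <iframe> and <script> (attributes plus inline body)."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []
        self._script = None  # (attrs, [body chunks]) while inside <script>

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "script":
            self._script = (attrs, [])

    def handle_data(self, data):
        if self._script is not None:
            self._script[1].append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            attrs, chunks = self._script
            self.scripts.append((attrs, "".join(chunks)))
            self._script = None


def _offsite(url, allowed_hosts):
    host = urlparse(url).hostname      # None for relative URLs
    return host is not None and host.lower() not in allowed_hosts


def _looks_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = (attrs.get("width", "").strip() in ("0", "1")
            or attrs.get("height", "").strip() in ("0", "1"))
    return "display:none" in style or "visibility:hidden" in style or tiny


_OBFUSCATION = ("eval(", "unescape(", "string.fromcharcode", "atob(")


def find_hidden_injections(html, allowed_hosts):
    """Return (kind, detail) for content a normal-looking defaced page
    typically carries. allowed_hosts: hosts you legitimately load from."""
    c = _Collector()
    c.feed(html)
    findings = []
    for f in c.iframes:
        src = f.get("src", "")
        if _looks_hidden(f):
            findings.append(("hidden-iframe", src))
        elif _offsite(src, allowed_hosts):
            findings.append(("offsite-iframe", src))
    for attrs, body in c.scripts:
        src = attrs.get("src", "")
        if src and _offsite(src, allowed_hosts):
            findings.append(("offsite-script", src))
        lowered = body.lower()
        hits = [t for t in _OBFUSCATION if t in lowered]
        if "eval(" in hits and len(hits) > 1:   # decode-then-eval pattern
            findings.append(("obfuscated-script", body.strip()[:60]))
    return findings


def fingerprint(html):
    """Stable hash of the page, to compare with a baseline taken when the
    site was known-good. Any change deserves a look, even a benign one."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


# Constructed pages (not fetched from any real site).
CLEAN_PAGE = """<html><head><title>iSchool</title>
<script src="/js/site.js"></script></head>
<body><h1>Welcome</h1><iframe src="/embed/map" width="400" height="300"></iframe>
<script>document.getElementById('year').textContent = '2012';</script>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<iframe src="http://bad.example/in.php" style="display:none" width="1" height="1"></iframe>
<script src="http://cdn.bad.example/x.js"></script>
<script>eval(unescape("%61%6c%65%72%74"));</script>
</body>""")

if __name__ == "__main__":
    print(find_hidden_injections(INJECTED_PAGE, {"ischool.syr.edu"}))
```

The fingerprint is the blunt instrument (it fires on every legitimate edit too), and the injection scan is the targeted one; run both against a copy of the page fetched over the network, from a machine that is not the web server, so a compromised server cannot lie to the monitor.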
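The “test your restore” advice is easy to nod at and hard to act on, so here is an added example (mine, not from the original post) of a backup that carries its own proof of restorability: the web root and the database dump go into one archive together with a manifest of SHA-256 hashes, and the restore step re-hashes everything it extracted against that manifest. It assumes the database dump is handed in as bytes (in practice the output of mysqldump or pg_dump; here a constructed two-line dump so the example runs offline) and uses a temporary directory as the stand-in for both the web root and the restore target.

```python
import hashlib
import io
import json
import os
import tarfile
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _add_bytes(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def make_backup(site_dir, db_dump, out_path):
    """Bundle the web root (under files/), the database dump (db.sql) and a
    manifest of SHA-256 hashes into one .tar.gz. Returns the manifest."""
    manifest = {}
    with tarfile.open(out_path, "w:gz") as tar:
        for dirpath, _, filenames in os.walk(site_dir):
            for name in filenames:
                full = os.path.join(dirpath, name)
                rel = os.path.join("files", os.path.relpath(full, site_dir))
                manifest[rel] = _sha256(full)
                tar.add(full, arcname=rel)
        manifest["db.sql"] = hashlib.sha256(db_dump).hexdigest()
        _add_bytes(tar, "db.sql", db_dump)
        _add_bytes(tar, "MANIFEST.json",
                   json.dumps(manifest, sort_keys=True).encode())
    return manifest


def verify_against_manifest(dest):
    """Re-hash everything under dest against MANIFEST.json.
    Returns (ok, entries that are missing or do not match)."""
    with open(os.path.join(dest, "MANIFEST.json")) as fh:
        manifest = json.load(fh)
    bad = []
    for rel, digest in manifest.items():
        path = os.path.join(dest, rel)
        if not os.path.exists(path) or _sha256(path) != digest:
            bad.append(rel)
    return (not bad), bad


def restore_and_verify(backup_path, dest):
    """Extract the archive into dest, then verify it. The 'data' filter
    refuses members with absolute or ../ paths (Python 3.12+, backported to
    late 3.8-3.11 releases); older interpreters fall back to plain extraction."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(backup_path, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:
            tar.extractall(dest)
    return verify_against_manifest(dest)


def demo():
    """Back up a constructed site, restore it cleanly, then corrupt one
    restored file to show the verification catching it."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    site = os.path.join(work, "site")
    os.makedirs(os.path.join(site, "wp-content"))
    with open(os.path.join(site, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(site, "wp-content", "theme.css"), "w") as fh:
        fh.write("body { color: black; }\n")
    db_dump = b"CREATE TABLE posts (id INT);\nINSERT INTO posts VALUES (1);\n"  # constructed

    archive = os.path.join(work, "site-backup.tar.gz")
    make_backup(site, db_dump, archive)

    clean_ok, _ = restore_and_verify(archive, os.path.join(work, "restore-1"))

    dest2 = os.path.join(work, "restore-2")
    restore_and_verify(archive, dest2)
    with open(os.path.join(dest2, "files", "index.php"), "a") as fh:
        fh.write("<?php /* injected */ ?>\n")          # simulate tampering
    tampered_ok, bad = verify_against_manifest(dest2)
    return clean_ok, tampered_ok, bad


if __name__ == "__main__":
    print(demo())
```

The manifest is what turns “we have a backup” into “we have a backup we can trust”: copy the archive off the server, and keep a copy of the manifest somewhere the server cannot reach, so that a backup an attacker has quietly edited will fail verification when you need it most.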
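“Examine the log files” is the step most people stall on, so here is an added example (mine, not from the original post) of a first-pass triage over a web server access log in the common Apache/nginx combined format. It pulls out the three things to look at first after a compromise: which addresses hammered the login page, which ones were scanning for files that do not exist, and whether any request actually executed a PHP file from the uploads directory. The log lines are constructed (addresses from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), and the login paths and the uploads directory name are assumptions about a typical CMS layout.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?')

LOGIN_PATHS = ("/wp-login.php", "/wp-admin/", "/administrator/", "/admin/")
UPLOAD_PHP = re.compile(r"/uploads/.*\.php$", re.IGNORECASE)


def parse_line(line):
    m = LINE.match(line)
    return m.groupdict() if m else None


def triage(lines, login_threshold=5, notfound_threshold=5):
    """Summarise a log into the first things to look at after a compromise.
    Returns a list of (ip, kind, evidence)."""
    logins, notfound, hits = Counter(), Counter(), defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue                           # skip malformed lines
        ip, status = rec["ip"], int(rec["status"])
        path = rec["path"].split("?")[0]       # drop the query string
        if rec["method"] == "POST" and path.startswith(LOGIN_PATHS):
            logins[ip] += 1
        if status == 404:
            notfound[ip] += 1
        if UPLOAD_PHP.search(path) and status < 400:
            # PHP served (not blocked) from a directory that should hold
            # only images and documents: almost certainly a web shell
            hits[ip].append("%s %s -> %d" % (rec["method"], rec["path"], status))
    findings = []
    for ip, n in logins.items():
        if n >= login_threshold:
            findings.append((ip, "login-bruteforce", "%d POSTs to login" % n))
    for ip, n in notfound.items():
        if n >= notfound_threshold:
            findings.append((ip, "scanner", "%d responses of 404" % n))
    for ip, evidence in hits.items():
        for e in evidence:
            findings.append((ip, "php-executed-from-uploads", e))
    return findings


# Constructed log lines; the addresses are from the documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2012:10:01:02 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Mar/2012:10:01:03 -0500] "GET /wp-content/uploads/2012/03/photo.jpg HTTP/1.1" 200 84411 "http://www.example/" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Mar/2012:10:01:04 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
] + [
    '203.0.113.7 - - [03/Mar/2012:10:0%d:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3920 "-" "Mozilla/4.0"' % i
    for i in range(2, 8)
] + [
    '198.51.100.23 - - [03/Mar/2012:10:12:0%d -0500] "GET %s HTTP/1.1" 404 512 "-" "python-requests/1.0"' % (i, p)
    for i, p in enumerate(("/phpmyadmin/", "/admin/", "/.env", "/backup.zip", "/wp-config.php.bak"))
] + [
    '203.0.113.7 - - [03/Mar/2012:10:09:41 -0500] "GET /wp-content/uploads/2012/03/image.php?cmd=id HTTP/1.1" 200 77 "-" "Mozilla/4.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The order of events is the point: the same address that brute-forced the login later fetches image.php from uploads with a query string, and the server answered 200. That is your entry point and your web shell, and it tells you both what to remove and which password to reset. Keep the logs off the web server too; the first thing a careful attacker deletes is the evidence.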

If you’d like me to dive deeper into a specific subject, please share your thoughts in the comments below.


  • Jenee Silkwood

    I googled “how to keep your web site secure” for a research assignment in my Dreamweaver class and ran across this. Actually, I think you ranked #1 for my search. Anyway, some great pointers here for someone learning the ropes. I wouldn’t have even thought to routinely restore a site as part of my precautionary steps to keeping my site safe. Thank you for your wisdom.

    • Mafudge

       You’re welcome! I’m glad you found the article useful.


  • So hackers can access the server only by knowing the password, right? Without knowing the password, can they modify the server files? If so, how? Because only the site owner or server admin can modify server files, as far as I know. So keeping the password super safe will totally prevent our site from getting compromised?

    • mafudge

      They can access servers in a variety of ways without knowing your username or password. They do this by taking advantage of bugs in the software we use. Once they gain access, they typically have enough rights to manipulate files, etc.

      • What about software to avoid this kind of hacking? How do you prevent this?

  • Security is an ongoing practice, not something you install and then just leave your website there. Your web host is not the one to blame if you are not taking responsibility for at least minor maintenance, such as always keeping your running website on an up-to-date version; just like the Microsoft Windows operating system, security patches are released all the time to keep your Windows PC up to date and secure.

    There are also third-party services which will scan and automatically remove malware from your website once you are affected. These services are definitely like hiring a security guard for your website.

  • Daniel Mejia

    Question: how can I build a secure website with a very tiny budget of $500.00?

  • yigal

    Hi. I got hacked, I changed my password, bought a security product called SiteLock, but I still see changes to the links in the Google search, like he is changing my landing pages. How can I stop him from getting in? Thank you

  • Give us real information

    This thread told you absolutely nothing about how to make your site more secure. Backups and secure passwords, are you serious, lol? C’mon, that’s hardly a way to make your website more secure. Sure, great preventative measures, but like the recent Facebook hack, they were piggybacked, and you could have any password on Earth and the keylogger would have still cracked it.

  • lancish

    I want to have a website that is accessible only when the reader of my ebook clicks on a link in the ebook, so there would be no direct access to the site. I’m a newbie, but I’m assuming I can put the site password in the link, and when the user leaves the site he would carry a new, changed password back with him for the next time he clicked on an ebook link. I sure would appreciate your comments. Thanks

  • The cyber police these days are very active, but what can you do if a hacker is not from the same country or an allied nation?
