How to prevent your website from being hacked
In the past year, I’ve had to come to the rescue and clean up several websites that were hacked and then used for spreading computer viruses to their unsuspecting visitors. Here are some tips that should help prevent that from happening to you.
So how does a website get hacked? Usually web servers have a pretty high level of security when they are managed by a professional hosting company. They take care of firewalls, software updates, constant patching of holes.
Web applications installed by the client are the most obvious target. But I was surprised to see that usually the bad guys look at something else. The server protection is often too hard to crack, so they try dealing with the weakest link in the chain, and that means they attack the personal computers of people who have legitimate access rights to the server.
If you have a big and busy website, then you have server admins, developers, designers, copywriters and all kinds of people, sometimes with a poor grasp of information security, who happen to have access privileges. If one of their computers gets compromised, the bad guy can steal their password and enter your website through the front door.
So the most important thing you can do to keep your website safe is to keep your own computer safe, and to request the same from anyone before giving them access rights!
Here are some measures that I take to keep my data safe and secure. These mostly apply to Windows systems, as that’s what I use, but you might find these tips useful on other platforms as well.
1. Limit your privileges
Modern operating systems may not have this problem, but I use the good old Windows XP. A default home setup gives you full administrative rights. You can install any software you want, and you can change any system setting you want. That’s convenient, right? Well, there’s a big problem with this. While you are logged in, any application you run has the same rights as you. It can install software, change system settings… As a result, if an application is infected with malware, it can really mess things up.
This is mostly a Windows issue. On a Linux PC or on a Mac, you usually have restricted rights unless you explicitly log in with a root account. Windows is much more permissive, even though more recent versions (Vista and Win7) seem to have better protection and to allow fewer things to happen behind your back.
In any case, you should take a look at your computer’s user account settings. Make sure you have at least two accounts: one password-protected account with full rights, and a limited account that you use as your everyday login. Only use the admin account when you actually need it (e.g. when installing new software or changing settings). You will quickly get used to that, and it will spare you from almost all the malware that’s out there on the Internet.
2. Update your OS
The above tip does not protect you from security holes in the OS itself. Therefore, you should always turn on automatic updates for your OS. It’s important to get security fixes as soon as they are released.
3. Use up-to-date security software
This seems like a no-brainer. It has been repeated over and over. You need a decent firewall and decent antivirus. Usually it’s the first security advice given to computer users, but I believe that #1 and #2 above are much more important. Still, a good firewall and antivirus software is indispensable (at least on Windows systems).
Note that “good” does not mean “expensive”. Again, on my Windows XP system, I use the built-in Windows Firewall, plus the Microsoft Security Essentials antivirus. Competitors will say that’s not enough and you need to get their super-duper expensive protection package, but the truth is that these two Microsoft products are pretty decent and they will keep you safe and secure.
4. Do not use Internet Explorer
Of course, if you are a web developer like me, you will need IE to preview your work, because it is still among the top browsers that your site’s visitors are going to use. But don’t use it as your day-to-day browser (you probably aren’t doing that anyway, but be warned, and warn your clients too). It is the #1 target for all kinds of malware, and security holes often get exploited before Microsoft can issue an update to fix them. Also, if you have to use IE for any purpose, tell it not to “remember” any of your passwords. They are not stored securely enough.
5. Disable your browser’s Java plugin unless you absolutely need it
Embedded Java applets on the Internet may be cool, but they are used rarely these days. The web has moved toward other technologies such as DOM scripting, Ajax, and Flash. Nevertheless, most web users have an installed and enabled Java plugin in their browser. If you are not visiting sites that use Java often, you can keep the Java plugin turned off most of the time, since it has been a source of nasty security holes and that might happen again. Here’s how to turn off Java in your browser.
6. Use a master password in your browser
Firefox, Opera, and other good browsers allow you to set up a “master password” to encrypt all your other passwords stored in the browser. Then, you will need to enter the master password any time you want to retrieve any of the other passwords. However, this feature is turned off by default. It is a very important feature! If you do not use it, any malicious software, and any “friend” with whom you share your computer and user account, will be able to see and steal your stored passwords.
7. Do not store your passwords in Chrome
Google Chrome is an awesome browser, but it does not have that “master password” feature. Google’s developers claim it’s not sufficient for protection and refuse to implement it. Technically, they are right – security measures taken at the application level can be circumvented, for example with a keylogger. However, I believe that’s not a valid reason to shun an extra level of security, even if it’s not bulletproof. A master password in the browser would make it harder to gain access to the user’s data, therefore giving the user more time to identify and remove any malware before it’s too late. So my advice to you is not to store your passwords in Chrome, or to use a different browser altogether.
8. Do not store your passwords in FileZilla
This one is especially important to web designers and developers, since websites are often updated via FTP, and FileZilla is a free, very good and very popular FTP client. But if you click “remember password” in FileZilla, your passwords will get stored in your user account folder as plain text! FileZilla’s developer flatly refuses to implement any encryption, because like the Google Chrome developers he thinks it would be insufficient, and he believes it’s the job of the OS to adequately protect the user’s home directory. Again, technically, he is right. But if such information security purists could get out of their perfect little imaginary world and see real life, they would understand that we can’t really trust an OS; instead of a perfect OS, we have Windows, and we must deal with it the best we can.
9. Use SFTP where possible
Speaking of FTP, as a protocol it doesn’t provide any security either. It transmits the password as plain text, which means that it can be stolen by an eavesdropping machine along the way. For example, if your computer is clean, but another computer in your office is infected, it could spy on the network traffic and intercept your passwords if they are not encrypted. That’s why you should ask your hosting provider for an SFTP connection; most good web hosts offer it, and many FTP clients (such as the aforementioned FileZilla) support it.
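To turn tips 8 and 9 into something you can actually check on your own (or a colleague’s) machine, here is a small audit script I am adding as an example; it is not FileZilla’s code or anything from the original post. It reads a FileZilla site list in the shape of its sitemanager.xml and reports every saved site that has a password stored on disk or that still uses plain FTP, without ever printing the password itself. The element names and the assumption that <Protocol>0</Protocol> means plain FTP and 1 means SFTP are from memory, so treat them as assumptions and compare against your own file; the sample XML below is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of FileZilla's sitemanager.xml.
# Assumptions: <Protocol>0</Protocol> is plain FTP, 1 is SFTP, and a
# <Pass> element is present only when "remember password" was used.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webmaster</User>
      <Pass>not-a-real-password</Pass>
      <Name>Client site (plain FTP, saved password)</Name>
    </Server>
    <Server>
      <Host>sftp.example.org</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Name>Agency site (SFTP, no saved password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

PLAIN_FTP = "0"  # assumed FileZilla protocol code for unencrypted FTP


def audit_sitemanager(xml_text):
    """Return one finding per risky saved site.

    A finding is a dict with the host, the user name and a list of issues.
    The stored password value is deliberately never read or returned.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        issues = []
        if server.find("Pass") is not None:
            issues.append("password saved on disk in plain text")
        if server.findtext("Protocol", "") == PLAIN_FTP:
            issues.append("plain FTP sends the password in clear; ask for SFTP")
        if issues:
            findings.append({
                "host": server.findtext("Host", ""),
                "user": server.findtext("User", ""),
                "issues": issues,
            })
    return findings


def audit_file(path):
    """Audit a real sitemanager.xml file on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_sitemanager(fh.read())


if __name__ == "__main__":
    for finding in audit_sitemanager(SAMPLE_SITEMANAGER):
        print(f"{finding['user']}@{finding['host']}: " + "; ".join(finding["issues"]))
```

Run it against your own site list with audit_file(); on Windows the file is normally kept under the FileZilla folder inside your roaming application-data directory (assumed location, check your install). A clean result is an empty list: no saved passwords, and every site on SFTP.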
10. Use HTTPS where possible
The same considerations apply for the HTTP protocol when you log in – it does not encrypt your password, and in theory that means that it can get stolen on the way to the server. To fix that, get an SSL certificate for your site (even the cheapest one would do, and these days they are getting cheap indeed); then make sure login forms send data over a secure connection (the form target URL must start with “https://”).
11. Use password protection software
I’ve already mentioned the caveats of storing your passwords in browsers and other applications; you can avoid that by using a dedicated password manager application. It will remember your passwords for you, and typically it also provides much better security than your OS, your browser or any other application that offers to “remember” passwords. Personally, I use a tool called KeePass for the following reasons:
- It is a lightweight, portable application (only a couple of megabytes, installation is not necessary for running it)
- It uses very strong encryption
- It uses several techniques to defeat keyloggers
- It can generate secure passwords for you
- It lets you set expiration dates for your passwords, reminding you to change them
- It can be stored on an external drive (such as a USB flash key), meaning that your passwords are NOT physically stored anywhere on your computer
- It is a multi-platform tool, so you can use the same password database on different systems
12. Change passwords periodically
As I mentioned, I have had some experience with hacked websites, and in most of these cases the password was stolen from a legitimate admin’s PC. However, sometimes it turned out that the attacks on the website were not carried out immediately after stealing the password, but days, weeks, or months later. If you make it a habit to change your passwords often, then you just might stop the attack even if a password does get stolen.
These are all the things that I typically do to keep my computer secure and to preserve the safety of the websites that I develop and support. If you do your best to religiously follow at least some of these guidelines, you will help make the Internet a better and safer place.