Website security basics: Not just better passwords

Too often we see website security discussed as an afterthought. The fact is, getting hacked or compromised is usually the result of something simple: outdated software, weak passwords, obvious usernames, incorrect file permissions. They are all easy fixes. Although your mileage may vary between software packages, we’ve found that you can mitigate a good majority of these attacks by implementing a few basic security measures on your website.

Security through obscurity

Often criticised as giving website owners a false sense of security, it’s hard to go past this one. A good percentage of websites are hacked using a technique called “brute force”. This is simply persistence: trying one username and password combination after another until one works. Against a weak or default credential, eventually one will. The likelihood increases further when you realise it’s not a person guessing but a program, or “bot”. These bots spread their requests across many machines in different locations around the globe, which defeats the simple per-IP blocking that most firewall software relies on.

So it’s not uncommon to see as many as 500-1,000 attempts per day on a website. Most of these bots don’t bother discovering your login page; they simply request the well-known administrative URL for popular software. So if you use a very popular package, and the administrative login URL is the same for every site running it, then look out. There’s a good chance you’ll see a large volume of hacking attempts targeting this URL, whether it exists on your site or not.

One effective technique to reduce the volume of attempts is to alter the URL you use to log in. There are a couple of ways you can do this, and the complexity varies from one software package to another; most provide a plugin, extension or configuration file to achieve this outcome. It won’t stop an attacker who specifically targets your site and finds the new URL, but it removes you from the automated scans, which account for the majority of attempts. It’s highly recommended if you’re serious about thwarting those.

Change your username

The default username for most CMS and shopping cart systems is usually quite similar: administrator, admin, system and so on. By giving attackers half the answer, you’re significantly decreasing the time it takes to guess their way into your system, because the bot only has to enumerate passwords. Changing the administrative username to something less conspicuous removes that shortcut. Bear in mind that some systems expose usernames publicly (for example in author pages), so treat this as an obstacle rather than a secret, and still combine it with a strong password.

Implement a few basics

Some time ago, Perishable Press released a set of rules that can be applied to Apache-based websites. The goal was to block a wide variety of exploit attempts and malicious requests (bad query strings, request methods, user agents and referrers) before they reach your application. Originally called the 5G Blacklist, it has since been upgraded and is now known as the 6G Blacklist, published on the Perishable Press site. You’ll need access to your website’s file system, as these rules are generally placed within a file called .htaccess in the root folder of your website; they then apply to that folder and everything beneath it, provided your host allows .htaccess overrides. Test your site after adding them, since a blocklist that is too aggressive can break legitimate requests. They will, however, give you a real edge when it comes to closing off the many loopholes hackers probe for.

Protect sensitive resources with a better password

Sure, your CMS comes with a username and password, but sometimes a hacker doesn’t need this to gain access. It’s quite common in fact to compromise a site without knowing these details, through some other flaw or mechanism. So how do you stop them?

Simple: don’t rely solely on your CMS. Apache can enforce HTTP Basic authentication itself, before the request is ever handed to PHP or your application, so a flaw in the application cannot be used to get past it. While this technique won’t work with all websites, it’s a great way to stop hackers in their tracks. Simply password protect your administrative directories and sensitive data using a .htaccess and a .htpasswd file. Using this technique ensures the entire directory (and all of its subdirectories’) contents are protected. Two words of warning though: Basic authentication only base64-encodes the credentials on the wire, so it is only safe over HTTPS; and some systems (such as WordPress) won’t play nice, as their front end makes requests into the administrative area even for general tasks, and those requests will be challenged for a password too.

To implement this, you can use the built-in facility located in cPanel, or you can do it yourself manually. To do it manually, create a file named .htaccess in the folder you wish to protect and add the directives that switch on Basic authentication: the authentication type, a realm name shown in the browser’s password prompt, the full filesystem path to your .htpasswd file, and a rule requiring a valid user.

Then, create a .htpasswd file at the location you specified in the .htaccess, ideally somewhere outside the web root so that it can never be downloaded. Each line holds a username and a hashed password. This protects the folder or resource without consuming many server resources, and independently of any failings in PHP and/or your application.
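As an added example (not from the original article or from Apache’s own tooling), the following Python script produces both files locally, so the password never has to be typed into a third-party website. It implements the apr1 variant of MD5-crypt, which is the format the htpasswd -m command writes, and emits the matching .htaccess directives. The realm name, the /home/example/... path, the username and the password are placeholders you would replace.

```python
import hashlib
import hmac
import secrets
from pathlib import Path
from typing import Optional

# Alphabet used by crypt(3)-style hashes for their base-64 output.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def _to64(value: int, length: int) -> str:
    """Encode `length` 6-bit groups of `value`, least significant first."""
    out = []
    for _ in range(length):
        out.append(chr(ITOA64[value & 0x3F]))
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: Optional[str] = None) -> str:
    """Return an Apache apr1 hash ($apr1$<salt>$<22 chars>), as `htpasswd -m` does."""
    if salt is None:
        salt = "".join(chr(ITOA64[secrets.randbelow(64)]) for _ in range(8))
    salt_b = salt.encode()[:8]          # Apache uses at most 8 salt characters
    pw = password.encode()

    ctx = hashlib.md5(pw + APR1_MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    # Mix in the alternate digest once per 16 bytes of password (partial block last).
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    # For each bit of the password length, mix in a NUL or the first password byte.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds with the same alternating pattern as MD5-crypt.
    for i in range(1000):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    # Bytes are emitted in the permuted order MD5-crypt defines, 3 bytes -> 4 chars.
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return f"$apr1${salt_b.decode()}${encoded}"


def verify_apr1(password: str, stored: str) -> bool:
    """Check a candidate password against a stored $apr1$ hash in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_md5(password, parts[2]), stored)


def htpasswd_line(user: str, password: str, salt: Optional[str] = None) -> str:
    """One .htpasswd record: username and hash separated by a colon."""
    if ":" in user or not user:
        raise ValueError("username must be non-empty and must not contain ':'")
    return f"{user}:{apr1_md5(password, salt)}"


def htaccess_basic_auth(realm: str, htpasswd_path: str) -> str:
    """The .htaccess directives that make Apache challenge for a password."""
    if '"' in realm:
        raise ValueError("realm must not contain double quotes")
    return (
        "AuthType Basic\n"
        f'AuthName "{realm}"\n'
        f"AuthUserFile {htpasswd_path}\n"   # absolute path, keep it outside the web root
        "Require valid-user\n"
    )


def write_protection(protected_dir: str, htpasswd_path: str, realm: str,
                     user: str, password: str) -> None:
    """Write .htaccess into the protected folder and append the user to .htpasswd."""
    Path(protected_dir, ".htaccess").write_text(htaccess_basic_auth(realm, htpasswd_path))
    with open(htpasswd_path, "a", encoding="ascii") as fh:
        fh.write(htpasswd_line(user, password) + "\n")


if __name__ == "__main__":
    # Placeholder values; paths are assumptions for illustration only.
    print(htaccess_basic_auth("Restricted area", "/home/example/.htpasswd"))
    print(htpasswd_line("siteowner", "correct horse battery staple"))
```

Run it once to see the two outputs, or call write_protection with the real paths. Apache must have AllowOverride AuthConfig (or All) enabled for the directory, otherwise the .htaccess is silently ignored. The apr1 format is shown here because it is what the article’s .htpasswd generators produce and is accepted by every Apache version, but it is 1000 rounds of MD5 and cracks quickly on modern hardware; on Apache 2.4.4 or later prefer htpasswd -B, which stores bcrypt hashes, and in any case pick a long passphrase.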

Tip: .htpasswd entries can be generated online, for example at http://www.4webhelp.net/us/password.php, but doing so means handing your administrative password to a third party. Where you have shell access, prefer the htpasswd utility that ships with Apache (htpasswd -B for bcrypt hashes on recent versions), which keeps the password on your own machine.