How to Secure your Website Part 1


I received the message below from Rackspace yesterday and it reflects the current state of the security of websites (both bespoke and open source) in general. Rackspace offer a concise and excellent overview as well as measures you can use to safeguard your websites. I thought I would share this as it’s essential reading …

Lately, the industry has seen an elevated level of attempts to take advantage of code vulnerabilities in the software powering websites. Hackers are a common and persistent threat to any website, but there are steps you can take to protect yourself and to make your websites and applications harder to exploit.

Please read over the important tips below. We have dedicated security experts who work to protect our infrastructure, but since we can’t fix or upgrade code on behalf of our customers, it’s important for you to know and regularly implement security best practices in the code you run. We need your help and involvement to ensure your own sites are as protected as possible. If you have any questions about security, please reply to this email and we’ll be happy to help.

HERE’S WHAT OUR SECURITY TEAM HAS RECENTLY IDENTIFIED:

  1. The current data that we’ve collected points to application-based vulnerabilities being exploited. Hackers commonly scan sites for insecure applications, plugins, or other pieces of code and then work to take advantage of the software exploits they find.
  2. Applications using the popular blogging software WordPress appear to be mostly targeted, but WordPress isn’t the sole target of the malicious groups / persons.
  3. Your site does not have to be high-profile to be targeted. Hackers often scan random sites for signs of software known to be vulnerable (older versions of popular software with publicly known security holes, for example).

HERE’S WHAT YOU SHOULD DO NOW TO PROTECT YOUR SITES:

  1. This is probably the most important tip: For any application you use, be sure to maintain the most current stable version. Often, an application might be updated to a new minor version solely to address a security hole that’s been discovered. Be sure to subscribe to any news lists and feeds available for your applications to make sure you are aware of updated versions as soon as they are released.
  2. Many applications, like WordPress, have optional plugins developed by the community. Since these add-ons are often not as well vetted, it’s extremely important to carefully evaluate and manage third-party application plugins, themes, or other functionality that is introduced to a running web application. Most hackers are exploiting these plugins.
  3. It’s imperative to choose strong passwords. Randomly generated strings of letters, numbers, and symbols are best. Avoid words and phrases in your passwords. The unfortunate reality: passwords that are easy to remember are also easy to guess. (Ex: Replacing the letter o by the number 0 is not a recommended tactic.)
  4. Change your passwords on a regular basis and change them immediately when you have any hunch that your site may have been attacked.
  5. Be as restrictive as possible with users and file permissions. Remove write permissions from files that aren’t likely to change frequently. Some programs have install files that should be deleted after installation. If you’ve installed something or written code for testing purposes or experimentation, it’s best to remove it afterwards. Only keep the files and code on your account that are active and necessary.

As a site owner, you need to take an active role in guaranteeing security of your code and applications. Recovering from a hack or exploit is extremely time-consuming and frustrating. The preventive steps outlined above can make a world of difference in keeping your sites secure.

Finally, if you suspect your site has already been compromised, you should take immediate action. This knowledge base article can help you through the right steps:

http://cloudsites.rackspacecloud.com/index.php/Recovering_from_and_Dealing_with_a_Site_Compromise

Sincerely,

The Rackspace Cloud Security Team
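Tips 3 and 5 in the message above (strong random passwords; least-privilege file permissions; delete leftover install files) are easy to state and easy to get wrong by hand, so here is an added example that is not part of the Rackspace message or of this post: a small Python script that audits a web root for world-writable files, strips write bits down to 0644/0755, locks credential-bearing config files to 0600, deletes leftover installer files, and generates a random password. The leftover and config file names, the mode targets, the idea of an "uploads" directory that the web server must keep write access to, and the sample directory tree are all assumptions chosen for illustration, not settings taken from the page.

```python
"""Added example: audit and harden a web root for least privilege.
All file names, modes and the sample tree below are assumptions for illustration."""
import os
import secrets
import stat
import string
import tempfile
from typing import Optional

# Assumed names of post-install leftovers that should not stay on a live site.
LEFTOVER_NAMES = {"install.php", "setup.php", "install.sql", "phpinfo.php"}
# Assumed config files holding credentials: owner-only access.
SENSITIVE_NAMES = {"wp-config.php", "config.php", ".env"}

FILE_MODE = 0o644    # owner rw, group/world read-only
DIR_MODE = 0o755     # owner rwx, group/world may list and traverse
SECRET_MODE = 0o600  # owner rw, nobody else


def generate_password(length: int = 24) -> str:
    """Random password from letters, digits and symbols; retries until all three classes appear."""
    if length < 8:
        raise ValueError("use at least 8 characters")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def mode_of(path: str) -> Optional[int]:
    """Permission bits of path (e.g. 0o644), or None if it does not exist."""
    try:
        return stat.S_IMODE(os.lstat(path).st_mode)
    except FileNotFoundError:
        return None


def find_world_writable(root: str) -> list:
    """Relative paths of files and directories under root that have the o+w bit set."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink reports 0o777; its target is checked on its own
            if os.lstat(path).st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def harden_webroot(root: str, keep_writable=()) -> dict:
    """Delete leftover install files, lock config files to 0600, set every other file
    to 0644 and directory to 0755. Directories in keep_writable (relative paths the web
    server must write to, e.g. an uploads dir) are left untouched and reported."""
    keep = {os.path.normpath(p) for p in keep_writable}
    summary = {"removed": [], "locked": [], "skipped": [], "fixed_files": 0, "fixed_dirs": 0}
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir in keep:
            summary["skipped"].append(rel_dir)
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # never chmod or remove through a symlink
            rel = os.path.relpath(path, root)
            if name in LEFTOVER_NAMES:
                os.remove(path)
                summary["removed"].append(rel)
                continue
            target = SECRET_MODE if name in SENSITIVE_NAMES else FILE_MODE
            if mode_of(path) != target:
                os.chmod(path, target)
                summary["fixed_files"] += 1
                if target == SECRET_MODE:
                    summary["locked"].append(rel)
        if mode_of(dirpath) != DIR_MODE:
            os.chmod(dirpath, DIR_MODE)
            summary["fixed_dirs"] += 1
    return summary


def build_sample_webroot() -> str:
    """Constructed sample tree with typical mistakes: world-writable index.php and wp-admin/,
    a group/world-readable wp-config.php, a leftover install.php, a 0777 uploads dir."""
    root = tempfile.mkdtemp(prefix="webroot-")  # mkdtemp creates the directory 0700
    layout = {  # relative path -> file mode; None means directory
        "wp-admin": None, "wp-content": None, "wp-content/uploads": None,
        "index.php": 0o666, "wp-config.php": 0o644, "install.php": 0o644,
        "wp-admin/admin.php": 0o644, "wp-content/uploads/photo.jpg": 0o666,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if mode is None:
            os.mkdir(path)
        else:
            with open(path, "w") as f:
                f.write("<?php // constructed placeholder\n")
            os.chmod(path, mode)
    for rel, mode in {"wp-admin": 0o777, "wp-content": 0o755, "wp-content/uploads": 0o777}.items():
        os.chmod(os.path.join(root, rel), mode)  # chmod afterwards: mkdir obeys the umask
    os.symlink("index.php", os.path.join(root, "latest"))  # must be left alone
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    print("world-writable before:", find_world_writable(root))
    print(harden_webroot(root, keep_writable={"wp-content/uploads"}))
    print("world-writable after: ", find_world_writable(root))
    print("new admin password:", generate_password())
```

Run it against a copy of a real web root first: the point of `find_world_writable` is to see what will change before `harden_webroot` changes it. The `keep_writable` exception is the caveat worth remembering: an uploads or cache directory that the web server process must write to cannot be made read-only without breaking the site, so it stays writable and still appears in the "after" listing as a known exception rather than being silently skipped.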

