- Oct 25, 2012
- by Alex Ali
Hacks are an unfortunate reality when you run your own website. A single compromise can turn a successful website into a nightmare in a matter of seconds. While no website is immune to hacking, there are many things you can do to protect yourself, your clients, and your revenue. Here’s a quick overview of some common practices that can help you keep your website safe and secure:
Keep It Updated
If you used a common platform to build your website – such as WordPress, Drupal or PrestaShop – you need to be sure your website is running the latest version at all times. Every release is likely to include a fix for a vulnerability that has been found in the software, and once that fix is public, attackers scan for sites that have not yet applied it.
If you installed your software through Softaculous, you can update your site through cPanel by following these quick procedures:
1. Log into cPanel for the domain you want to update.
2. Click the Softaculous icon.
3. Click the “All Installations” icon on the top-right.
4. If there is an update for one of your installations, you’ll see two arrows next to the version number. Click the arrows next to the version.
5. Click the “Update” button to start the update process.
It is always recommended to take a backup of your website (files and database) before you perform any upgrade, so you can roll back if the update fails.
If you didn’t use an auto-installer, many software packages have a self-update feature within their control panel, or some other method to easily update to the latest version. Follow these links for instructions on updating some of the more common software packages:
Don’t Stick with the Defaults
Hackers will often try to log in with default information in order to gain access to your site. It’s good practice to change as many of the default options as possible:
Admin Panel Location:
Many software packages will let you move the default admin directory to a custom location. Instead of http://www.mysite.com/admin/ you could move your admin to http://www.mysite.com/super-secret-admin-panel/ instead, so that automated scanners which only try the well-known path pass you by. Keep in mind that this is obscurity, not a lock: anyone who learns the new path (from a shared link, a browser history, or the software’s own public files) is back at the same login form, so the measures that follow still matter. If your host allows it, restricting the admin path to your own IP address or putting HTTP authentication in front of it is a stronger version of the same idea.
Default User Names:
If your software installs default accounts such as ‘admin’, ‘master’ or ‘root’, get rid of them. Set up an alternate account with the same level of access, log in as that account, and then delete or disable the default ones. Those names are the first a hacker will try in a brute-force login attempt.
Default Table Prefixes:
Many software packages will allow you to set a custom table prefix in your database. This defeats automated attacks that hard-code the default table names (for example wp_users), but it is not a real defense against SQL injection: an attacker who can inject SQL can usually read the table names out of the database’s own catalog (information_schema in MySQL) and then target them by their real names. Treat the prefix as a small hurdle; the real protection is keeping the software updated and, in any code you write yourself, using parameterized queries instead of building SQL from user input.
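To show why a custom prefix alone does not stop an injection, here is an added example (not code from the original article or from any of the packages it names). It uses Python’s built-in sqlite3 module with an in-memory database, a made-up prefix and constructed sample data; sqlite_master plays the role that information_schema.tables plays in MySQL. The vulnerable_lookup function is deliberately written with the bug, and safe_lookup shows the parameterized fix.

```python
import sqlite3

# Constructed example: a custom, hard-to-guess table prefix, as the article
# recommends. The "attacker" functions below do not use this value directly.
PREFIX = "zq7_"


def build_db(prefix):
    """Create an in-memory SQLite database with one prefixed user table.

    Constructed sample data; the hash value is a placeholder string."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {prefix}users (id INTEGER, login TEXT, pw_hash TEXT)")
    conn.execute(f"INSERT INTO {prefix}users VALUES (1, 'webmaster', 'hash-of-secret')")
    conn.commit()
    return conn


def vulnerable_lookup(conn, prefix, user_input):
    """Deliberately vulnerable: the caller's input is spliced straight into the SQL.

    This is the 'before' picture of a SQL injection bug; do not copy it."""
    query = f"SELECT login FROM {prefix}users WHERE login = '{user_input}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, prefix, user_input):
    """The fixed version: the input travels as a bound parameter, never as SQL.

    The prefix is still interpolated, but it comes from configuration, not from
    the request, so it is not attacker-controlled."""
    query = f"SELECT login FROM {prefix}users WHERE login = ?"
    return conn.execute(query, (user_input,)).fetchall()


def discover_tables(conn, prefix):
    """Step 1 of the attack: learn the table names without knowing the prefix.

    sqlite_master is SQLite's catalog; MySQL exposes the same information
    through information_schema.tables. The UNION appends the catalog rows to
    the (empty) result of the original query, and '--' comments out the
    closing quote the application adds."""
    payload = "' UNION SELECT name FROM sqlite_master WHERE type='table' --"
    return [row[0] for row in vulnerable_lookup(conn, prefix, payload)]


def dump_hashes(conn, prefix, table):
    """Step 2: with the real table name in hand, pull the password hashes."""
    payload = f"' UNION SELECT pw_hash FROM {table} --"
    return [row[0] for row in vulnerable_lookup(conn, prefix, payload)]


if __name__ == "__main__":
    db = build_db(PREFIX)
    tables = discover_tables(db, PREFIX)
    print("tables found through the injection:", tables)
    for t in tables:
        print("hashes pulled from", t, ":", dump_hashes(db, PREFIX, t))
    # The same payload against the parameterized query matches nothing.
    print("parameterized lookup with the payload:",
          safe_lookup(db, PREFIX, "' UNION SELECT name FROM sqlite_master --"))
```

The prefix never has to be guessed: the first payload returns it, and the second uses it. Only the parameterized version treats the payload as an ordinary (non-matching) user name.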
Once your software is installed, it’s a good idea to go back and verify the ownership and permissions of the files on your site. The highest permission level any file or folder should need is 755 (the usual setting for directories; 644 is the usual setting for files). Any file or directory set to 777 is writable by every process on the server, which on shared hosting can include other customers’ scripts, and opens up the potential for malicious code to be placed on your site.
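A permissions audit is easy to script. The following is an added example, not a tool from the article or from cPanel: it walks a directory tree, reports every file or directory that is group- or world-writable (the difference between 755 and 777, or 644 and 666), and strips those write bits. The sample site layout it builds under a temporary directory is constructed for the demonstration; point it at your real document root only after reading what it changes.

```python
import os
import stat
import tempfile

# Write bits for group and "other": the difference between 755 and 777,
# and between 644 and 666.
SHARED_WRITE = stat.S_IWGRP | stat.S_IWOTH


def find_shared_writable(root):
    """Return sorted (relative_path, octal_mode) pairs for every file or
    directory under root that is group- or world-writable. Symlinks are
    skipped because their own mode bits are meaningless."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & SHARED_WRITE:
                findings.append((os.path.relpath(path, root), oct(mode)))
    return sorted(findings)


def strip_shared_write(root):
    """Remove the group/other write bits from everything find_shared_writable
    reports (777 becomes 755, 666 becomes 644), leaving the other bits alone.
    Returns the number of entries changed."""
    changed = 0
    for rel_path, _ in find_shared_writable(root):
        path = os.path.join(root, rel_path)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~SHARED_WRITE)
        changed += 1
    return changed


def build_sample_site():
    """Constructed sample tree (hypothetical layout): an uploads directory and
    a script inside it left at 777/666 by an installer, plus a correctly set
    index file. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="site-")
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)
    dropped = os.path.join(uploads, "helper.php")
    open(dropped, "w").close()
    os.chmod(dropped, 0o666)
    index = os.path.join(root, "index.php")
    open(index, "w").close()
    os.chmod(index, 0o644)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print("before:", find_shared_writable(site))
    print("changed:", strip_shared_write(site))
    print("after: ", find_shared_writable(site))
```

The audit only removes write permission for group and others; it never loosens anything, so a configuration file you have deliberately set to 600 stays at 600. Ownership is not touched, because on most hosting accounts only the host can change it.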
If You Don’t Need It, Turn It Off
One of the most common ways a hacker gains access to a site is through an account, function or script that was forgotten about. You should regularly examine your site and take inventory of all the scripts and software that have been installed. If you run into something you don’t need or haven’t used in a long time, disable or remove it.
Similarly, it’s also a good idea to go through your software and look at which features are enabled. If you have software that has the capability for users to register – but you don’t need them to register on your site – turn off registration.
Secure Your Passwords
Every site has multiple passwords associated with it – for example, for one website you have your control panel password, your FTP password, your administrative password, your email password – you get the picture. While it’s easy to pick one password and use it for all of these different systems, doing so is a major security risk: if that password is breached anywhere, the hacker now has access to all of those systems.
Use a Different Password for Each System/Login:
Yes, it’s a pain, but there are many password managers out there that can help you keep track of them all. KeePass, for example, stores your passwords in an encrypted database on your own computer, so you only have to remember the one password that unlocks it.
Use Secure Passwords:
We can’t tell you how many times we’ve examined a hacked site and found passwords like “password” and “changeme” – don’t be that person! Use secure passwords, with upper- and lower-case letters, a couple of numbers and a special character or two, and make them at least 8 characters long. Longer is better: a phrase of several unrelated words is both easier to remember and far harder to guess than a short scramble.
Change Your Passwords Frequently:
Have you been using the same password for 5 years? It’s probably time to change it – and all of your other passwords. Put a reminder on your calendar for every couple of months to go through and reset your passwords, and change a password immediately if the service it belongs to reports a breach or you suspect your site has been compromised.
Back It Up, Back It Up, Back It Up
Our Web Hosting and Reseller Hosting customers have access to our Server Rewind feature. Check it to be sure all of your data is being backed up. If you use PostgreSQL databases, for example, our backup system is unable to back these up due to how they store data. You will need to create your own backup routine and schedule to handle backing those databases up.
What Should You Do if You Think Your Site Has Been Hacked?
We’ve put together a great Knowledgebase article that will give you some of the basics of determining when/how a hack was made so you can secure your site to prevent further damage.
Once you have determined how and when the hack came through, and you have blocked the problem, go back through this primer and be sure you have followed all of the recommendations.
You can restore all or portions of your site using Server Rewind to a date prior to your site being hacked. While this removes the attacker’s changes, it does not close the hole they used: the restored files are exactly as vulnerable as they were before. Be sure you have identified and blocked the hack first so your site doesn’t become compromised again after the restore.