Every day, several thousand websites are blacklisted, sent to Google’s very own version of solitary confinement due to them having been compromised by malware or malicious computer code.
By Abby Hardoon, Founder of Daily Internet
Web hacking is on the up, and with higher and higher quantities of sensitive and potentially valuable information being stored by online businesses, the damage that can result can be extremely painful for both the business and its customers.
Malware can be injected into any website that isn’t properly protected, and it can perform a variety of unwanted actions: enrolling a business’s computers in a botnet, stealing information through a Trojan kit, infecting customers with malware via the company website, or exploiting web application flaws in order to steal products.
Whatever the infection, the result is commonly an inability to trade in the short term, and potentially a significant financial and reputational impact in the long term.
How do sites get hacked?
There are unfortunately a number of ways that a committed hacker can find their way into a website. Common ways include:
• Weak passwords
In a vain effort to remember our ever-increasing number of daily passwords, we as a nation of computer dwellers tend, unfortunately, to dumb them down, or ‘keep them simple’. Whether it be PASSWORD, REX or the nation’s favourite, 123456, this is a common oversight and presents an easy way in.
• Vulnerabilities in Web-Applications
A large number of websites now implement interactive functionality in order to create a rich experience for users, in the form of user blogs and forums, newsletter sign-ups, online form submissions and so on. Unfortunately, while necessary for engaging users, these features can also serve as entry points through which hackers inject malicious code into the site.
• Insecure FTP connections
A host of infections are injected into websites after the username and password used to connect to the site over FTP (which sends credentials in the clear) are sniffed by a silent trojan/rootkit embedded on a website administrator’s computer. Once the username and password have been obtained, accessing the website and infecting it with web malware is relatively simple.
• Third party software
Another trend in website development is the use of third-party add-ons to provide more interesting features to users. These add-ons may provide geolocation or image resizing, but on occasion they can also harbour malicious code, which is then passed on down the chain to every site that includes them.
Making sure your door is locked
In an effort to stay secure in the long term, it’s essential to adopt a level of consistent vigilance over any common areas of weakness.
• With more advanced password-cracking software in the hands of hackers, there is a greater need than ever for whoever comes up with the passwords to get a little more imaginative. A seemingly random selection of numbers and letters is by far the most secure option.
• For businesses using FTP, consider moving to a more secure solution such as SSH/SCP/SFTP.
• Only install reputable third-party plugins, and update them regularly and individually.
• Make sure you regularly scan your business PCs with more than one antivirus package.
• Use SSL to send emails.
• Choose your web host carefully and make sure they provide round-the-clock active server monitoring, or even suPHP (see above).
• If you’re on a shared hosting package, consider changing to a VPS (Virtual Private Server), which offers a different level of security.
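The weak-password point and the advice above on random passwords, as an added example (my own Python, not code from the article or from Daily Internet): a small checker that rejects the passwords the article names, catches sequences such as 123456, estimates the search space an attacker must cover, and generates a random alphanumeric password with a CSPRNG. The common-password list is constructed here and deliberately short.

```python
import math
import secrets
import string

# Constructed list of commonly chosen passwords, including those the article
# names; a real deployment would use a much larger breach-derived list.
COMMON_PASSWORDS = {"password", "rex", "123456", "qwerty", "letmein", "admin"}
ALPHANUMERIC = string.ascii_letters + string.digits


def is_sequential(pw: str) -> bool:
    """True if every character is one step up (or down) from the previous one,
    e.g. 123456, abcdef or 654321."""
    if len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def search_space_bits(pw: str) -> float:
    """Bits an attacker must search, assuming each character was drawn uniformly
    from the character classes present (an upper bound on real strength)."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw: str, min_bits: float = 60.0) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    if is_sequential(pw):
        problems.append("sequential characters")
    bits = search_space_bits(pw)
    if bits < min_bits:
        problems.append(f"search space too small ({bits:.1f} bits < {min_bits})")
    return problems


def generate_password(length: int = 12) -> str:
    """Draw each character uniformly from letters and digits using a CSPRNG."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))
```

A 12-character password drawn this way has roughly 71 bits of search space, against under 20 bits for 123456.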
By ensuring your systems are secure, taking best-practice advice such as that offered above, and implementing a brief but regular schedule of checks, antivirus scans and updates, the chances are that the time and effort a hacker would need to find a way into your system will make them move along in search of an easier target.
Daily.co.uk
Thanks for the great info. I own an organization providing web-based services and have faced the issue of sites getting hacked a lot of times. I found the link to failsafe.us on Google.
I have been using it for a few months. It offers automated file and DB backups and intelligent restore options.
Might be of help to you as well.