This article is an overview of some basic preventitive measure that site owners can perform to protect their website from being hacked. We compiled this list based on our findings of the common attack surface inherent in content management systems and common web-applications.
1. Default Users
One of the most common problems with modern web-applications; specifically content management systems such as WordPress and Joomla is that they use default user conventions that site admins rarely change. On WordPress, the default administrative user is admin. On Joomla, the default administrative user is administrator. Armed with this knowledge, one of the very first things an attacker will try to do is gain administrative access to your CMS by brute-forcing these accounts.
How do I prevent attacks against default users?
First and foremost, don't keep default usernames. This will make it hard for an attacker to guess user names that they could try to brute-force dictionary attacks against.
Second, implement some sort of plugin that will lockout a visitor that has made several failed login attempts. By doing so, you will frustrate the attacker and waste their time. Eventually, they will get the hint.
2. Administrative URL's
Another common problem with content management systems is that they always use the same url structure by default for site administrators. For WordPress, this URL looks something like this: www.mysite.com/wp-admin. Custom web-apps often use a similar convention. Common URL's include: /admin, /administrator, /webadmin, /cms just to name a few
How can I prevent an attacker from finding my administrative URL?
Simple. change it. It will make it much harder for them to find it if they exhaust all of the common URL's. Also, make sure that you do not allow this URL to get indexed by search engines. You can do so by removing the Disallow /admin (varies depending on your config) from your robots.txt file, and make sure that this link is not present in your sitemap.
Having incorrect permissions is an end all in most cases. Many times this happens with the .htaccess file, where an attacker can edit the file and redirect your site to a malicious domain that he/she owns.
How do I protect my files and what are the correct permissions?
This is the easiest way to help protect your site.
Directory permissions - 755
File Permissions - 644
.htaccess - 444
Believe it or not, commenting can become a big problem. Comment forms are one of the most common attack surfaces for Cross-Site Scripting.
How do I prevent attacks against my comment form(s)?
This one can get tricky, but there are several things that you can do to help prevent your cross-site scripting from taking place on your comment forms. First, you should screen your comments before allowing them to be published. More often than not, you will find that your comments are spam where the author is looking to get a do-follow backlink. Second, you should always convert your comments to HTML encoding.
If you allow uploads on your site, you are definitely at risk. Arbitrary file uploads are like hitting the jackpot for an attacker. Whether they are uploading a backdoor, malware, or a bot script, this is a gem.
How do I prevent upload vulnerabilities on my site?
If it is really not necessary, I suggest that you don't allow uploads. If you have to, make sure that you are only allow specific file types. Is it necessary for a guest to upload .php or .exe files? Filter the files types. One of the most common issues that I have found with this has been third-party plugins that do not properly handle file uploads. Do not trust third-party plugins. Always check them for yourself and research them for known vulnerabilities prior to installing them.
Article Directory: http://www.articletrunk.com
Hacked website? Reclaim your hacked website by visiting: malfarmed.com
Please Rate this Article
Not yet Rated