Obviously, keeping your site secure is one of your primary goals as an administrator. As discussed in an earlier post, filtering IP addresses is one piece of the puzzle.
But what other aspects are there to keeping your site secure? What follows is a brief list of ideas, which will be expanded upon in future posts. The security of your server simply cannot be ignored. Too often, administrators or webmasters throw caution to the wind, and leave things to chance. It’s really quite simple, although potentially time-consuming, to secure one’s server.
As a website security consultant, and as a PHP programmer, I see all too often the consequences of people failing to secure their site, which includes allowing questionable and downright unsafe code onto their site. Don’t let it happen to you.
- Make sure to harden your server. If you’re not familiar with this concept, this will be discussed in-depth in an upcoming post. It’s not as complex as it may sound, though it can potentially consume a lot of time. Essentially, you’ll be securing all aspects of your server, from the SSH connection down to the e-mail connections.
- Use strong passwords. Don’t be afraid to use special characters, a mixture of uppercase and lowercase letters, and numbers. This makes it more difficult for brute-force attacks and for “script kiddies” (usually teenage hackers who intrude into systems for the sheer joy of it, but who also cause aggravation and potential damage) to guess and use your password. In other words, don’t use words you’d find in the dictionary, like “pencil,” and don’t use words people could easily associate with you, such as your occupation or favourite colour.
- Limit access to your administrative sections to those who truly need it. All too often, damage to a server or its data is done by a disgruntled moderator, or by someone who was given administrative powers. Limit such access to those who need it, and only for as long as they need it.
Earlier, I mentioned bad code. Essentially, it’s very easy for a malicious author or hacker to put code in their script that allows them to do all sorts of things, ranging from SQL injection attacks (which directly attack your database and render it useless) to using your site as a phishing venue. Then again, code could also be uploaded by a user with less than pure intent, if you offer forums, for example. That’s why it’s important to have safe mode enabled, and to limit the extensions that you’ll accept for upload. These steps will minimize your exposure.
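To make the SQL injection point concrete, here is an added example (not code from the original post) showing the same user lookup written two ways: once by pasting the request parameter into the query text, and once with a PDO prepared statement. It uses an in-memory SQLite database with constructed rows so it runs offline; the `users` table, its columns and the sample values are assumptions for illustration.

```php
<?php
// Added example (not from the original post): the same lookup written two ways.
// Uses an in-memory SQLite database with constructed rows so it runs offline;
// the table and column names are assumptions for illustration.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
$db->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'member')");

// VULNERABLE: the request parameter is pasted into the SQL text, so any quote
// characters inside it become part of the query's syntax.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT username, role FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: a prepared statement sends the SQL and the value separately; the
// database treats the whole input as one string literal, never as syntax.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username, role FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal  = 'alice';
$hostile = "' OR '1'='1";   // constructed input containing SQL metacharacters

// Both versions agree on ordinary input.
echo count(findUserUnsafe($db, $normal)), ' ', count(findUserSafe($db, $normal)), PHP_EOL;   // 1 1
// On metacharacter input the unsafe version returns every row; the prepared
// statement simply finds no user with that literal name.
echo count(findUserUnsafe($db, $hostile)), ' ', count(findUserSafe($db, $hostile)), PHP_EOL; // 2 0
```

The lesson is not “escape the quotes” but “never let user input become SQL syntax at all”; prepared statements do that for every query, which is why they should be the default in any script you accept onto your site.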
To give you an idea of how bad it could get, malicious code can hide inside a file that a script accepts as an image, even when the script checks that file with the getimagesize() function, because that function only confirms the file looks like an image. Another script could be run in a browser under the guise of being an image link, and by the time it’s discovered, it may be too late: the malicious code has already been run. That’s why it’s important to trust your source.
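The two points above (limiting the extensions you accept for upload, and not relying on getimagesize() alone) are illustrated by the following added example; it is not code from the original post. It validates an upload by extension allow-list and by content sniffing, then re-encodes the image with GD so that nothing but pixel data reaches disk. The allow-list, the `validateImageUpload` and `storeReencodedImage` function names and the temporary-file demonstration are assumptions for illustration; the constructed test file is a well-known 1x1 transparent GIF with harmless text appended. It requires the `fileinfo` and `gd` extensions.

```php
<?php
// Added example (not from the original post): validate an uploaded "image" more
// strictly than a getimagesize() check alone. Function names, the allow-list and
// the demonstration file are assumptions, not values from the post.
// Requires the fileinfo and gd extensions.

declare(strict_types=1);

// Extension => expected MIME type. Anything not listed is rejected.
const ALLOWED_EXTENSIONS = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Returns true when the file passes all checks; $reason explains a rejection.
 * $originalName is the client-supplied filename, $tmpPath the file on disk.
 */
function validateImageUpload(string $originalName, string $tmpPath, ?string &$reason = null): bool
{
    // 1. Extension allow-list on the client-supplied name (the name itself is
    //    never reused for storage, see storeReencodedImage).
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXTENSIONS[$ext])) {
        $reason = "extension '$ext' not allowed";
        return false;
    }

    // 2. Content sniffing with finfo. $_FILES['type'] is client-controlled and is
    //    deliberately ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime !== ALLOWED_EXTENSIONS[$ext]) {
        $reason = "content type '$mime' does not match extension '$ext'";
        return false;
    }

    // 3. getimagesize() confirms the header parses as an image. It does not look
    //    at bytes after the image data, so it is a necessary but not sufficient check.
    if (getimagesize($tmpPath) === false) {
        $reason = 'not a parseable image';
        return false;
    }
    return true;
}

/**
 * Decode and re-encode with GD, producing a fresh PNG that contains only pixel
 * data; anything appended to or tucked inside the original container is dropped.
 * The stored name is server-generated. Returns the destination path or null.
 */
function storeReencodedImage(string $tmpPath, string $uploadDir): ?string
{
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    $ok   = imagepng($img, $dest);
    imagedestroy($img);
    return $ok ? $dest : null;
}

// Demonstration with a constructed file: a valid 1x1 transparent GIF followed by
// harmless trailing text. getimagesize() still reports it as a GIF.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $gif . "\n<!-- constructed trailing data -->\n");

var_dump(getimagesize($tmp) !== false);                 // true: header check alone passes
var_dump(validateImageUpload('photo.gif', $tmp, $why)); // true: it is an image by content
var_dump(validateImageUpload('shell.php', $tmp, $why)); // false: extension rejected
echo $why, PHP_EOL;

// After re-encoding, the trailing text is gone from the stored file.
$stored = storeReencodedImage($tmp, sys_get_temp_dir());
var_dump($stored !== null
    && strpos((string) file_get_contents($stored), 'constructed trailing data') === false); // true

unlink($tmp);
if ($stored !== null) {
    unlink($stored);
}
```

Store the re-encoded file outside the document root (or in a directory where the web server is configured never to hand files to the PHP engine) and serve it through a download script; the server-generated name means an uploader has no say in what path their file ends up at.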
Because there are very few websites that use absolutely no PHP code, it is imperative that you ensure you are not using bad code. How can you avoid running those sorts of scripts? Quite simply, the answer is to be very careful of the applications that you put onto your site, and certainly be careful of the PHP scripts that you use. Be cautious when downloading from questionable sites that offer scripts free of charge.
Of course, developer sites such as that belonging to WordPress are perfectly okay, but you want to be cautious of sites that offer scripts written by a multitude of people who don’t identify themselves, especially those that require you to fill out a form with your website’s URL as a condition of downloading it.
When someone with bad intentions insists that you lead them to your site as a condition of using their script, that information will allow them to know precisely where their script is being used, and if they have malicious intent, they’ll know where to go, and what to do.
Although many of those scripts may be written by people with good intentions, the problem is that if you don’t understand the code, and put it onto your website, you’ve potentially made your site a proverbial sitting duck. Be very careful when searching for and downloading scripts, especially if you’re not familiar with the site from which you’re downloading those scripts.
This advice can also be applied to “plug-ins” for blog/CMS applications such as WordPress. Downloading plug-ins from the WordPress site is the best way to go, although there are of course plenty of developers who write valid and downright excellent plug-ins (scripts, really) and who offer support on their own websites, making it very clear who they are. These sorts of sources are far more advisable than a questionable site that conceals authors’ identities.
Again, there are plenty of people out there who offer free scripts out of the goodness of their hearts, and they have good intentions. Unfortunately, because some hackers like to cause problems, it’s truly a matter of “buyer beware.”