When you run a website or a blog, it is partly your responsibility to keep it safe. There are many ways a website can be attacked. Some attacks target the infrastructure, such as the network and the servers, and some target the web application itself. Attacks on the infrastructure are the service provider's job to fend off. Most providers do a reasonable job of it, because otherwise they stand to lose a lot of business and pay out in damages. A single badly handled attack on their infrastructure can put a provider out of business through lost customer confidence.
So when a blog or website is hacked, or lost for some other reason, it is most often the fault of the person administering it. There are several ways an attacker can get into a site. For example, they can break into the server or the network and make their way to the sites hosted there. It once happened to the hosting provider of this blog, and thank god I still have my content. As I said, that is something the service provider has to deal with. What follows is a list of attacks that the website admin has to deal with, and ways to reduce the risk of each.
Getting in Through Security Vulnerabilities in Web Applications
This section does not apply if your setup is managed by the service provider, as with wordpress.com hosted blogs.
A website is just another piece of software, and like any software it can have security vulnerabilities. If it is a custom-built site, it is the developers' job to make sure all the doors are properly closed and locked and opened only for authorized people. Developing secure applications is a very large subject on its own, so I am not going to cover it here. Using off-the-shelf software such as WordPress is a different matter 🙂
Even software like WordPress has security issues. The good news is that its developers release patches when they find them, so it is the site administrator's responsibility to keep the site up to date with the latest patches. This applies to plugins and themes just as much as to the core software. A security hole is not a problem as long as nobody knows about it, but once someone finds it, they can exploit it to get in. And once the organisation that develops the software finds a vulnerability in its product and releases a patch, that vulnerability is no longer a secret: the patch itself tells attackers where to look. If you do not install the patch, you are running your system with a publicly known security issue. I cannot stress enough how important it is to stay up to date.
Then there are zero-day attacks. A zero-day is a vulnerability that is being exploited before its developers have released a patch for it; it normally takes a company at least a few days to release one once a vulnerability is found, and attackers use that window. You cannot stop such an attack by patching, so the only defence is to close any doors between the attacker and the vulnerable component. To do this you have to follow the security news for the products you are using and take proper measures. For example, if you learn that a specific plugin has a security problem, you can disable or uninstall it until its developer comes up with a patch. Also, when you install plugins and make configuration changes, do some research to check whether the plugin is safe and well maintained, and find out the most secure way to configure it. Every plugin you keep installed is code that can be attacked, so remove the ones you do not use rather than just deactivating them: a deactivated plugin's files are still on the server and can often be reached by a direct request.
Make sure your site does not reveal the version of the software it is running, or any other technical details, in its pages or error pages. Knowing which software and which version you use is the first step of an attack: with that knowledge the attacker can simply look up the known problems of that version. WordPress, for example, announces its version in a generator meta tag and in the ?ver= query strings on its scripts and stylesheets, and web servers and PHP often announce their versions in response headers. Hiding the version is a speed bump, not a defence: an attacker can still probe for a vulnerability directly, and patching is what actually closes it.
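To see what a site gives away, here is an added check (my example, not part of the original post and not WordPress code) that scans a page's HTML and response headers for version disclosures. The HTML and headers are constructed samples typical of a default install, not captured from any real site, and the regular expressions and names are mine.

```python
"""Scan a page's HTML and response headers for software version disclosure.

Added example, not part of the original post or of WordPress. The sample
HTML and headers are constructed to look like a default install.
"""
import re

# Constructed sample response: a chatty server plus a default WordPress head.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
}
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 5.4.2" />
<link rel="stylesheet" href="/wp-content/themes/sometheme/style.css?ver=5.4.2" />
<script src="/wp-content/plugins/contact-form/cf.js?ver=1.2.9"></script>
<link rel="https://api.w.org/" href="/wp-json/" />
</head><body></body></html>"""

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]+)"', re.I)
# href/src values carrying a ?ver= query string (WordPress adds these when enqueueing assets).
VER_PARAM_RE = re.compile(r'(?:href|src)="([^"?]+)\?ver=([^"&]+)"', re.I)
# A product/version pattern such as Apache/2.4.41 or PHP/7.4.3.
HEADER_VERSION_RE = re.compile(r"/\d+(?:\.\d+)+")


def find_version_leaks(html, headers):
    """Return a list of (where, value) findings for every version the response reveals."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name in ("Server", "X-Powered-By"):
        value = lowered.get(name.lower())
        if value and HEADER_VERSION_RE.search(value):
            findings.append((f"header:{name}", value))
    match = GENERATOR_RE.search(html)
    if match:
        findings.append(("meta:generator", match.group(1)))
    for path, version in VER_PARAM_RE.findall(html):
        # On core assets ?ver= is the WordPress version; on plugin and theme assets
        # it is that plugin's or theme's version, which is just as useful to an attacker.
        findings.append((f"asset:{path}", version))
    return findings


def scan_sample():
    """Run the scanner over the constructed sample response."""
    return find_version_leaks(SAMPLE_HTML, SAMPLE_HEADERS)


if __name__ == "__main__":
    for where, value in scan_sample():
        print(f"{where}: {value}")
```

On a real site, feed find_version_leaks() the HTML and headers you fetch from your own pages. On WordPress the generator tag comes from the wp_generator action on wp_head and the ?ver= parameters from the script and style enqueue functions, so removing them is a few lines in a theme or a small plugin; the Server and X-Powered-By headers are controlled by Apache's ServerTokens and ServerSignature directives and PHP's expose_php setting.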
Getting in Through Security Vulnerabilities in other Websites in Same Server or Vulnerabilities in Server
This section also does not apply if your setup is managed by the service provider, as with wordpress.com hosted blogs. It applies especially if you host your site on a shared server.
Even if you keep your own website free of vulnerabilities, other sites on the same shared server may have them, and they can ruin it for everyone on that server. The server itself can also be vulnerable. Ideally the hosting provider takes care of this, but there are a few things you can do to protect yourself. If the server is broken into through another account, the attacker will most likely be acting as a user account other than yours. If you keep your files with proper permissions, so that they are neither readable nor writable by other users, you are relatively safe. This includes all your configuration files, executable scripts, static pages and media. You may need some files to be readable or writable by other users (some WP plugins require this). Make sure those files are not executable and do not contain sensitive data. Personally I would prefer not to use such plugins :). One caveat: permission bits only help when the other tenants' code runs as a different Unix user than yours. On hosts where every site runs as the same web server user, file modes cannot separate you from your neighbours, and you have to rely on whatever isolation the provider offers.
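The permission audit the paragraph describes, as an added example (not the post's own procedure and not WordPress code). It walks a site tree, reports files other users can read or write and PHP or executable files sitting in a directory that must stay writable, and then applies the usual layout: directories 750, files 640, the config file 600. The sample tree it builds in a temporary directory is constructed for the demo, and the set of file names it treats as secret and the name of the writable directory are my assumptions.

```python
"""Audit and tighten permissions of a site tree on a shared host.

Added example, not WordPress's or the post's own code. The sample tree is
constructed in a temporary directory; SENSITIVE_NAMES and WRITABLE_DIRS are
assumptions about which files are secret and which directory the web server
must be able to write to.
"""
import os
import shutil
import stat
import tempfile

SENSITIVE_NAMES = {"wp-config.php", ".htpasswd", ".env"}  # assumption
WRITABLE_DIRS = {"uploads"}                                # assumption
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit(root):
    """Return sorted (relative path, problem) pairs: anything other users can write,
    secrets other users can read, and PHP or executable files inside writable dirs."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = os.lstat(full).st_mode
            if mode & stat.S_IWOTH:
                problems.append((rel, "world-writable"))
            if name in SENSITIVE_NAMES and mode & stat.S_IROTH:
                problems.append((rel, "sensitive file readable by others"))
            parents = rel.split(os.sep)[:-1]
            if stat.S_ISREG(mode) and any(p in WRITABLE_DIRS for p in parents):
                if mode & ANY_EXEC or name.endswith(".php"):
                    problems.append((rel, "executable or PHP file in writable directory"))
    return sorted(problems)


def harden(root):
    """Directories 750, files 640, secrets 600. Symlinks are left alone."""
    os.chmod(root, 0o750)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o750)
        for f in filenames:
            path = os.path.join(dirpath, f)
            if os.path.islink(path):
                continue
            os.chmod(path, 0o600 if f in SENSITIVE_NAMES else 0o640)


def build_sample_tree(root):
    """Constructed sample: a config with a DB password, a theme, an uploads dir,
    and a stray PHP file someone else dropped into uploads."""
    files = {
        "wp-config.php": "<?php define('DB_PASSWORD', 'example-only'); ?>",
        "index.php": "<?php require 'wp-blog-header.php'; ?>",
        "wp-content/themes/mytheme/style.css": "body {}",
        "wp-content/uploads/2020/photo.jpg": "not really a jpeg",
        "wp-content/uploads/2020/shell.php": "<?php /* not yours */ ?>",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    # Normalise to 755/644 regardless of umask, then apply the sloppy bits
    # typically found after an FTP upload or a careless chmod -R 777.
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), 0o644)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    os.chmod(os.path.join(root, "wp-content", "uploads", "2020", "shell.php"), 0o777)


def run_demo():
    """Build the sample tree, audit it, harden it, audit again. Returns (before, after)."""
    root = tempfile.mkdtemp(prefix="site-audit-")
    try:
        build_sample_tree(root)
        before = audit(root)
        harden(root)
        after = audit(root)
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

Run audit() against your own document root and read the report before letting harden() loose on it: some plugins legitimately need group-writable directories, and harden() knows nothing about them. Note what the second report still contains. harden() can do nothing about the PHP file in uploads, because the danger there is the web server interpreting it, not its mode bits; that file has to go, and the web server should be configured not to execute PHP under uploads at all.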
Cracking Your Password
This is a classic attack method, and its most common form is brute force: trying out every possible combination of characters on your login form. A variant called a dictionary attack is very common because it takes far less time. It takes words from a dictionary (these days, more often from lists of passwords leaked in earlier breaches) and feeds them to the login form as passwords. This cuts the time it takes to crack a password dramatically, provided the password is a dictionary word or otherwise on the list. There are several ways to protect your site against this.
The first and most important thing is to pick a strong password; that is a practice you must follow. Mix upper- and lower-case letters, digits and symbols. Length matters most, so a long phrase of several unrelated words beats a short but complicated one. Tricks like misspelling a word, reversing it or swapping letters for symbols are weaker than they look, because password-cracking tools apply exactly those rules to every dictionary word automatically. Phrases are good as long as they are not lifted from a book or a song. Never use the same password in more than one place, and never include personal information or anything related to your site in a password; that makes it easy to guess.
You can also block automated logins by requiring a CAPTCHA at login, so that only a human can use your login form. You can also use a lockout mechanism that blocks an IP address or range from logging in after a number of failed attempts. There is a risk in doing this badly, though. Imagine your account locks out for one hour after 3 failed attempts, no matter where they came from. Anyone who wants to keep you out of your own site only has to make three failed attempts every hour. So lock out the source of the failed attempts (the IP address), not the account, and grow the delay with each further failure instead of applying one fixed long ban.
Also, to have any chance of cracking your password, the attacker must know your user name, so you can make life harder by not making it obvious. Don't use your name, nickname, display name or website name, and definitely not 'admin'. Be aware, though, that WordPress reveals login names in several places by default, for instance in author archive URLs and in the REST API's user listing, so treat a non-obvious user name as a small extra hurdle and not as a real control. Also don't use the same user name and password in all the places related to your site. You will have a number of places to log in: your e-mail, your hosting provider account, your website control panel, your SSH and FTP accounts, your WordPress account, and so on. Make sure they all have different passwords, and preferably different user names too.
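Here is the lockout point from above worked through in code, as an added example and not WordPress's own login logic. It compares the naive per-account lockout with a per-source policy whose delay doubles with every further failure. The account name, the two IP addresses (taken from the documentation ranges) and the timestamps are constructed for the demo.

```python
"""Failed-login throttling that cannot be turned into a lockout of the site owner.

Added example; not WordPress's own login code. Account name, IP addresses
(documentation ranges) and timestamps are constructed for the demo.
"""
from collections import defaultdict

ATTACKER_IP = "203.0.113.5"   # constructed, from TEST-NET-3
OWNER_IP = "198.51.100.7"     # constructed, from TEST-NET-2


class PerAccountLockout:
    """The naive policy: N failures on an account lock that account for a fixed
    period, no matter who caused them. Easy to abuse against the owner."""

    def __init__(self, max_failures=3, lockout_seconds=3600):
        self.max_failures = max_failures
        self.lockout = lockout_seconds
        self.failures = defaultdict(list)  # account -> timestamps of recent failures

    def attempt(self, account, ip, password_ok, now):
        recent = [t for t in self.failures[account] if now - t < self.lockout]
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            return "locked"            # rejected before the password is even checked
        if password_ok:
            self.failures[account] = []
            return "ok"
        recent.append(now)
        return "wrong"


class PerSourceBackoff:
    """Lock the *source* of the failures, not the account, with a delay that
    doubles on every further failure. The attacker only locks himself out."""

    def __init__(self, free_failures=3, base_delay=60, max_delay=86400):
        self.free = free_failures
        self.base = base_delay
        self.max_delay = max_delay
        self.count = defaultdict(int)            # ip -> consecutive failures
        self.blocked_until = defaultdict(float)  # ip -> time the block expires

    def attempt(self, account, ip, password_ok, now):
        if now < self.blocked_until[ip]:
            return "locked"
        if password_ok:
            self.count[ip] = 0
            return "ok"
        self.count[ip] += 1
        excess = self.count[ip] - self.free
        if excess >= 0:
            delay = min(self.base * 2 ** excess, self.max_delay)
            self.blocked_until[ip] = now + delay
        return "wrong"


def simulate(policy):
    """Attacker guesses wrong three times, then the owner logs in correctly from
    elsewhere, then the attacker tries again. Returns (owner's result, attacker's result)."""
    for t in (0, 1, 2):
        policy.attempt("owner", ATTACKER_IP, password_ok=False, now=t)
    owner = policy.attempt("owner", OWNER_IP, password_ok=True, now=10)
    attacker = policy.attempt("owner", ATTACKER_IP, password_ok=False, now=20)
    return owner, attacker


if __name__ == "__main__":
    print("per-account lockout:", simulate(PerAccountLockout()))  # ('locked', 'locked')
    print("per-source backoff :", simulate(PerSourceBackoff()))   # ('ok', 'locked')
```

A per-source policy cannot stop an attacker who spreads guesses over many addresses, which is what password-guessing botnets do. Its job is to keep the legitimate owner logged in and to make single-source guessing slow; the strong password is still what actually stops the guessing, and a second factor on the admin account helps more than any lockout tuning.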
Stealing Your Password
Your password may not be crackable, but it might get stolen. You might give it to a 'trusted' friend to help you out with something. It might be captured by a key logger. It can be sniffed off the network if you send it over an unencrypted connection. Or the attacker might just send you an e-mail and ask for it 🙂 trust me, that works.
For starters, never give your password to anyone. If you have to write it down (you will have to, if you do everything in the previous section), keep it somewhere very safe, even though writing it down is not good practice; a password manager is the better way to keep many strong passwords. Avoid entering your password on shared computers, especially public ones. Try not to let the browser remember your password. Log out of sites before you leave the computer or close the browser, so that nobody else ends up accidentally logged in to your account.
Make sure the computer you use to log in to your site is clean and free of viruses, trojans and adware, and that it has an up-to-date virus scanner installed that can detect all of the above. If you use flash drives, make sure they are virus free, and don't plug them into computers you do not trust or that are not secure enough.
Log in over HTTPS (SSL/TLS) whenever possible, so the password cannot be sniffed in transit; WordPress can be told to require it for the admin area with the FORCE_SSL_ADMIN setting in wp-config.php. Never send passwords by e-mail, as e-mail is transferred in plain text. Set your site up so that you do not have to log in to your main admin account all the time: use a less privileged account (in WordPress, an Editor or Author role) for your day-to-day work. That way you can have a very strong password on your admin account without the trouble of typing it all the time, and you transmit it far less often.
Never respond to an e-mail that asks for your account details; a responsible hosting provider will never ask. Every time you log in, check the address bar to make sure you are logging in to the correct site and not a look-alike.
If you have any reason to think your password is at risk, for example because you had to use it on a public or untrusted computer, or because you discovered your computer was infected with a trojan, change your password(s).
Hacking into Your E-mail Account
Whoever hacks your e-mail account can reset the passwords of every account registered with that address. Therefore your e-mail account needs the strongest and safest password of all (and two-factor authentication, if your provider offers it). It is also a good idea not to use your primary e-mail address when you sign up for your hosting account or blog. Use a private address that only you know; then the attacker first has to figure out the address before he can attack it. Do not use that address to communicate with others, or you give it away.
Last but not least…. Take Backups
No matter what you do, you cannot be prepared for everything. If something beyond your control goes wrong, you stand to lose everything you have created. Therefore it is extremely important to take backups, and even more important to make sure they are in a restorable state. Ideally you take backups frequently and restore them to an offline copy of the site running on your own computer, just to make sure they are in good shape and easy to restore. Restoring is often more complicated than backing up; the complexity depends on how the backup was taken and what was backed up, and admins often find this out the hard way when a backup needs to be restored. Remember that a site is files plus a database: a backup that has the files but no database dump (or the other way round) does not restore. How frequently you should back up depends on how often your site changes.
It is also extremely important to keep the backups secure. For starters, if you lose both the backups and the live site, you are back at square one. And backups contain all the sensitive information of your site, such as configuration files with the database password, which you don't want anyone to see, do you? So never leave your backups on the server, and certainly not inside the web root, where anyone who guesses the file name can download them. Copy them to storage you control elsewhere, and encrypt them if that storage is not under your sole control.
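The backup-and-restore test the last two paragraphs call for, as an added example (not the post's own procedure). It archives a site directory, writes a SHA-256 checksum beside the archive, refuses to write the backup anywhere inside the site itself, and then proves the backup by restoring it into a scratch directory and comparing every file with the original. The sample site it creates is constructed for the demo; the database dump (a separate mysqldump step) and the copy to off-server storage are not shown.

```python
"""Back up a site directory, checksum it, and prove it restores.

Added example, not the post's own procedure. The sample site is constructed
in a temporary directory. The database dump (mysqldump) and the copy to
off-server storage are separate steps not shown here.
"""
import filecmp
import hashlib
import os
import shutil
import tarfile
import tempfile
import time


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(site_dir, dest_dir):
    """Write dest_dir/<site>-<stamp>.tar.gz plus a .sha256 file. Returns (archive, digest).
    Refuses a destination inside the site: a backup under the web root is downloadable
    by anyone who guesses its name, and the archive would try to include itself."""
    site_abs = os.path.realpath(site_dir)
    dest_abs = os.path.realpath(dest_dir)
    if os.path.commonpath([site_abs, dest_abs]) == site_abs:
        raise ValueError("backup destination must be outside the site directory")
    os.makedirs(dest_abs, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(dest_abs, f"{os.path.basename(site_abs)}-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_abs, arcname="site")
    digest = sha256_file(archive)
    with open(archive + ".sha256", "w") as fh:
        fh.write(f"{digest}  {os.path.basename(archive)}\n")
    return archive, digest


def _trees_identical(a, b):
    cmp = filecmp.dircmp(a, b)
    if cmp.left_only or cmp.right_only or cmp.diff_files or cmp.funny_files:
        return False
    return all(_trees_identical(os.path.join(a, d), os.path.join(b, d)) for d in cmp.common_dirs)


def verify_restore(archive, original_dir):
    """Check the recorded checksum, restore into a scratch directory and compare
    every file with the original. True only if everything matches."""
    with open(archive + ".sha256") as fh:
        expected = fh.read().split()[0]
    if sha256_file(archive) != expected:
        return False
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # Python 3.12+: refuses path traversal
            except TypeError:
                tar.extractall(scratch)                 # older Pythons have no filter argument
        return _trees_identical(original_dir, os.path.join(scratch, "site"))
    finally:
        shutil.rmtree(scratch)


def run_demo():
    """Constructed site -> backup -> verify; corrupt the archive and verify again;
    check that a destination inside the site is refused. Returns (good, bad, refused)."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        site = os.path.join(work, "public_html")
        os.makedirs(os.path.join(site, "wp-content", "uploads"))
        with open(os.path.join(site, "wp-config.php"), "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'example-only'); ?>")
        with open(os.path.join(site, "wp-content", "uploads", "note.txt"), "w") as fh:
            fh.write("hello")
        archive, _ = make_backup(site, os.path.join(work, "backups"))
        good = verify_restore(archive, site)
        with open(archive, "ab") as fh:  # simulate a damaged or tampered archive
            fh.write(b"\0")
        bad = verify_restore(archive, site)
        try:
            make_backup(site, os.path.join(site, "backups"))
            refused = False
        except ValueError:
            refused = True
        return good, bad, refused
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(run_demo())  # (True, False, True)
```

The part that matters is verify_restore(): a backup you have never restored is a hope, not a backup. Run it after every backup, or at least on a schedule, and treat a False as an incident. Because the archive contains wp-config.php and therefore the database password, move it off the server (and encrypt it if the destination is not under your sole control) as soon as it is written.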
This is all I can think of right now! Did I miss anything?
/Rakhitha
Tags: Backup, Blog Security, Password Security, Security, Web Site Security
One comment on “Few Tips to Protect Your Site/Blog from Attacks and Other Mishaps!”
This post pretty much covered up all my questions, thx 🙂