creating hacker-proof site

preventing hacking, help


weddingm

6:26 pm on May 24, 2007 (gmt 0)

10+ Year Member



As being a single owner of my own website, it just kills me that there are hackers out there trying to hurt the common man from being successful. I do everything on my site. Me, myself and I and there's people in the WORLD who want to harm what's taken me years to build....and a few seconds to destroy.

I am seriously thinking about trying hacker safe. However, being $2000, I have to think really hard. Does anyone have any opinions about hacker safe (scanalert)? Can anyone offer any other hacker monitors? I do not host my own site.

Regards,
Matt

MatthewHSE

7:04 pm on May 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Me, myself and I and there's people in the WORLD who want to harm what's taken me years to build....and a few seconds to destroy.

Backups are the solution to this. With a good, working backup strategy, I wouldn't expect a hacker to be able to take you down for long (particularly if your scripts are secure).

<added> Make sure your host has a reputation for security. If the server you're on gets cracked, your site will go down with it even if your site itself is "secure." </added>

[edited by: MatthewHSE at 7:05 pm (utc) on May 24, 2007]

topr8

7:12 pm on May 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



well, backups, as already noted by MatthewHSE, are critical.

beyond that, if you are on a shared hosting set up then you have to rely on your hosts for server security, but there are some things you can do.

validate and/or clean any user data that is collected before inserting it into a database - eg. any form field, any cookie data, and POST or header data that can be faked as well.

peterdaly

7:14 pm on May 24, 2007 (gmt 0)

10+ Year Member



<added> Make sure your host has a reputation for security. If the server you're on gets cracked, your site will go down with it even if your site itself is "secure." </added>

If you go with a company of substantial size, they probably have at least one person whose primary job is to keep things secure. If it's something you are especially concerned about, you should ask your hosting company specifically about it.

With a smaller "mom and pop shop" security may not be given as much attention, because they don't have the financial resources to dedicate someone qualified full-time to do it.

weddingm

7:22 pm on May 24, 2007 (gmt 0)

10+ Year Member



I use <a web host> who ranks as one of the best host providers out there. Therefore, I am confident on their end of security. Thanks for the reminder of the file backups. As this is very important.

Matt

< Host specifics removed.
See Forum Charter [webmasterworld.com] >

[edited by: tedster at 3:28 am (utc) on June 5, 2007]

londrum

7:33 pm on May 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



what kind of site do you have?

if it's just a static one, with no databases or anything like that in it, then all you've got to worry about is having a strong password (15 random characters with a good mixture of letters and numbers is my favourite) and back-ups.
the rest is up to your host.

if it's got databases and php and all of those sorts of things in it then i would concentrate on writing robust scripts. if your scripts are secure, and you've got good passwords and backups too, then you shouldn't have anything to worry about anyway.
make sure all of your vital scripts are outside of the root though.

weddingm

7:52 pm on May 24, 2007 (gmt 0)

10+ Year Member



I do have a site with lots of databases and php. Everything I have learned about security I have taught myself. What do you mean to have all vitals out of the root? Would you put them into a directory that is password protected?

What other php security tracks can I do to make the site more secure? The reason I am in a panic is that I have now been hacked twice.

peterdaly

7:58 pm on May 24, 2007 (gmt 0)

10+ Year Member



The reason I am in a panic is that I have now been hacked twice.

Do you know how they got in?

jatar_k

7:58 pm on May 24, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



this message has some very good links about php security
[webmasterworld.com...]

if you've been hacked twice, have you identified the points of entry? Is there a particular script that has been exploited?

What exactly was done to the site?

What scripts/software do you use on your site? (blog, forum, mailer etc)

whenever using scripts/software other people wrote you should be sure and then darn sure that there are no blatant issues.

<added>above the site root means the file couldn't be called in a browser

if your site root is

/user/somename/public_html

and your main index file is in the public_html directory, then files that store user/pass combos should be in the somename directory, which happens to be located above the site root.</added>
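Two pieces of advice from this thread, topr8's (validate and clean any user data before it goes into the database) and jatar_k's (keep the file holding the user/pass combo above public_html), put together in one added example. This is not code posted by either of them; the directory layout follows jatar_k's /user/somename/public_html illustration, and the config keys, table name (ratings) and column names are assumptions for a vendor-rating form on a PHP site like the one described here.

```php
<?php
// Added example (not from the thread): DB credentials live above the web root
// and every form value is validated and bound through a prepared statement.
//
// Assumed layout (hypothetical):
//   /user/somename/config.php            <- credentials, not reachable by URL
//   /user/somename/public_html/rate.php  <- this script
//
// config.php would contain something like:
//   <?php return ['dsn'  => 'mysql:host=localhost;dbname=site;charset=utf8mb4',
//                 'user' => 'siteuser', 'pass' => 'CHANGE-ME'];

declare(strict_types=1);

// __DIR__ is public_html; dirname(__DIR__) is the directory above it (somename).
$config = require dirname(__DIR__) . '/config.php';

$pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Validate every piece of client-supplied data before it touches the database.
// $_POST, $_COOKIE and request headers are all under the visitor's control.
function validateRating(array $post): array
{
    $vendorId = filter_var($post['vendor_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $stars = filter_var($post['stars'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 5]]);
    if ($vendorId === false || $stars === false) {
        throw new InvalidArgumentException('vendor_id and stars must be integers in range');
    }
    // Free text: cap the length and reject control characters. HTML escaping is
    // done on output (htmlspecialchars), not on storage.
    $comment = trim((string)($post['comment'] ?? ''));
    if (strlen($comment) > 500 || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $comment)) {
        throw new InvalidArgumentException('comment too long or contains control characters');
    }
    return ['vendor_id' => $vendorId, 'stars' => $stars, 'comment' => $comment];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $clean = validateRating($_POST);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        exit('Bad input');
    }

    // Placeholders keep the data separate from the SQL text, so a value such as
    // "1; DROP TABLE ratings" is stored as a plain string and never executed.
    $stmt = $pdo->prepare(
        'INSERT INTO ratings (vendor_id, stars, comment, ip) VALUES (:vendor_id, :stars, :comment, :ip)'
    );
    $stmt->execute([
        ':vendor_id' => $clean['vendor_id'],
        ':stars'     => $clean['stars'],
        ':comment'   => $clean['comment'],
        ':ip'        => $_SERVER['REMOTE_ADDR'] ?? '',
    ]);

    // Escape on output so stored text cannot inject HTML or script into the page.
    echo 'Thanks, your rating of ' . htmlspecialchars((string)$clean['stars'], ENT_QUOTES, 'UTF-8')
        . ' stars was saved.';
}
```

The point of the layout is that a request for /config.php returns 404 because the file is not under public_html, while the script can still read it with a relative path; if the host ever mis-serves .php files as plain text, the credentials are still not exposed.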

weddingm

8:06 pm on May 24, 2007 (gmt 0)

10+ Year Member



To be honest I am not sure how to check how they got in. I noticed pages were updated that I didn't update when I was ftp'ing revisions. I changed all passwords and also my ip for the control panel. They also added an index file to a particular folder that I think had a spyware coding attached to it.

I use forms to database and vendor listings. I also just started a star rating system I got from someone else.

jatar_k

8:28 pm on May 24, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



did you speak to your host at all when you had the problems? Did they have any added information?

thecoalman

9:35 am on May 25, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Check your server logs for odd search strings such as what you might find in a dynamic URL; if you're using 3rd party software, hackers will use a search engine to find pages with known security problems.

bwnbwn

1:26 pm on May 25, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I am seriously thinking about trying hacker safe. However, being $2000, I have to think really hard. Does anyone have any opinions about hacker safe (scanalert)?

DO NOT WASTE YOUR MONEY, all they do is a bare bones scan, nothing else; it is hardly worth the money as they do nothing to stop you from getting hacked, nothing......

This is all set up from security at the host level. There are ways you can check to make sure your server is locked down; one VERY VERY important way is checking your DNS, as most that are hacked have DNS issues.

Here is the best check you can do and it is free
[dnsreport.com...]

[google.com...]

Use the above search to check the server etc. If you pass all these tests you should be fine.

99.99% of the time we are the reason for security breaches, from careless easy passwords or using software or programs that have holes in them.

Be smart, change up your passwords from time to time, keep them all the same to stop confusion and easy change when you feel a need to, and you should be fine..

BananaFish

2:08 am on May 26, 2007 (gmt 0)

10+ Year Member



"hacker safe" will give you a little image to post on your website, that's about it. It has nothing to do with the security of your website.

MatthewHSE

8:28 pm on May 26, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



To my understanding, Hacker Safe just does a port scan of your host. However, virtually all hacks these days seem to be done through insecure scripts. If you've been hacked twice and don't know how they got in, I would start by checking server logs from the time of the hacks. That should shed some light on how they gained access, provided they exploited a script.
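thecoalman's suggestion above (look through the server logs for odd search strings in dynamic URLs) and MatthewHSE's (start from the logs around the time of the hacks), as one added example that neither of them posted. It parses Apache "combined" format access-log lines and flags requests whose query string matches a few well-known probe patterns (path traversal, a URL passed as a parameter value, SQL keywords, script tags). The log lines are constructed for illustration, the IP addresses are from documentation ranges, and the pattern list is a starting point for review, not a verdict: every hit still needs a human to look at what the script did with that request.

```php
<?php
// Added example (not from the thread): scan an Apache/nginx "combined" access
// log for query strings that look like script probes.
declare(strict_types=1);

// Indicators that rarely appear in legitimate traffic on a small site. A match
// means "look at this", not "you were compromised".
const SUSPICIOUS_PATTERNS = [
    'path traversal' => '~(\.\./|%2e%2e%2f|%2e%2e/)~i',
    'remote include' => '~[?&][a-z_]+=(https?|ftp)://~i',
    'sql keywords'   => '~(union\s+select|information_schema|\'\s*or\s*\')~i',
    'script tag'     => '~(<script|%3cscript)~i',
    'null byte'      => '~%00~',
];

// Combined format: host ident user [time] "METHOD target proto" status bytes "referer" "agent"
const LOG_LINE_RE = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"~';

function parseLogLine(string $line): ?array
{
    if (!preg_match(LOG_LINE_RE, $line, $m)) {
        return null; // blank line or a format we do not understand
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4],
            'status' => (int)$m[5], 'agent' => $m[6]];
}

function findSuspiciousRequests(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parseLogLine($line);
        if ($req === null) {
            continue;
        }
        // Test both the raw target and a decoded copy so percent-encoded and
        // '+'-encoded variants are caught as well.
        $decoded = urldecode($req['target']);
        foreach (SUSPICIOUS_PATTERNS as $label => $re) {
            if (preg_match($re, $req['target']) || preg_match($re, $decoded)) {
                $hits[] = ['reason' => $label] + $req;
                break; // one reason per line is enough for triage
            }
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic). Lines 2-4 should be flagged.
$sample = [
    '203.0.113.5 - - [25/May/2007:09:01:12 +0000] "GET /index.php?page=vendors HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/May/2007:09:02:40 +0000] "GET /index.php?page=http://remote.example.net/x.txt? HTTP/1.1" 200 310 "-" "libwww-perl/5.8"',
    '198.51.100.9 - - [25/May/2007:09:02:41 +0000] "GET /rating.php?id=1%20union%20select%201,2,3 HTTP/1.1" 500 0 "-" "libwww-perl/5.8"',
    '192.0.2.44 - - [25/May/2007:09:05:03 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 404 290 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/May/2007:09:06:00 +0000] "POST /rate.php HTTP/1.1" 302 0 "http://www.example.com/" "Mozilla/5.0"',
];

foreach (findSuspiciousRequests($sample) as $hit) {
    printf("%-15s %s %-16s %s %s (status %d)\n",
        $hit['ip'], $hit['time'], $hit['reason'], $hit['method'], $hit['target'], $hit['status']);
}

// Against a real file, pass the log instead of the sample array, e.g.
//   findSuspiciousRequests(new SplFileObject('/path/to/access_log'));
```

A 200 status on a flagged request is the line worth chasing first: it means the script accepted the odd parameter rather than rejecting it. Sorting hits by source IP and time, then looking at what else the same address requested in the minutes around the defaced page's modification time, is usually enough to tell which script was the entry point.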

jtara

11:06 pm on Jun 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



if it's just a static one, with no databases or anything like that in it, then all you've got to worry about is having a strong password (15 random characters with a good mixture of letters and numbers is my favourite) and back-ups.

No amount of password complexity is going to help if you are using FTP to access your site, and you ever access it from an insecure location (WiFi node that isn't your own, Internet cafe, hotel, a friend's computer, etc.) or if there's an insecure location on the path to your site. (For example, a corrupt employee at your ISP, backbone carrier, your host).

Please, use SFTP and turn OFF FTP. FTP passwords are sent in the clear, and anybody who can tap into the data stream can see your password when it is sent.

Same goes for POP and IMAP. Use the secure, SSH versions. If not available, find a provider who can supply a secure connection.

BananaFish

3:28 am on Jun 6, 2007 (gmt 0)

10+ Year Member



Shared hosting by nature is insecure as many users have access to the machine. You'd be better off putting your resources into a dedicated solution. Hacker Safe is pretty much spending 2 Grand on a little icon that says "Hacker Safe".