View Full Version : PTR Issue
revjoybunny
04-01-2008, 04:01 PM
Now I know sx isn't a PTR but I have a weird story for you and the bad thing is it's true.
I belong to a couple of PTR sites and they have sponsor links down the side. I decided to have a partner sponsor link on one of the PTRs; the next thing I know, I get an email from the webmistress telling me her site had had all the banner links pinched and it was possible joybunnys had a trojan which had caused it.
I wrote back to the owner and explained unless someone had hacked joybunnys there was no way it had a trojan. Nothing happened for a couple of days, then I received another email telling me it was someone hacking into her site and taking all the links including joybunnys; it wasn't joybunnys causing the issue after all. Which I had said already. I'm not blaming the wm because at the time it happened she had only just added my link to her site, but it sure is a cautionary tale about where to put your links and keeping sites safe and secure. It could have been a lot worse because the trojan could have taken personal details, not just the links.
I had someone modify the index file in my main directory. Fixed the error, but the deed was repeated.
I found a way to make the index file immune to this kind of modification, but waking up one day to find that your website is redirected to a VERY BAD site is not very much fun. You can be 100% innocent but you can still get the blame.
I have now gone through a process to hide most of my website files, making it very much harder to get at them.
revjoybunny
04-01-2008, 05:20 PM
I must admit I have never been hacked, well, not yet, but I have belonged to several sites that have, and the hacking has ranged from simple images on the page saying you have been hacked by .... to some really nasty infections.
Writing your code in perl or php might help because it's harder to get at, but it doesn't really guarantee anything. You simply can't lock up a website completely. If you did, no one would be able to see your sites! :)
dehawkinz
04-01-2008, 07:34 PM
I did have my site hacked once, but that was because being shared hosting, someone hacked through from the server root.
Ironically I had to tell the reseller the server had been compromised!!
I accept I can not guarantee the server security, but I do agree that taking precautions where we can is sensible.
DeHawkinz
nsant46
04-01-2008, 08:47 PM
Hi inge,
how do you do?
Thanks
Noemi
drkelp
04-02-2008, 03:09 AM
Prudent protection always helps.
Hi inge,
how do you do?
Thanks
Noemi
You mean what do I do?
Well, it's a long story, too long to explain here, but here is some simple advice:
You can do a lot with your .htaccess files.
Move include files out of the public_html area.
Encrypt your output (I haven't done that yet but I will).
Watch out for files processing returned data, like mail forms. Check the returned data thoroughly, that it has not been tampered with.
Do NOT depend on cookie contents!!!! The best is to not use cookies at all.
Always have a current backup of all files on the server. I have an identical area on my home computer that I use for development, so my "backup" is always up-to-date.
I could add: Do NOT use a Windows based server. You're almost guaranteed to run into trouble. Windows is just too vulnerable in almost every thinkable way.
hildar
04-03-2008, 11:13 PM
I hate to see sites getting hacked into, but it happens all the time. The problem is that most of the hackers are from China or from that area of the world. And they have ways of hiding their footprints. I had a PTR site years ago that was hacked into at least once a week and even changing the password didn't work. We finally had a friend that put a security system on the site and every time it tracked attempts back to China.
I however have lost 4 sites in 2 years to hackers. They took them over and received money from upgrades etc. And I had no access whatsoever to the sites. Sort of makes you wonder whom you can trust any more.
Hilda
Well, basically you can trust no one. I have just finished reading a book about website security, and the ease of hacking is simply amazing. If you have done little to ensure security, you must expect to have your site hacked. It's just a matter of time. Having a good, up-to-date backup is a must, and a good rapport with the host is no disadvantage! :)
Of course, like DeHawkinz mentioned, using a dedicated server should help, but there's a high cost.
xxclixxx
04-07-2008, 03:49 PM
The biggest threat these days is the application layer, i.e. scripts you have installed. If you don't keep them up to date, and they aren't well thought out scripts, you can pretty much expect to get broken into. (One reason I used vBulletin rather than phpBB for this forum: the vulnerability rate is much lower.)
Server side issues you won't be in control of unless you have a dedicated server.
mysticblu1
04-15-2008, 07:57 AM
Very informative, guys. A penny's worth. WiFi security is an even bigger problem. Most WiFi networks can easily be hacked from a laptop in a car OUTSIDE your premises. The number of unguarded WiFi points at home is shocking. This is a scary can of worms in its own right.
haccel
04-15-2008, 08:31 AM
Some common ways servers are compromised (For *NIX based boxes - Windows/NT has a list that would go for days - just don't use it):
File/Folder permissions - CHMOD of 0777/0666 is deadly and asking for trouble. 0644 is most secure.
Server TMP directory is not on its own partition with -noexec. The most common way for people to get into your site (change index files etc...) is through an insecure tmp directory. The next most common is using a packet sniffer to detect when you FTP or administer your site.
MySQL injections
Poorly written server-side scripts
Brute forcing through password protected areas.
Also use a firewall on your local system as sniffers can catch you when you're administering your site. Try to use SFTP (Secure FTP) and https. Never use telnet, always use SSH - e.g. PuTTY
Your server should also use a firewall with all ports blocked except the ones needed for the site to run.
Ensure you have brute force protection on all login areas.
WiFi is ok if you have it set up right. Use a MAC address allow list and WEP or WPA - WPA is more secure and much harder to break into.
I don't use ssh because my host doesn't allow it. They gave me temporary access for a while but I asked them to remove it again.
Instead, if I need to do system commands I upload a script that does them, and delete the script afterwards. A bit clumsy, but I need it so seldom that I think the method is OK.
I use WiFi but have never made WPA work.
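The file-permission and tmp-directory points in haccel's list above can be checked with a short audit script. This is an added example, not code posted in the thread; the function names (`world_writable`, `mount_has_option`, `audit_webroot`) are hypothetical, and the demo web root and mounts table are constructed sample data.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable entries and confirm
# that /tmp is its own mount with the noexec option.

# Print every file or directory under $1 whose mode has the "other write"
# bit set (0666, 0777, ...). Symlinks are skipped: their own mode is unused.
world_writable() {
    find "$1" ! -type l -perm -0002 -print | sort
}

# Succeed only if mount point $1 appears in the mounts table ($3, default
# /proc/mounts) and its option list contains $2. The last entry wins,
# because a later mount on the same path hides the earlier one.
mount_has_option() {
    awk -v mp="$1" -v opt="$2" '
        $2 == mp {
            seen = 1; found = 0
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit !(seen && found) }
    ' "${3:-/proc/mounts}"
}

# Report both findings; the return status is the number of failed checks.
audit_webroot() {
    failed=0
    hits=$(world_writable "$1")
    if [ -n "$hits" ]; then
        printf 'world-writable:\n%s\n' "$hits"
        failed=$((failed + 1))
    fi
    if ! mount_has_option /tmp noexec "${2:-/proc/mounts}"; then
        echo '/tmp is not a separate noexec mount'
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Demo on a constructed web root and a constructed mounts table.
demo() {
    d=$(mktemp -d)
    mkdir "$d/uploads"; : > "$d/index.php"; : > "$d/config.php"
    chmod 0777 "$d/uploads"; chmod 0644 "$d/index.php"; chmod 0666 "$d/config.php"
    printf 'tmpfs /tmp tmpfs rw,nosuid,nodev 0 0\n' > "$d/mounts"
    chmod 0644 "$d/mounts"
    rc=0; audit_webroot "$d" "$d/mounts" || rc=$?
    echo "failed checks: $rc"
    rm -rf "$d"
}
demo
```

On a real host, call `audit_webroot` with the site's document root and leave the second argument off so the live `/proc/mounts` is read.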