If you have ever had your website hacked then you are all too familiar with that sickening feeling in your stomach caused by a cocktail of mixed feelings: violated, vulnerable, helpless, confused, angry and disgusted. If you have had your website hacked then you are not alone. In fact, a website designed and built by WebDuck Designs was hacked 5 or 6 years ago, so we know firsthand how infuriating it is to have your website hacked. After we were hacked, I vowed to do everything in my power to prevent future websites from being hacked, so we invested a lot of time into researching hackers so we could come up with ways to help foil their attempts. Because it’s WebDuck Designs policy to educate whenever possible, we have put together this page in the hope that the information written here will help you prevent your website from being hacked. Because the topic of hacking is so large, we have broken this page up into different topics covering the various aspects of website hacking.
In one word: “everyone” needs to worry about hackers. Hackers do not discriminate when it comes to whose website they hack. In fact, smaller websites tend to get hacked more than larger websites. The first step in preventing your website from being hacked is to understand a little bit about hackers. Although it’s bad to stereotype anybody, hackers generally fall into one of 3 categories: White Hat, Black Hat, and Mischievous.
Let’s start with White Hat hackers. A White Hat hacker is a good guy. He or she uses his or her hacking skills to help website owners by locating potential security threats and, in some cases, suggesting how to eliminate the security threats he or she found. Some White Hat hackers operate on their own, searching the web for random websites to hack, while others are contractors paid to hack specific websites that need to be extra secure. Good White Hat hackers can make a very good income and in some cases can even land a high-paying full-time job. You might have seen or are familiar with movies where a hacker manages to hack a large company or a government website and then gets a job with the people he or she hacked. Well, don’t believe those movies. In 99% of those situations the hacker goes to jail or is charged with some kind of crime and disciplined in one way or another. Unless you have permission to hack a website, doing so is illegal no matter what the intentions.
Now that we have looked at the good hacker, let’s take a look at the evil Black Hat hacker. Similar to the old comic strip “Spy vs. Spy”, the Black Hat hacker is the bad guy. A Black Hat hacker likes to hack websites for his or her own personal reasons, and 99.9% of the time those reasons will not benefit the owner of the website. So why do Black Hat hackers hack websites? To be honest, the reasons vary from hacker to hacker. Some hackers hack a website just for the challenge, while for others it’s more personal and for whatever reason he/she wants to access information, crash, or take over your website. No matter what the reasons are, hackers are out there and the chance of a hacker targeting your website is a lot higher than you think, which is why it’s in your best interest to take as many precautions as possible to deter a hacker. I use the word deter as opposed to stop because the unfortunate reality is that if a hacker is good enough and determined enough, eventually he or she WILL hack your website. For the hackers that are less experienced and less determined, the following tips will help you prevent your website from being hacked.
The first step in preventing your website from being hacked is to start at the planning stage. If your website is going to have dynamic content like a forum, blog, content management system or even a shopping cart, then try NOT to use anything open source. Open source means that the application is developed by a large number of people and the code that makes the application function is readily available to everyone, including hackers, for free. You may intend to use a pre-made blog like WordPress or maybe a forum like phpBB, but be aware that there are hackers that have copies of those applications as well and have already reverse engineered them in order to find a weakness that he/she can exploit. One of the most common examples of a pre-made web application being hacked is the aforementioned forum phpBB. Remember I said that I had one of my sites hacked a while back? Well, it just so happens that when I did get hacked it was a phpBB forum that was running on one of my clients’ websites. There is nothing more sickening than going to the website and seeing the database is gone and some “graffiti” on the homepage letting me know that I was hacked and there was nothing I could do about it.
Not all hackers that hack pre-made open source applications are looking to crash or take over a website. Some of the biggest spam companies have found ways to hack all the most popular forums and blogs so that they can place spam posts on your website, and there is nothing you can do to stop them. Most forums and blogs have settings that require comments or posts to be approved, or in some cases only allow a “moderator” to make posts. Spam hackers have found ways around these checks and balances, and once they locate you there really is nothing you can do. You might try blocking their IP address, but most likely that is a complete waste of time because they have an unlimited supply of IP addresses they can use every time you block one.
Online stores or ecommerce websites that use pre-made or open source shopping cart programs are at high risk of being hacked. Most open source shopping cart solutions have “contributors” that create “modules”, known as “contributions”, that add new and different functionality to these websites. The concept sounds great, but the reality is that someone not experienced with code may install a backdoor into their website thinking they are just adding on a contribution. It’s not uncommon to add on a contribution and within a couple of days have your website hacked. Remember, open source shopping carts are free, so it’s pretty easy for a hacker to reverse engineer one to find a weakness to exploit. Because of this I highly recommend NOT storing credit card information or any other personal information in your website’s database.
Pre-made and open source applications are not only easier to hack, they are also a homing beacon for hackers to find you. One of the biggest tools a hacker uses is Google. Because Google indexes websites by reading the code, a hacker can search for some keyword or keyword phrase that is located within an open source or pre-made application. Within seconds a hacker has a “hit list” of potential targets. This might be the only instance where you DON’T want to be on page 1 of Google. Being farther down the list doesn’t make you much safer.
Now you know that pre-made and open source web applications can be easier to hack and can be used by a hacker to locate your website, so the biggest piece of advice I can give you is to NOT use them. If you need a blog or a forum or even an ecommerce solution, then try to locate a developer that has created a custom application that fits your needs. In most cases a custom application is easier to “fine tune” to your specific needs. Custom applications do tend to cost a bit more, so if your budget will not allow you to have a fully customized application made for you, then do a little research on open source and pre-made applications before deciding which one to use. If there are known bugs or problems then someone somewhere has posted them online.
Whether you have an online store or a simple informational website, the following tips will help you prevent that precious website of yours from being hacked by a malicious hacker. These anti-hacking tips are general enough to apply to all websites, no matter the size. The first line of defense against a potential hack attempt on your website is to make sure you have a reliable hosting company. I cannot stress enough how important this is. You would be amazed at how many United States based hosting companies actually outsource their server management overseas to countries like India. Aside from the obvious problem with customer service issues, having a hosting company that outsources its server management overseas is a huge security risk. I will use an example I am all too familiar with. A hosting company that I do not believe exists anymore, called MySiteSpace.com, claimed to be located in Canada; however, their server management was located in India. At some point a deal was made between a spam company and one or more members of the MySiteSpace.com IT department, and the spam company was given a back door into the server. The end result was that a large number of MySiteSpace.com customers ended up with “phish” sites impersonating popular online banking websites located under their domain name. MySiteSpace.com clients also ended up with malicious scripts being put on their web pages and in some cases were unknowingly spreading viruses. Unfortunately for the clients, the servers eventually crashed and the last I heard the accounts were sold off to another company. How do I know this? Because 8 years ago I actually used MySiteSpace.com to host some of my own websites and learned this lesson the hard way, first hand.
Since we are on the topic of servers, let’s stay with it and discuss passwords. To be more specific, let’s discuss server admin panel passwords as well as FTP account passwords. A GOOD password contains at LEAST 6 characters that include a mixture of letters, numbers, and special characters like punctuation. Here is an example of a good password: “he746!leyghey! 5”. Here are a couple of examples of bad passwords: “Oscar”, “7563983”, “encyclopedia” etc. The reason you ALWAYS want to include letters, numbers, and special characters like punctuation is that not doing so leaves you vulnerable to brute force hack attempts. A brute force hack attempt is where a “bot” or another computer repeatedly tries to access your server or database by continuously submitting passwords. Most brute force hacks utilize a “dictionary” program which uses actual words as the password. Since this is by far the most common form of being hacked, I HIGHLY recommend NEVER having a password that is an actual word or name. If you do use a name or a real word then you are just begging to be hacked. Make your passwords as long as possible and don’t forget to use a combination of letters, numbers, and special characters.
Enough about servers; let’s move on to securing an actual website. Are you familiar with permissions? Ok, I guess that we are still indirectly discussing servers, but this is more about actual directories than the server itself. In case you don’t know, permissions are settings that allow / disallow certain people to read, write, or execute files on your server. For more information on server permissions, do a Google search, since this page is about security, not server management. One of the ways hackers find files to try and hack is by looking through a website’s directories. Looking through a directory is easy. All you do is go to a page on a website (usually NOT the homepage), then remove the page name from the address, or simply start at the end of the website address and hit the backspace key until you get to the first “/”, then hit the enter key. If the permissions are set to allow everyone to “read” the directory then you will see all the files located in that directory on the server. This is a bad thing if you have files like “defines.php” or “includes.asp”, because files like that are magnets to hackers: clearly they do some kind of processing. Now if the permissions are set to NOT allow visitors to read a directory then you will generally receive a permission error. The “pages” directory on the WebDuck Designs website, for example, does not allow visitors to read the directory, so the server generates an error alerting you that you do not have permission to read it.
Before we conclude the general anti-hacking tips section, let me give you a little advice when it comes to choosing a hosting solution. When in doubt, go with one of the BIG companies like Go Daddy or Web.com. Although they are not “perfect”, they are usually pretty good at providing a reliable hosting solution and good customer service. If you don’t want to use one of the big companies as a hosting solution then at the very least do a little research. Horror stories and complaints spread like a brushfire on the internet, so if a company has problems, 99% of the time you will find some reference to them simply by Google searching them.
If your website has been hacked and you are not using a pre-made open source application on your website, then chances are you or your developer was not thinking about PHP and MySQL security when the website was created. Most beginning PHP programmers are concentrating on “how” to actually develop an application and don’t really pay much attention to making sure it is secure. In fact, 99% of the beginning programmers out there don’t know how to write secure PHP code. If you are not familiar with how to write PHP code then these tips might be a bit over your head. If you are a PHP programmer, please understand that I have to be somewhat vague when I provide you with ideas on how to secure your PHP scripts, because if I were to give examples I would be opening myself up to be hacked.
The first thing we will concentrate on is protecting you against a database injection. A database injection is where a hacker “injects” code into a database using your own processing scripts. There are two ways a hacker can do this. The first way is by using your own data submission forms, like link exchange forms, payment gateway interfaces, and contact forms. A hacker would go to one of these pages or similar pages and just enter MySQL code into the actual form fields. Suppose you had an insecure contact page that kept contact information in a database for later use, like email marketing or follow-up inquiries. A hacker would only have to enter a single line of code into your form field and then submit the information as if he or she were trying to contact you. The script entered by the hacker could then cause your database to crash or worse. In some cases, if you are not careful, a hacker can use this method to delete all your database records. Now you are probably wondering how to prevent this. Well, preventing a MySQL injection attack is pretty easy. PHP has a function, “real_escape_string”, which can be used to make sure all data you process into the database is a string and cannot be interpreted by MySQL as code. For more information on how to use the PHP function “real_escape_string”, see the PHP manual.
The second way a hacker can attack your database using your own processing scripts is by using their own website to constantly submit information to your processing scripts. In some cases the hacker might successfully manage to insert information into your scripts that will crash or delete your database. Even if the hacker can’t damage the database, the constant stream of contact data submissions could potentially crash the server. Most contact and data submission forms use JavaScript validation to validate the information before submitting it. JavaScript validation does a great job of helping a visitor submit the right information in a properly formatted way; however, it is absolutely useless when it comes to validating information submitted by a hacker, simply because any hacker with half a brain knows how to disable JavaScript in their browser. Disabling JavaScript means there is no longer any validation and the information is submitted for processing as-is. Without some kind of server-side validation in place, your processing scripts will process potentially dangerous information. As I mentioned at the beginning of this paragraph, a hacker doesn’t even need to use your website to submit the information. He or she can just create a similar data submission page on his or her own server and have that page submit the information to your processing script. As long as the hacker uses form fields with the same names, he or she can successfully submit the information for processing by your scripts. How does the hacker know what the field names are? How does the hacker know where to submit the information? Two questions with the same answer. All a hacker has to do is view the source code of your data submission form and read it. Kind of a scary thought, isn’t it? A hacker submitting information at will to your website to be processed without you knowing about it can be quite bad.
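As an added example (not WebDuck’s code), here is a small contact-form handler that shows both points above together: the query built by pasting the form field straight into SQL, which the injection paragraph warns about, beside a server-side validation step and a prepared statement that hold no matter whether the visitor’s browser ran your JavaScript or the post came from someone else’s page. It uses PDO with an in-memory SQLite database and constructed sample rows so it runs stand-alone with `php`; on MySQL the same prepare()/execute() calls apply, and the function the text refers to is `mysqli_real_escape_string()`, the escaping alternative for when you build the SQL text yourself.

```php
<?php
// Added example, not WebDuck's code. Run stand-alone: php contact_demo.php
// In-memory SQLite with constructed sample data, so no database server is needed.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    $db->exec("INSERT INTO contacts (name, email) VALUES ('Alice', 'alice@example.com')");
    $db->exec("INSERT INTO contacts (name, email) VALUES ('Bob', 'bob@example.com')");
    return $db;
}

// VULNERABLE: the form field is pasted into the SQL text, so a value containing
// a quote closes the string early and whatever follows is run as SQL.
function findByEmailVulnerable(PDO $db, string $email): array {
    $sql = "SELECT name FROM contacts WHERE email = '$email'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// SAFE: a prepared statement sends the value separately from the SQL text,
// so the database only ever treats it as data, never as code.
function findByEmailSafe(PDO $db, string $email): array {
    $stmt = $db->prepare('SELECT name FROM contacts WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Server-side validation runs on the server no matter what the browser did,
// so disabling JavaScript or posting from another site does not bypass it.
function validateContact(array $post): array {
    $errors = [];
    $name  = trim((string)($post['name'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name must be 1-100 characters';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

// Validate first, then insert with a prepared statement. Returns the list of
// validation errors; an empty list means the row was stored.
function saveContact(PDO $db, array $post): array {
    $errors = validateContact($post);
    if ($errors !== []) {
        return $errors;                     // rejected before touching the database
    }
    $stmt = $db->prepare('INSERT INTO contacts (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => trim($post['name']), ':email' => trim($post['email'])]);
    return [];
}

$db = openDb();
$hostile = "x' OR '1'='1";                  // constructed hostile form value
echo count(findByEmailVulnerable($db, $hostile)), " rows returned by the vulnerable query\n";
echo count(findByEmailSafe($db, $hostile)), " rows returned by the prepared statement\n";
print_r(saveContact($db, ['name' => 'Mallory', 'email' => $hostile]));
```

The vulnerable query hands back every row because the hostile value turns the WHERE clause into `email = 'x' OR '1'='1'`; the prepared statement looks for that literal text as an address and finds nothing, and the validation step rejects it before any insert is attempted.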
In addition to having PHP or some other kind of server-side validation, you should also do an IP address check before processing any information. If you know the IP address of your website then you can compare that with the referring website’s IP address to see if it was in fact submitted using your website or someone else’s website. If you don’t know your website’s IP address you can find it out at the following website: (http://www.selfseo.com/find_ip_address_of_a_website.php). Now, to find out the IP address of the referring website you can use the PHP global variable “$_SERVER['SERVER_ADDR']”. Then compare the referring website’s IP address with your own website’s IP address, and if they don’t match then the information is coming from someone else’s website.
The last tip I’m going to share with you is protecting your “defines” or “includes” pages. Most developers put the database connection information, as well as other important information, into a “defines” or an “includes” page and call that page into every page that needs to access the database. This is a great way to program, because if you ever have to change your password or other database information you can do so in a single place. Because this is the most common way to develop, hackers tend to look for these files and in one way or another access the information on these pages. A good way to protect against this is to add a little code to the top of the “defines” or “includes” file that looks for something specific. Then every one of your pages that needs to access the database will have this extra bit of something added to the top of the page. Now if a hacker tries to access your “defines” or “includes” page and doesn’t have the little something that you added, make the page stop processing and echo something like “Hack Attempt!” This will usually tell the hacker that you anticipated his move, and most likely he or she will move on to easier prey. I wish I could give you an example of what I am talking about, but in this particular case I have to be vague so that nobody is wise to exactly what we do to help prevent hacking. I can tell you that, just like everything else in programming, there is more than one way to accomplish the same goal, so if you take a moment to think about it I’m sure you will come up with something.
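The page deliberately keeps WebDuck’s own guard private; as an added example that is not their technique, here is one widely used way to give a “defines” file the “little something” described above: the file refuses to run unless the page that pulled it in has defined a marker constant first. The marker name `WEBAPP_ENTRY` and the DB_* settings are assumptions for the example, and the listing shows two files, defines.php and contact.php, separated by comments.

```php
<?php
// Added example, not WebDuck's own guard. Two files are shown; save each
// under the name in its section comment.

// ---------- defines.php ----------
// A direct request for /defines.php arrives with no marker constant defined,
// so processing stops here before any setting below is defined. Pages that
// legitimately need this file define the marker first (see contact.php).
if (!defined('WEBAPP_ENTRY')) {
    http_response_code(403);
    exit('Hack Attempt!');
}
define('DB_HOST', 'localhost');
define('DB_USER', 'app_user');               // placeholder, not a real account
define('DB_PASS', 'REPLACE-WITH-PASSWORD');  // placeholder, not a real password
define('DB_NAME', 'app');

// ---------- contact.php (any page that needs the database) ----------
// The extra bit at the top of every page: set the marker, then pull the
// settings in. Requests for this page work; requests for defines.php on its
// own do not.
define('WEBAPP_ENTRY', true);
require_once __DIR__ . '/defines.php';
// DB_HOST, DB_USER, DB_PASS and DB_NAME are now available to this page.
// ... page code continues ...
```

A second layer that costs nothing is to keep defines.php outside the web root and reference it by filesystem path in require_once, so the web server has no URL for it at all.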
As I said at the beginning of this page, a determined, experienced hacker really cannot be stopped; however, if you take some precautions to help secure your website, server and processing scripts, then you can greatly decrease your risk of being hacked. The biggest and most important tip I can give you to help prevent being hacked is to think like a hacker while you write your scripts or create your passwords.