Over the years, Intermedia has seen many types of attacks against our web hosting business. Sometimes they are as simple as the guessing of usernames and passwords to gain access; sometimes it is much more sophisticated.

We have been able to collect valuable information on what the most common tactics and attack vectors have been. We’d like to share a few tips on how to better increase the security of your website and avoid some common pitfalls.

It all comes down to the way you set up your web site, the quality of your coding and how you interact with your installation. One thing we want to stress: never jeopardize the security of your web site over convenience.


Always use strong credentials, change them regularly

The longer and more complex your password is, the longer it takes to guess or crack it. We’d recommend at least 14 characters. Change all your passwords on a regular basis, e.g. every 90 days.

Avoid well-known usernames

You should avoid using usernames such as admin or root, since these are extremely common and used during guessing attempts by hackers.

Keep your CMS and plug-ins updated

Make sure that you update your installation regularly. This is especially important when you use a CMS (content management system such as WordPress, Joomla, or Drupal). The plug-ins and themes available for those CMS installations also need to be updated from time to time. Old and vulnerable CMS versions and plug-ins are an easy way for a hacker to compromise your website.

Watch out for vulnerable plug-ins

Never install plug-ins or themes from unreliable sources. With a quick visit to your favorite search engine, you can research whether a desired or already installed plug-in or theme is known to be vulnerable or is no longer actively maintained. If this is the case, there is a high likelihood that exploit code is already available on the Internet. If you find vulnerable plug-ins or themes in your installation, you should remove them. This is an easy way for a hacker to compromise your website.

Do not store credentials in your applications

This might be inconvenient for you, but you wouldn’t believe how much malicious code is available to take advantage of these stored credentials. There are Trojan horses that can extract your credentials from your application. For example, they can take credentials from the FTP client you use to transfer files from your workstation to your web server, and then send them to someone else without your knowledge. We’d recommend using a password manager to store and retrieve your passwords.

Have input validation programmed into your code

Whenever a visitor on your web site is asked to enter something into an HTML field (like name, address or email), you want to make sure that these input fields only allow certain characters to be entered. You shouldn’t allow any unnecessary characters like double quotes (“), colon (:), semi-colon (;), plus sign (+), curly brackets ({}) or similar. A single quote (‘) might be okay for the name field, but not for the field where you enter a phone number. For the characters that you can’t exclude from certain fields, you should escape or encode those on the web server before processing. If you allow special characters to be used in any field, those characters can be misused in so-called SQL injection attempts, to manipulate or read information from your database.
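As an added example (not code from the original post), here is that approach in Python: each field accepts only the characters it actually needs, and a value that passes is still handed to the database as a bound parameter rather than spliced into the SQL string. The field patterns, the `contacts` table and the sample submissions are constructed for this example.

```python
import re
import sqlite3

# Per-field allow-lists (constructed for this example). A name may contain letters,
# spaces, hyphens, periods and an apostrophe; a phone number may not, and neither
# field accepts quotes, colons, semicolons, plus signs or braces.
FIELD_PATTERNS = {
    "name": re.compile(r"^[A-Za-z][A-Za-z .'\-]{0,79}$"),
    "phone": re.compile(r"^[0-9][0-9 \-()]{4,19}$"),
    "email": re.compile(r"^[A-Za-z0-9._\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$"),
}

def validate_field(field, value):
    """True only if the value matches the allow-list for that field."""
    pattern = FIELD_PATTERNS.get(field)
    return pattern is not None and pattern.fullmatch(value) is not None

def validate_form(form):
    """Map each failing field to an error message; an empty dict means the form is clean."""
    return {f: "disallowed characters or length" for f, v in form.items()
            if not validate_field(f, v)}

def store_contact(conn, form):
    """Insert a validated contact with a parameterized query, so an allowed
    apostrophe (O'Brien) is passed as data and never becomes part of the SQL."""
    errors = validate_form(form)
    if errors:
        raise ValueError(errors)
    conn.execute("INSERT INTO contacts (name, phone, email) VALUES (?, ?, ?)",
                 (form["name"], form["phone"], form["email"]))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]

def demo():
    """Constructed run: one clean submission is stored, one hostile one is rejected."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, phone TEXT, email TEXT)")
    clean = {"name": "Mary O'Brien", "phone": "555-0100", "email": "mary@example.com"}
    hostile = {"name": "x'; DROP TABLE contacts;--", "phone": "555'0100",
               "email": "mary@example.com"}
    stored = store_contact(conn, clean)
    rejected = sorted(validate_form(hostile))
    return stored, rejected

if __name__ == "__main__":
    print(demo())  # (1, ['name', 'phone'])
```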

Disable autocomplete in your HTML forms and input fields

Autocomplete is an HTML attribute which is supposed to make a user’s web experience more convenient. Unfortunately this feature might make your web site vulnerable to XSS (cross-site scripting) attacks. We recommend disabling that feature in your code.

Change the default settings

If you use special components to build your web site, like a CMS or plug-in, you should change the default settings for those installations whenever possible. Even a small change to these default settings can really make a difference, especially if you change the installation directory and the admin username. Keep in mind: cyber criminals who want to break into your web site know what the default settings are, too. Don’t become an easy target for them.

Housekeeping

Clean up after you are done with the installation of any additional components. Installation routines tend to leave valuable information behind, which could be just as valuable to a bad guy. If the installation files and folders are not needed anymore, remove them.

Set your file and folder permissions correctly

Incorrect settings on files and folders in a web environment are an invitation to cyber criminals. The wrong permission on a file could allow unwanted changes to the configuration or could reveal too much information to someone who isn’t the intended audience. If folder permissions are too generous (like execute permissions on an upload folder), it might allow the upload of malicious files or backdoors to your web site. Once these are put into place, attackers can have full file access to your web content whenever they like.

Disallow uploading files with certain extensions

Content management systems and photo gallery applications are known to have a certain folder structure, allowing broad access. They also have wide-open write permissions to make it easy for users to submit and upload files. Quite often the security implementation of these solutions is extremely weak. If you allow any type of file to be uploaded and the filename may contain a semi-colon (like bad_content.php;.jpg or notgood.aspx;.gif), you are providing attackers with one of the most common ways to gain unauthorized access to your web site.
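An added example (not code from the original post) of that upload check in Python: the filename must carry exactly one extension, that extension must be on an allow-list, and the name under which the file is stored is chosen by the server rather than the uploader. The extension list is an assumption for a photo gallery.

```python
import re
import secrets

# Extensions a photo-gallery upload folder accepts (assumed for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Characters that have no business in an uploaded filename: path separators,
# NUL bytes, and the ';' seen in names like bad_content.php;.jpg.
FORBIDDEN = re.compile(r"[;\x00/\\]")

def is_safe_upload_name(filename):
    """True only if the name has exactly one extension and it is allow-listed.
    Double extensions (shell.php.jpg), semicolon tricks (notgood.aspx;.gif),
    dot-files (.htaccess) and path components (../x.png) are all rejected."""
    name = filename.strip()
    if not name or FORBIDDEN.search(name):
        return False
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1].lower() in ALLOWED_EXTENSIONS

def stored_name(filename):
    """Return a server-chosen name (random stem plus the allow-listed extension)
    so nothing the uploader controls reaches the filesystem; None if rejected."""
    if not is_safe_upload_name(filename):
        return None
    ext = filename.strip().rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(8)}.{ext}"
```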

Review your log files

Web and FTP access logs, as well as the error logs of your web server, contain a lot of information. This is the first place to look for suspicious behavior on your web site. With a little programming, you can extract exactly what you are looking for. You should check for large numbers of failed login attempts or consecutive HTTP POST requests made to your web site in a short period of time. If you are a CMS user, look for failed attempts to access the admin portal. These are usually very good indicators of hacking attempts.
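As an added example (not code from the original post), here is that "little programming" in Python: it parses access-log lines, flags any IP that sends a burst of POSTs inside a short window, and counts POSTs to a CMS login path that did not end in a redirect. The log lines, the login paths and the assumption that a successful login answers with a 302 are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache access-log style: one scripted client hammering the login form.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3402
198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3402
198.51.100.7 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3402
198.51.100.7 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3402
198.51.100.7 - - [10/Oct/2023:13:55:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3402
203.0.113.5 - - [10/Oct/2023:13:56:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
LOGIN_PATHS = ("/wp-login.php", "/administrator/", "/user/login")  # assumed CMS login URLs

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records

def post_bursts(records, window=60, threshold=5):
    """IPs that sent `threshold` or more POSTs inside any `window`-second span."""
    times_by_ip = defaultdict(list)
    for r in records:
        if r["method"] == "POST":
            times_by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def failed_logins(records):
    """Per-IP POSTs to a login path that did not redirect. Assumption: a successful
    CMS login answers 302, so a re-served form (200) or a 401/403 counts as a failure."""
    counts = defaultdict(int)
    for r in records:
        if r["method"] == "POST" and r["path"].startswith(LOGIN_PATHS) and r["status"] != 302:
            counts[r["ip"]] += 1
    return dict(counts)
```

Run it over a real access log by passing the file contents to `parse_log`, then tune `window` and `threshold` to your site's normal traffic.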

Restrict access to your CMS admin portal

If your web site is running on a CMS installation, and assuming that you have a static IP address (ask your internet service provider if you can have one), you should look at restricting access to the admin portal to just the IP addresses that are authorized to use it.

Use security-focused CMS plug-ins

There are plenty of good security-related plug-ins for CMS installations. Most of them are free or can be purchased for a minimal cost. You can find them in the repository or download area on the homepage of the CMS of your choice.

Have it tested

Professional penetration testing firms can offer a great deal of value when it comes to the security of your site. They know the latest tools and techniques that hackers are using to compromise web applications and can offer excellent feedback and perspective on the security of your application. Protip: Have them review the actual source code of your application first (called a Greybox test) for the best results, and use a combined approach of automated scanning tools in addition to manual efforts.


We recommend visiting the Open Web Application Security Project (OWASP) website (https://www.owasp.org) to learn more about the OWASP Top Ten. The OWASP Top Ten is a powerful awareness document for web application security and represents a broad consensus about the most critical web application security flaws. Project members include a variety of security experts from around the world who have shared their expertise to help produce this list.

We urge all companies to adopt this awareness document and start the process of ensuring that their web applications do not contain these flaws.

Following these recommendations doesn’t mean that your web site will never be attacked. The ease and availability of information through the Internet makes it easy for hackers to find new tools and makes it difficult for you to defend your website. But, if you keep these tips in mind, you can significantly reduce the possibility of an attack.