The first steps to make your site more secured

Hi,

I recently had two of my sites hacked one of them was using WordPress and this happened about six months ago, so I was thinking that it was because I was using WP with a poor user name and password, two days ago the other one was also hacked and on this one I’m not using WP, I also had a poor Cpanel password (5 letter password). So after this I will start using strong passwords but I was wondering if this is really where the hacker got into my site.

I would like to understand more about web security because right now all I know is that a strong password needs to be used and that’s it.

1 - What are the different ways a hacker can get into my server?

2 - What are the steps on securing your server, or is this something the host company takes care off?

3 - What are the general steps setting up a new site for the first time to make sure it will be secured (I know nothing is 100% secured)?

4 - Where can I get more information on web security? Is there a good book that you guys recommend?

Thanks a lot!

With regard to open source scripts such as you mention there are three main ways someone can break in.

1. If you are running an old version with known security holes they can exploit one of those security holes.
2. If you use a weak password then they can possibly guess what it is to break in.
3. If you don't have proper security on your own computer they may be able to install a keylogger there so as to capture all your passwords.

First of all thank you for your help.

How about the server? I guess I don't know understand how the servers work, I'm assuming that I'm renting a partition on one of the computers from my hosting service provider, IF I'm correct, what if someone attacks a different partition in the same computer (different client using the same hosting services).

Could a hacker get to my partition through a different partition within the same server?

Sorry if my questions don't make too much sense.

Thanks

It is possible that another compromised site "crossed over" to yours. But I suspect this is unlikely as the host would probably catch this. Just the same, you should report the incident to your host.

It is more likely one of the reasons felgall mentioned. Bite the bullet - upgrade any old apps you're using, check your folder/file permission settings, and do a scan of your computer.

Strong usernames and passwords are a good idea, but they are only one step in having a secure site.

Thank you all for your comments!

Hi,

I just ordered a book called Apache Security, will this help me to learn about web security?

http://www.amazon.com/Apache-Securit...5773193&sr=8-1

Thanks a lot

I would recomend:
The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
Here is review from Richard Bejtlich:
http://taosecurity.blogspot.com/2009...n-hackers.html
Here other reviews by him:
http://taosecurity.blogspot.com/search/label/reviews

Also - if you are into security in broader sense - a must read is "Security engineering" by Ross Anderson:
http://www.cl.cam.ac.uk/~rja14/book.html

P.S. Bejtlich has a review for the book you've bought as well:
http://taosecurity.blogspot.com/2006...ks-posted.html
One thing to consider is that the book is already 4 years old, so there might be some differences to situation now.

I read a good article in the .net magazine see here for details:-

http://www.netmag.co.uk/zine/latest-issue/issue-201

and I think I have found the same article here:-

http://www.techradar.com/news/intern...ecurity-687153

Thank you all very much this is good information.

I found this helpful! Very good info

http://25yearsofprogramming.com/blog/20070705.htm

Thanks

Quote:

---

Originally Posted by felgall

With regard to open source scripts such as you mention there are three main ways someone can break in.

1. If you are running an old version with known security holes they can exploit one of those security holes.
2. If you use a weak password then they can possibly guess what it is to break in.
3. If you don't have proper security on your own computer they may be able to install a keylogger there so as to capture all your passwords.

---

Great points! Just to add to this, making sure you are not using the default 'admin' username. Hackers are aware most people don't bother to change this.

Also are you using and FTP program? I love Filezilla, but somehow transferred a virus to my site using it one time. If you are using this software, try switching to something else like CoreFTPLite. It's a lot slower, but seems to be more secure.

Good luck!

Quote:

---

Also are you using and FTP program? I love Filezilla, but somehow transferred a virus to my site using it one time. If you are using this software, try switching to something else like CoreFTPLite. It's a lot slower, but seems to be more secure.

---

Thank you for your comments!

Wow thats bad new I love Filezilla. Is there any good ftp for Mac?

Try Cyberduck - http://cyberduck.ch/

Haven't used it myself but heard very good things about it from others.

Thanks a lot for your comments.

Are you using a shared hosting or vps? if you are with a managed vps, your hosting provider should take care of backups and security as well.

And the book you just bought should help you. But, its always better to learn security with a test system instead of production server.

First of all thank you for your comments.

Quote:

---

But, its always better to learn security with a test system instead of production server.

---

Can you please recommend me a better book or direct me to where I can find more info?

Thanks