As this article is mainly written for small e-business owners, I will omit technical details about web hacking techniques, and will focus instead on the general security mistakes that lead to vulnerabilities, which are then exploited by hackers.
One of the oldest and simplest problems is default or weak passwords used to access the admin interfaces of web applications. Another related and very widespread problem is the default admin panel location, such as “/wp-admin/” or “/administrator/”, which makes compromising your website much easier, even with a single simple XSS vulnerability. Password reuse is also a very common and dangerous practice. Move the admin panel away from its default location and choose strong, unique passwords so that these risks are avoided.
Another very common problem is old and outdated software. If you are using an open source CMS such as Joomla, WordPress or osCommerce, make sure that it, and all of its modules and plugins, are kept up to date. Today, the biggest danger comes from the numerous plugins, which usually have plenty of vulnerabilities.
Be careful when you are using third-party custom code on your website that is not trusted by a large community of other users. I have seen many examples of quite secure websites being compromised because they installed “Simple Online Poll v0.1” coded by a friend or an inexperienced trainee. Usually the majority of web vulnerabilities hide in in-house code, because it has not been reviewed and tested by millions of users and security researchers the way, for example, the core source code of Joomla has.
Another important point to mention is proper access control. Don’t share your passwords and other credentials with people who do not actually need them; otherwise, once one of them is compromised, your website will follow. It is always better to limit access to your admin panels to specific IP addresses, or at least to sub-networks (in case you don’t have a fixed IP). Make sure that, on your web server, file permissions are correct and other users (if any) cannot read your files.
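As an added example, not code from the article, the file-permission advice above as a small POSIX shell audit: it lists the files in a web root that other local users could read or write, and tightens them. It assumes a Unix host where the site owner and the web server process share one group; the web root path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the article: audit a web root for files that other
# local users on the host could read or write, then tighten them.
# Assumes a Unix host where the site owner and the web server process share
# one group, so files can be 640 (owner rw, group r) and directories 750.

# Print every regular file under the given root that "other" can read (o+r)
# or write (o+w). Octal tests keep this portable across GNU and BSD find.
find_world_accessible() {
    find "$1" -type f \( -perm -004 -o -perm -002 \) -print | LC_ALL=C sort
}

# The same check reduced to a count, usable as a pass/fail gate in scripts.
count_world_accessible() {
    find_world_accessible "$1" | wc -l | tr -d ' '
}

# Strip all "other" permissions below the root: directories 750, files 640.
# Do not run this where the web server is outside the owner's group: it would
# lose read access and the site would stop serving.
tighten_permissions() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# Usage: sh audit_webroot.sh /path/to/webroot   (path is a placeholder)
if [ -n "$1" ]; then
    echo "Files under $1 readable or writable by other users:"
    find_world_accessible "$1"
fi
```

Run the audit first and review the list; only call tighten_permissions once you have confirmed how your hosting account and web server share files.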
Needless to say, the security of the web hosting service where your website is located is also important. Don’t try to save money on it, as such “economy” may ruin your business. When selecting your hosting company, pay attention to the company’s reputation, the client support it offers (it should have a competent security team ready to react rapidly to security incidents) and whether it has a daily backup plan.