Do You Make These 5 Server Security Mistakes?
By Jonathan on June 26th, 2009 in Beginners, Tips & Tutorials, Webmaster
Web servers are a prime target for attackers, and that is before you count accidents and natural catastrophes.
Even if you think your website is too obscure to attract attention, remember that worms and bots scan whole IP ranges for vulnerable machines; they do not care whose site it is. Even home PCs are under attack from the second they connect to the web.
The good news? If you have a managed hosting solution, much of the dirty security work is handled for you. There’s no need to patch your operating system, make sure your mail servers are not open relays or harden your server. Your managed host should do that for you.
However, your host can only do so much, so there is still plenty of work for a responsible webmaster. Here are five common web security blunders – and how you can avoid them.
1. File Permissions
If you install scripts on your server, you will probably have to set permissions on at least some of your folders. Whether it is to make a folder writable (e.g. to make themes editable in WordPress) or to let the server execute a file, adjusting permissions is a fact of life.
This is usually done with the chmod command, or the equivalent dialog in an FTP program. Getting the permissions right can be tricky, and in a moment of frustration some people simply set all of their folders and files, or at least a large number of them, to the most permissive setting, 777 (read, write and execute for everyone).
Doing this is very dangerous. A world-writable file can be changed by any process on the machine, which on a shared host includes other customers' scripts, so a buggy or compromised script can do damage well beyond its own folder. And if an attacker gains even limited access, world-writable directories let them upload and run their own code on your server.
How to Fix It
Read the instructions for your scripts carefully and give files and folders only the permissions they need: typically 644 for files and 755 for directories, with write access only on the specific folders that need it, such as an uploads or cache directory. Most hosts set sensible defaults, so change them only when absolutely necessary, and put them back once the task (editing a theme, say) is done.
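As an added illustration (not part of the original article), here is a small shell script that audits a hosting account for the world-writable files and directories a careless "chmod 777" leaves behind and strips the offending bit. It assumes an ordinary account where 644 for files and 755 for directories is the norm; the path names in the usage line are placeholders.

```sh
#!/bin/sh
# Added example: find and repair world-writable files and directories under a
# web root. Assumes a typical shared-hosting account (644 files / 755 dirs);
# a folder your scripts genuinely must write to should be set explicitly and
# as narrowly as possible, not swept up by a blanket 777.

# Print every file or directory under $1 that is writable by "other" (the
# bit that 777 and 666 set). Symlinks are skipped: they always show as 777.
audit_perms() {
    find "$1" ! -type l -perm -002 -print
}

# Summarise, and return 0 when the tree is clean, 1 when anything is exposed.
check_perms() {
    n=$(audit_perms "$1" | wc -l | tr -d ' ')
    echo "$n world-writable entries under $1"
    [ "$n" -eq 0 ]
}

# Remove only the world-write bit, leaving owner/group bits and any execute
# bits on CGI scripts alone. Re-running is harmless.
fix_perms() {
    find "$1" ! -type l -perm -002 -exec chmod o-w {} +
}

# Usage: sh perms.sh /home/you/public_html        (report only)
#        sh perms.sh /home/you/public_html fix    (repair, then report)
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = fix ]; then
        fix_perms "$1"
    fi
    check_perms "$1"
fi
```

Run the report first and read the list: anything that shows up is either a folder you deliberately opened (which should be made as narrow as possible) or a mistake. The script exits non-zero when it finds something, so it can run from cron and mail you only when there is a problem.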
2. Wildcard Indexing
Most Web sites have a folder where they keep their images, audio or other non-Web-page files. But what happens when you visit the root of that directory (e.g. yourdomain.com/pics/)?
If you get a server error (either 403 or 404) you are in good shape. If you see a list of the files in that directory, there may be a problem. This is called directory indexing (or a directory listing), and whether it happens depends on how your host has configured the server to handle a request for a directory that has no index file.
A listing opens up several issues, including file leeching, bulk downloading of your files without anyone visiting your pages, hotlinking, and exposure of anything sitting in that folder that you never linked to, along with more of your directory tree than you intended to show.
How to Fix It
Fortunately, most directories already have an index file in them. You probably have only one or two folders you created to store non-Web documents. For those you can turn off indexing by editing your .htaccess file, by adding an empty file named "index.html", or, if you use cPanel, by going to "Index Manager" and disabling indexing for that folder.
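As an added example (not from the original article), the script below lists the directories in a web root that have no index file, which are exactly the ones a listing would expose, and adds the Apache directive that turns indexing off to .htaccess. It assumes Apache with .htaccess overrides permitted for Options, the usual shared-hosting arrangement; a host running a different server needs its own equivalent setting.

```sh
#!/bin/sh
# Added example: find directories without an index file and disable directory
# indexing in .htaccess. Assumes Apache with "AllowOverride Options" (or All)
# so that an Options line in .htaccess takes effect.

# Print each directory under $1 that has no index.html, index.htm or index.php.
dirs_without_index() {
    find "$1" -type d -print | while IFS= read -r dir; do
        if [ ! -e "$dir/index.html" ] && [ ! -e "$dir/index.htm" ] \
           && [ ! -e "$dir/index.php" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# True when $1/.htaccess contains an Options line that turns indexing off.
indexing_disabled() {
    grep -Eq '^[[:space:]]*Options[^#]*-Indexes' "$1/.htaccess" 2>/dev/null
}

# Append "Options -Indexes" to $1/.htaccess. Safe to re-run. Refuses to act
# when the file already turns indexing on ("Options Indexes", "+Indexes" or
# "Options All"), which needs a manual edit rather than a contradictory line.
disable_indexing() {
    f="$1/.htaccess"
    if indexing_disabled "$1"; then
        echo "$f: indexing already disabled"
        return 0
    fi
    if [ -f "$f" ] && grep -Eq '^[[:space:]]*Options[^#]*([+[:space:]]Indexes|[[:space:]]All)' "$f"; then
        echo "$f: explicitly enables indexing, edit it by hand" >&2
        return 1
    fi
    printf '%s\n' 'Options -Indexes' >> "$f"
    echo "$f: added 'Options -Indexes'"
}

# Usage: sh indexing.sh /home/you/public_html
if [ "$#" -ge 1 ]; then
    echo "Directories without an index file:"
    dirs_without_index "$1"
    disable_indexing "$1"
fi
```

A directive in the web root's .htaccess applies to every subdirectory beneath it, so one line covers all of the folders the first function lists. After the change, request one of those folders in a browser and confirm you now get a 403 rather than a listing.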
3. Out of Date Software
Though your host has the responsibility to keep the OS, server software and other applications they control up to date and secure (so long as you are on a managed solution), you are still responsible for the applications you install.
Out-of-date applications, from blog platforms to bulletin boards, are open to a variety of attacks, from SQL injection to password cracking and more, and most of those attacks go after holes that a later release has already fixed. If your copy of WordPress is telling you to upgrade, it is a very good idea to do so.
How to Fix It
Fixing this mistake is pretty simple: update your apps. If an application you use doesn't notify you of updates itself, subscribe to the project's announcement mailing list or RSS feed. It is imperative that you stay on top of updates and patch as quickly as possible once a hole is announced, because attacks on a published hole follow quickly.
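As an added example (not from the original article), here is a script that checks whether an installed copy of WordPress is behind the current release. It reads the version from wp-includes/version.php, where WordPress records it, and compares it with the latest version you pass in from the project's release announcement or feed; nothing is fetched from the network. The script name and paths in the usage line are placeholders, and the comparison helper works for any application that uses dotted version numbers.

```sh
#!/bin/sh
# Added example: report whether an installed web application needs updating.
# The installed version comes from the application's own files; the "latest"
# version is an input you supply, taken from the project's announcements.

# Installed WordPress version under web root $1 (e.g. "2.8"), or nothing.
# WordPress stores it as:  $wp_version = '2.8';
wp_installed_version() {
    sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php" 2>/dev/null
}

# Dotted-version compare: succeed when $1 is older than $2. Each component is
# compared numerically, so 2.9 < 2.10; a suffix such as "-beta1" is ignored.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# Report on one application: returns 0 if current, 1 if an update is
# needed, 2 if the installed version could not be determined.
check_app() {
    name=$1 installed=$2 latest=$3
    if [ -z "$installed" ]; then
        echo "$name: installed version not found"
        return 2
    fi
    if version_lt "$installed" "$latest"; then
        echo "$name: $installed installed, $latest available: UPDATE"
        return 1
    fi
    echo "$name: $installed is current"
}

# Usage: sh appcheck.sh /home/you/public_html 2.8.1
if [ "$#" -ge 2 ]; then
    check_app WordPress "$(wp_installed_version "$1")" "$2"
fi
```

Add a function like wp_installed_version for each other application you run (most keep their version in a single, well-known file) and call check_app once per application. Because the exit status says whether an update is due, the script can run from cron and only mail you when something is behind.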
4. Back Ups MIA
I’ve talked about the importance of backing up before, but it bears repeating: any number of disasters can strike your server at any time and wipe out your data. If you want to recover quickly, you need good backups.
Whether it is a malicious intruder breaking into your server, a natural disaster or a simple hard drive failure, having your own backups matters, and relying solely on your host for this service is an invitation to disaster.
How to Fix It
The good news is that, if you run a database-driven site (e.g. a WordPress blog), much of your site can be backed up with a simple database dump. If you’re a cPanel user, you can do that easily from phpMyAdmin's export function. There are also WordPress plugins that can automate the process. Whatever you use, get the dump off the server: a backup that lives only on the machine it protects disappears along with it.
For other sites, backing up is as simple as logging in via FTP and downloading everything to a folder on your hard drive. Do the same for the files of a database-driven site as well, since the database dump does not contain your themes, plugins or uploaded images.
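As an added example (not from the original article), here is a backup routine for a small site that can run from cron on the hosting account or on a machine that pulls from it. It archives the web root, dumps the MySQL database when DB_NAME is set (with credentials taken from ~/.my.cnf rather than the command line), writes checksums, and verifies that the archive actually reads back. It assumes GNU tar and coreutils (sha256sum); the file-naming convention, the DB_NAME variable and the paths in the usage line are this example's own.

```sh
#!/bin/sh
# Added example: archive a web root, dump its database, checksum and verify.
# Assumes GNU tar and sha256sum. Set DB_NAME to also dump a MySQL database;
# mysqldump reads credentials from ~/.my.cnf so none appear in "ps".

# Create site-<stamp>.tar.gz (and db-<stamp>.sql.gz) in $2 from web root $1,
# plus a manifest of checksums. Prints the archive path.
backup_site() {
    webroot=$1 outdir=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$outdir"
    archive="$outdir/site-$stamp.tar.gz"
    # -C so the archive holds paths relative to the parent and restores anywhere.
    tar -czf "$archive" -C "$(dirname "$webroot")" "$(basename "$webroot")"
    if [ -n "${DB_NAME:-}" ]; then
        # Dump to a file first so a failing mysqldump is not masked by gzip.
        mysqldump --single-transaction "$DB_NAME" > "$outdir/db-$stamp.sql" \
            || { echo "mysqldump failed" >&2; return 1; }
        gzip -f "$outdir/db-$stamp.sql"
    fi
    ( cd "$outdir" && for f in "site-$stamp.tar.gz" "db-$stamp.sql.gz"; do
          if [ -f "$f" ]; then sha256sum "$f"; fi
      done > "manifest-$stamp.sha256" )
    printf '%s\n' "$archive"
}

# Verify one backup: the archive must list cleanly and every checksum in its
# manifest must match. Returns non-zero on any failure.
verify_backup() {
    archive=$1
    dir=$(dirname "$archive")
    stamp=$(basename "$archive" .tar.gz); stamp=${stamp#site-}
    tar -tzf "$archive" >/dev/null 2>&1 || return 1
    ( cd "$dir" && sha256sum -c --quiet "manifest-$stamp.sha256" )
}

# Usage: DB_NAME=wp_blog sh backup.sh /home/you/public_html /home/you/backups
# Afterwards copy the backups directory off the server (scp, rsync, or a
# download over FTP): a backup kept only on the machine it protects
# disappears with it.
if [ "$#" -ge 2 ]; then
    a=$(backup_site "$1" "$2") && verify_backup "$a" && echo "ok: $a"
fi
```

The verification step is the part most people skip. A backup you have never restored is a hope, not a plan, so run verify_backup on each archive after it has been copied to its destination, and restore one into a scratch directory occasionally to be sure the procedure works end to end.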
5. Bad Passwords
When it comes to security, your password is your first and most important line of defense. If someone can guess your password or otherwise gets a hold of it, no amount of security software can protect you.
Attackers routinely run dictionary attacks to guess the passwords of various sites. Simply picking a word that is not in the dictionary is not enough, though, because the word lists they use also include names, dates and common mixtures of words with numbers.
If you have a common password, you can almost be sure your site will be broken into, and there is no firewall that can prevent it.
How to Fix It
Pick a good password. It is that simple. Ideally a password should be longer than 8 characters (the longer the better) and contain a mixture of lowercase and uppercase letters, numbers and symbols. It should be easy for you to remember but hard for anyone else to guess, and it should not be one you already use elsewhere.
If you need help making a good password, visit Gibson Research Corporation’s Password Generator and copy a section of characters from one of its randomly generated strings. A long, truly random string is about as hard to guess as a password can be; the trade-off is that you will need to record it somewhere safe rather than rely on memory.
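As an added example (not from the original article), the script below does the same two jobs on your own machine: it generates a random password from /dev/urandom, and it checks a password you already use against the rules above (longer than 8 characters, mixed case, digits and symbols, and not a dictionary word dressed up with numbers). Generating locally means you do not have to trust a web page or the connection to it. The symbol set and the word-list path are this example's own choices.

```sh
#!/bin/sh
# Added example: generate a random password locally, and check an existing
# one against the article's rules. Assumes /dev/urandom and GNU/BSD tr, head
# and grep; the dictionary check runs only if a system word list exists.

SYMBOLS='!@#$%^&*_+=?'
WORDLIST=/usr/share/dict/words

# Print a random password of $1 characters (default 16) drawn uniformly from
# letters, digits and SYMBOLS. "tr -dc" discards every other byte, so there
# is no modulo bias from mapping random bytes onto the alphabet.
gen_password() {
    LC_ALL=C tr -dc "A-Za-z0-9$SYMBOLS" < /dev/urandom | head -c "${1:-16}"
    echo
}

# Succeed when $1 meets the rules; otherwise print each rule it breaks.
check_password() {
    p=$1 ok=0
    [ "${#p}" -gt 8 ] || { echo "too short: ${#p} characters, need more than 8"; ok=1; }
    case $p in *[a-z]*) ;; *) echo "no lowercase letter"; ok=1 ;; esac
    case $p in *[A-Z]*) ;; *) echo "no uppercase letter"; ok=1 ;; esac
    case $p in *[0-9]*) ;; *) echo "no digit"; ok=1 ;; esac
    case $p in *[!A-Za-z0-9]*) ;; *) echo "no symbol"; ok=1 ;; esac
    # A word padded with digits and symbols is still a dictionary password:
    # strip the padding, lowercase, and look the remainder up in the word list.
    core=$(printf '%s' "$p" | LC_ALL=C tr -dc 'A-Za-z' | tr 'A-Z' 'a-z')
    if [ -r "$WORDLIST" ] && [ -n "$core" ] && grep -qixF -- "$core" "$WORDLIST"; then
        echo "built on the dictionary word '$core'"; ok=1
    fi
    return $ok
}

# Usage: sh passwd.sh                       (prints a new 16-character password)
#        sh passwd.sh check 'Your password' (reports what, if anything, is wrong)
if [ "${1:-}" = check ]; then
    check_password "$2" && echo "ok"
elif [ "$#" -eq 0 ]; then
    gen_password 16
fi
```

The check is a floor, not a guarantee: a password can pass every rule and still be weak if it is a pattern an attacker's word list already contains. Treat a password that fails any check as one to replace, and treat the output of gen_password as something to store in a safe place rather than to memorise.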
Bottom Line
Basic security is straightforward. There is no such thing as a completely secure server, but the steps needed to avoid becoming an easy target are simple things that any webmaster can do.
Thanks Jonathan
Extremely true and helpful!!
If only everybody would do this.
[...] Security blunders are easy to make, but they can be very costly. Not only do they usually require help from the support staff to rectify and repair, but they can, in some cases, put other accounts on the server at risk. [...]
Thank you Jonathan
Your blog is very helpful for everyone who uses a computer a lot.
I really enjoyed reading this blog.
Regards,
Celine