5 Common Server Security Mistakes
Web servers are a prime target for hackers, and running a site requires a certain amount of vigilance.
If you have a managed hosting solution, much of the security work is handled for you.
But there are still some security blunders to avoid.
1. File Permissions
If you install scripts on your server, you probably have to set permissions on some folders.
This is usually done using the CHMOD command in an FTP program.
Sometimes, getting the settings right can be tricky. In a fit of frustration, we’ve all set our folders to the most permissive setting, 777.
This allows hackers easy access. Don’t do it.
Most servers have good default permissions so they should only be changed if absolutely necessary.
2. Wildcard Indexing
Most Web sites have a folder where they keep their images, audio or other non-Web page files. But what happens when you visit the root of the directory (IE: yourdomain.com/pics/)?
If you get a server error (either 403 or 404) you are in good shape. If you see a list of the files in that directory, you’re potentially opening up the server to leeching, hotlinking and even exposing more of your directory tree.
3. Out of Date Software
You’re responsible for keeping the applications you install up to date.
If you can’t do this, you’re exposing your site to a variety of attacks: database injection attacks, password hacks and more.
Update your software regularly. If WordPress is telling you it’s out of date, do something about it.
Any number of disasters can strike your server at any time, wiping out your data. Having your own backups is important; relying on your host is never a good idea.
If you run a database-driven site (eg, WordPress blog), much of your site content can be backed up using a plugin or an easy database dump.
For other sites, backing up is as simple and easy as logging in via FTP and downloading everything to a folder on your hard drive.
5. Bad Passwords
If someone can guess your password, no amount of security software can protect you.
Hackers routinely use dictionary attacks to guess the passwords of various sites.
Your password should be over 8 characters long, contain a mixture of letters, caps, numbers and symbols. Your password should be easily remembered by you, but not easily guessed by anyone else.
If you need any help making a good password, visit Gibson Research Company’s Password Generator and copy a section of characters from one of their randomly-generated text strings.
Basic security is straightforward. While there is no such thing as a completely secure server, the basic steps required to avoid becoming an easy target are simple enough. There’s no excuse: do your bit and improve your security.