How to prevent your WordPress or Joomla site from getting hacked
As we discussed in the introduction of the last post, hacking of sites is a common event. Every day thousands of sites running on WordPress, Joomla or other CMS systems get hacked by bots that crawl the net looking for sites with unpatched vulnerabilities or other weaknesses. Even sites that have no such vulnerabilities or do not use a CMS are targeted: custom coded sites are attacked by XSS attacks. Most people do not pay attention to details or take preventive measures until their sites are hacked, but by then it is too late.
Hence in this post I want to share some steps and precautions that every site owner can take to prevent hacking of their sites. Remember, a hacked site is not just an inconvenience; it brings a bad reputation to your brand. Most of my recommendations are based on the assumption that you are using either Joomla or WordPress, the two most widely used CMS systems in the world, but they will be applicable to custom coded sites as well. I will try to add specific remarks wherever possible.
- Try to go static : If your site is not going to be updated very frequently, or there is not much content that needs to be managed, try to go for a conventional html/css/js site with minimal scripting. You will only need to script the contact page. Not only will the site be less prone to attacks, it will also be faster than a scripted site. I know you will forgo the convenience of using a CMS, but you need to ask yourself whether you really do need a CMS. In case you feel the need for a convenient system, you can also go for a static site generator like Jekyll. This site uses Jekyll and is hosted on GitHub.
- Always stay updated : WordPress, Joomla and almost all other CMS release updates, both major and minor, from time to time. Most site owners do not bother to update their sites because they are content with the fact that ‘the site is working as they want’, but what they fail to realize is that these updates include patches for the vulnerabilities and weaknesses that hackers exploit to hack your site and inject malicious code into it. Running an older version of a CMS is the same as leaving your house unlocked when going on vacation. It will attract robbers.
- Avoid Free Themes : As they say, ‘_There’s no such thing as a free lunch_’; similarly, there is no such thing as a free theme. I am not saying that all free themes are bad, but you need to ensure that the source of the theme is reliable and can be trusted. Stay clear of ripped/nulled themes as much as possible, as it is a common practice for hackers to inject malicious code into otherwise paid themes and offer them as free downloads on warez sites. Again, not all warez sites are bad, but user discretion is required.
- Use trusted plugins/addons : Similar to the theme argument, always go for plugins that are commonly used or have good general feedback. Avoid nulled/cracked plugins downloaded from shady sites. In my opinion, spending a few dollars on a genuine plugin is much better than exposing your site to hackers.
- Use strong passwords : I don't think this point requires much explanation, yet it needs to be mentioned that you have to take care to use a strong and different password for your site and for your database. Also, if you are running several sites on a single server, make sure that passwords are not reused across sites. That way, if one site is hacked, at least the rest of the sites will be safe.
- File Permissions : This is a fairly advanced concept for most lay users, but it is important that proper file permissions are set as recommended by the CMS site. The most common mistake people make is keeping their files writable even when they don't need to be. By exploiting this weakness, hackers are able to modify the files and inject their malicious code. The most common and irritating kind of attack on Joomla sites is the one where a bot recursively injects hacking code into every single php file of the site. It is a real mess when this happens and you definitely don't want to get into it.
- Harden your server : In case you are running your own server, VPS or dedicated server, it is important that you take preventive measures to make sure hacking does not take place. Always run the latest version of your OS and make sure that you apply all updates soon after they are released. Make sure only necessary ports are open and do not install any random / unreliable scripts. This is a particularly good resource in that regard
- Use reliable hosting solutions : In case you are using shared hosting, make sure that you use a reliable host with a good reputation and a fast response time. The issue you can face in this case is that these servers are shared by numerous other sites, and no matter how many steps you take, if any of the sites that you share a server with gets hacked, you are in the danger zone too. So it is important that you work with a hosting provider that reacts quickly to such events.
- Take periodic backups : I know this is not actually a preventive method, but it is important that you take regular backups of the site so that it can be restored in case something ever goes wrong.
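
The file-permission check from the list above, as an added shell example that is not part of the original post: it lists anything under the web root that group or others can write to, lists PHP files changed since a reference file, and resets modes. The 755/644 baseline, the function names and the marker-file convention are assumptions; use the modes your CMS documents.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed baseline: directories
# 755, files 644; adjust to the modes your CMS documentation recommends.

# List every file or directory under $1 that group or others can write to.
audit_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print | sort
}

# List PHP files under $1 modified after the reference file $2 (for example a
# marker touched at the last deployment). A long list when nothing was
# deployed is a sign of the recursive PHP injection described above.
changed_php() {
    find "$1" -type f -name '*.php' -newer "$2" -print | sort
}

# Reset modes under $1 to the assumed baseline.
harden_modes() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Usage: sh audit.sh /path/to/webroot [marker-file]
if [ "$#" -ge 1 ]; then
    echo "Writable by group/others:"; audit_writable "$1"
    if [ "$#" -ge 2 ]; then
        echo "PHP changed since $2:"; changed_php "$1" "$2"
    fi
fi
```

Directories the CMS must write to, such as an uploads folder, may legitimately need looser modes than the baseline; review the audit output before running `harden_modes`.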
They say ‘Prevention is better than cure’ and I agree with this saying. Remember, fixing a hacked site is a far more tedious and expensive task than simply preventing the hack. Trust me, I am saying this based on my own experience.