Website security

Editor: Evgeniy Burovinskiy

What is website hacking?

Your website can be considered hacked when someone has gained unauthorized access to its data.

Why do sites get hacked?

A website can be hacked for different reasons. Sites can be hacked to infect visitors' computers with viruses and malicious software. A site can also be hacked in order to send spam from your domain's email address. Another way to use a hacked site is to place buttons or links on it that lead to scam websites or initiate a download of viruses to your PC. In addition, hackers can ‘steal’ your website and then blackmail you. If your website is quite popular, competitors may also hire hackers just to erase your files or make your website unavailable for some period of time.

Hacking methods and ways to protect your website

FTP and/or hosting account password theft

We don’t recommend giving anyone access to your hosting account at all. It is better to give only the FTP login credentials. Moreover, many control panels let you create users with different access levels. So, if you need to give someone access to your files (for example, your webmaster), we recommend creating a user with limited access rights.

How to avoid FTP and hosting account password theft?

Try to avoid providing your login credentials to third parties. If you need to provide these details, make sure that the person is trustworthy. Even then, we still recommend providing FTP access only or creating a separate user with a limited access level. Also, make sure that all of your passwords are hard to guess and contain different symbols, letters and digits.

Hosting company security breach

A security breach at a hosting company is possible, but it happens very rarely. Most well-known companies treat security seriously, so we recommend using their services rather than those of a newly established or unchecked company.

How to avoid such situations?

Choose reliable hosting providers that have lots of customers worldwide. You can check our footer to find the hosting that suits your needs. Also, you can find the rating of the providers with the best price-quality ratio here.

CMS hacking

It does not matter whether the CMS is free, paid or custom-built. If it is a popular CMS, hackers will definitely try to find some vulnerabilities that will allow them to hack thousands of websites at the same time. However, this triggers the opposite process: the more people try to hack the CMS, the more secure it becomes with each release.

Another way a hacker can get access to your CMS is through extensions (plugins, modules, etc.) downloaded from third-party websites. They may contain malicious scripts.

How to avoid CMS hacking?

Make sure that your CMS is up to date. Download both the CMS and its extensions only from the official website. You can find lots of free extensions there. If you have a custom-built CMS, you will probably need to conduct a security audit from time to time. This service is quite expensive. Moreover, it is hard to find a decent and trustworthy audit company. So, the only thing you can do is to research thoroughly before ordering this kind of CMS, read customer reviews and then decide whether it’s worth a try. By the way, you can check our articles about Joomla and WordPress security on our website.

File permissions

File permissions can be represented as numbers or symbols. Basically, every file can be read, written, and executed. Each of those actions can be allowed or denied, with various degrees of specificity, which is what permissions are for. For instance, if a file has a permissions value of ‘777’, anyone can read, write or execute this file.

How to configure file permissions correctly?

Set the following permission values: 755 for folders and 644 for files. We also recommend double-checking this with your hosting provider, an experienced webmaster or the CMS developer before you change the permissions of your files and folders, in order to avoid any issues. You can read more about file permissions in this article.
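To see which entries in a site directory grant more than these values before changing anything, the check below walks a tree and reports them. It is an added example, not part of the original article; the function names and the default of auditing the current directory are assumptions.

```python
import os
import stat
import sys

DIR_MODE = 0o755   # rwxr-xr-x: the article's value for folders
FILE_MODE = 0o644  # rw-r--r--: the article's value for files


def describe(mode):
    """Render an octal mode such as 0o644 in symbolic form: 'rw-r--r--'."""
    return stat.filemode(mode)[1:]  # drop the leading file-type character


def audit_permissions(root):
    """Return sorted (path, actual, expected) for entries that grant
    any permission bit beyond the 755/644 baseline."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, DIR_MODE) for d in dirnames]
        entries += [(f, FILE_MODE) for f in filenames]
        for name, expected in entries:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            actual = stat.S_IMODE(st.st_mode)
            # Only extra bits are a finding; stricter modes (e.g. 600) pass.
            if actual & ~expected:
                findings.append((path, format(actual, "03o"),
                                 format(expected, "03o")))
    return sorted(findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, actual, expected in audit_permissions(root):
        print(f"{path}: {actual} ({describe(int(actual, 8))}), "
              f"baseline {expected}")
```

The script only reports; it leaves the decision to change a mode to you, which matters because some CMS directories may need settings your provider or CMS developer specifies.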

SQL-Injection

Nowadays, most sites use SQL databases for dynamic page generation. Pages are generated by running SQL queries. If input from a web page is placed into a query unchecked, a hacker can modify the query and insert malicious code into it. This is called an SQL injection.

How to protect your website from an SQL-injection?

First of all, we recommend using a secure CMS. Additionally, if you have some experience in programming, it is possible to validate SQL queries. For instance, you can use the PHP function mysql_real_escape_string that removes malicious code from the query.
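The mysql_* functions, mysql_real_escape_string among them, were removed in PHP 7.0; PHP's PDO and mysqli extensions offer prepared statements, which keep the query text fixed and pass input separately as data. The added example below (not from the original article) shows the difference using Python's built-in sqlite3 module so that it runs without a database server; the table, rows and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a site's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"),
                    ("bob", "bob@example.test")])
    return db


def find_user_unsafe(db, login):
    # BEFORE: the input becomes part of the SQL text, so a quote character
    # in it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT login, email FROM users WHERE login = '" + login + "'"
    return db.execute(sql).fetchall()


def find_user_safe(db, login):
    # AFTER: the SQL text never changes; the value is bound to the
    # placeholder and compared as data, whatever characters it contains.
    sql = "SELECT login, email FROM users WHERE login = ?"
    return db.execute(sql, (login,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"  # constructed form input
    print("concatenated:", find_user_unsafe(db, tampered))  # every row
    print("bound:       ", find_user_safe(db, tampered))    # no rows
    # A harmless apostrophe also breaks the concatenated query:
    try:
        find_user_unsafe(db, "o'brien")
    except sqlite3.OperationalError as exc:
        print("concatenated query failed:", exc)
    print("bound:       ", find_user_safe(db, "o'brien"))
```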

Cross-site scripting (XSS)

This is a type of vulnerability typically found in web applications. The attacker aims to execute malicious scripts in the victim’s web browser by including malicious code in a legitimate web page or web application. Basically, if the website is hacked in this way, the hacker can gain access to any visitor’s login credentials. The visitor will not even see the difference, as the website will look and work completely normally.

How to secure your website from cross-site scripting?

Unfortunately, it is quite hard to secure your website from these attacks. Even popular websites such as Facebook can fall victim to XSS attacks. We advise using a secure CMS and hiring an experienced system administrator to ensure your website's security. If you cannot afford a webmaster at the moment, remove the registration form from your website to avoid sensitive data being stolen.

Computer viruses

Yes, viruses are still popular and can harm your website. If your PC is infected, there is a possibility that your control panel login credentials were already stolen.

How to protect the website from PC viruses?

First of all, do not save your password in your browser or in a file on your PC. Secondly, install an antivirus and run a security check on a regular basis. And don’t forget to update it as often as possible. We also recommend using Unix systems; they are more secure.

Don’t download and install suspicious software, don’t click on any links and don’t download any attachments in an email sent from an unknown email address.

Advice

  1. Scan your sites for viruses on a regular basis. You can find detailed guidelines here.
  2. Back up your sites as often as possible (once a day would be enough).
  3. Save log files on a regular basis because hosting providers keep log files for about 2 weeks and then erase them. They contain information about all of the queries that are sent to the server. This may help to locate an unusual login, i.e. when the hacker attempted to gain access to your website.
  4. If you have an e-commerce website that supports any payment system, make sure that you either use an SSL-certificate or connect your website to an external payment system.
  5. Double-check what security features and tools your hosting provider offers. Most hosting companies take the security of their customers seriously and offer lots of different free tools that are available in the control panel or are included in the package.
  6. If you hired a webmaster to develop your website, make sure that one of his main tasks is to secure the website from all sorts of attacks and vulnerabilities. To ensure that all of the security issues are fixed, ask another webmaster to try hacking your website. It may seem a bit overprotective; however, these actions can guarantee that your website and its visitors’ data are protected from malicious software and security breaches in general.
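For point 3, this is one way to search saved access logs for an unusual login. It is an added example, not part of the original article. Assumptions: the log uses the common "combined" format, the login endpoint is WordPress's /wp-login.php, a rejected login re-renders the form with status 200 while an accepted one redirects with 302, and three rejections per address is the threshold. The log lines are constructed.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
LOGIN_PATH = "/wp-login.php"  # assumption: the site's login endpoint
THRESHOLD = 3                 # assumption: rejections per IP worth a look

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.20 - - [02/Mar/2024:03:10:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [02/Mar/2024:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
198.51.100.7 - - [02/Mar/2024:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
192.0.2.5 - - [02/Mar/2024:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
198.51.100.7 - - [02/Mar/2024:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
192.0.2.5 - - [02/Mar/2024:03:14:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [02/Mar/2024:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 9120
198.51.100.7 - - [02/Mar/2024:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""


def suspicious_logins(log_text, threshold=THRESHOLD):
    """Map each IP with >= threshold rejected logins to its failure count
    and the time of the first accepted login that followed them, if any."""
    failed = defaultdict(int)
    success_after = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, when, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != LOGIN_PATH:
            continue
        if status == "200":    # assumption: login rejected
            failed[ip] += 1
        elif status == "302" and failed[ip] >= threshold:
            success_after.setdefault(ip, when)  # accepted after many misses
    return {ip: {"failed": n, "success_after": success_after.get(ip)}
            for ip, n in failed.items() if n >= threshold}


if __name__ == "__main__":
    for ip, info in suspicious_logins(SAMPLE_LOG).items():
        print(ip, info)
```

An address that appears with a non-empty success_after value is the case to investigate first: change that account's password and review what the session did afterwards.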