Website Security Checklist
Keeping your website secure is not just about protecting it from destruction.
What is even more important is protecting the people using your website.
If your website is destroyed, it is not that hard to rebuild.
(You make backups whenever you change anything, right?!)
But if your website hurts people, there's no way to undo it.
The majority of the attacks I have helped with have involved malicious code
on a website which did bad things to the visitor's computer.
And the bad code got onto the website pages because of "easy" passwords
and Windows viruses.
Most website hacks start with a stolen password or virus on the admin's computer itself.
Therefore, the security advice below starts with you and your computer.
In fact — it's two-thirds of the page!
If nothing else, do the 20% thing that takes care of 80% of all hacking:
Use strong passwords!
Your computer
Keep your Windows computer free of malware (viruses, trojans, etc.)
These bad programs do things like:
- Capture passwords that you type and send them to the hacker.
- Capture passwords from email and send them to the hacker.
- Inject a virus into HTML pages you are making.
  When you upload the page to your site, the virus runs on other people's
  machines and infects them.
- Use the Secunia online vulnerability scanner to make sure your software is up to date:
  http://secunia.com/vulnerability_scanning/online/?task=load
- Download anti-virus software and fully scan your PC for malicious files.
  Here are some free online scanners for Windows, which is typically the most vulnerable to infection. If you have a different OS, there are similar programs that can be located and run on your system to protect it in the same way:
- Make sure your antivirus program gets the new database and version releases.
Or use Linux (such as Ubuntu) and you can skip the whole section above!
Your general accounts, programs, and emails
Passwords
- Use strong passwords.
  This is the number one thing you can do to protect your email, web accounts, websites, everything.
  Good ideas for secure passwords:
  http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords
- Update the password for any account that you access or own that may not be up to standard.
- Don't send passwords or login information in email!
  Use Skype, Yahoo Messenger, or SMS only.
  Especially since the keylogger virus on your Windows computer,
  and/or the hackers on your unencrypted email connection,
  probably already have the domain and the login!
  (I never even use the words p**d or l*g*n in any of my emails, to anyone ...)
Access your email, website cPanel, file uploads, or CMS admin, securely
- If possible, never access these from a Windows computer at all.
  But especially not when you are changing an admin password.
- If you have the option to use 'https' (secure, encrypted connection) rather than 'http',
  do it.
  (To find out, just try accessing your cPanel or admin with https instead of http,
  and see if it works. For example: https://www.mydomain.com/cpanel )
- If you have the option to upload your files with 'SCP' (secure, encrypted connection)
  (with a program such as WinSCP, or SFTP in FileZilla)
  rather than 'FTP' (with a program such as FileZilla), do it.
  (You will have to have "shell access" enabled to do this.)
Don't click on links in email
- An account email that is truly from the account site (like Yahoo or Gmail or a bank)
  will never have you click on a link to log in.
  Always go directly to the website to log in.
- If you want to go to a link in an email, copy and paste, or type, the URL into the browser.
- If you want, you can check suspicious links you are given in emails or find online:
  http://www.avg.com.au/index.cfm?section=avg&action=onlinescan
  or
  http://OnlineLinkScan.com/
  (Personally, I don't bother. There are so many more useful things to do!
  I just don't click on links in email.)
Don't open attachments in email
- It is very rare that anyone sends you any information that is important or useful
  that couldn't be just plain text.
  (I have not yet seen an MS Word file that couldn't be just plain text. MS Word is to viruses
  like a candle flame to a moth!)
- When you need to transfer graphics files, PDFs, etc.,
  - Use a "dropbox" site such as
- If someone didn't tell you they are going to send you an attachment,
  don't even waste your time with it. Delete it.
  It is not enough that "I know this person". How do you know it is really
  that person who sent you the attachment?
- Download attachments and scan them before opening,
  or use your mail client's virus scanner.
Your web browser
- Don't use Internet Explorer for any site requiring a login.
  Mozilla Firefox, Google Chrome, and Safari are excellent browsers that are not
  so wide open to attacks.
- Make sure you always have the latest version of your browser.
- You can have your browser subscribe to Google's Safe Browsing API:
  http://code.google.com/apis/safebrowsing/
And finally ... your website/cms itself!
For all websites
- Backups: Make backups. Early and often.
- Unused logins:
  Check your hosting account, cPanel login, FTP users, CMS users, and databases.
  If they are not being used, delete them -- they are just waiting to be hacked.
- Check your website for malware with online tools:
- You can even try testing an attack on your website with programs you run from your own computer.
Programs and/or databases on websites
If there are any programs installed on your site, such as PHP form scripts, or javascripts:
- Just because some technical person made them does not mean they are that person's responsibility.
- Just like when a workman does electrical work at your house —
  you may not know as much about electricity, but the final result is still
  in your house, and is ultimately your responsibility.
- Know who made the program or JavaScript.
  Keep in touch with them, and make sure they are updating it for security.
- Know what it is for, and what it does.
- If it is not being used, delete it.
- If the nice Inji who made it has gone away and is not in touch any more,
  and didn't leave info with someone else on how to take care of the script
  — delete it!
  Find somebody responsible to take it over, or make a new one.
- Check any programs/JavaScript on your site for security,
  or know who to trust to check them.
  (Examples:
  Is all input cleaned before processing?
  If they upload files, what are the file upload permissions?
  If they access a database, is all database security code in place?)
- Program account logins or databases:
  If they are not being used, delete them -- they are just waiting to be hacked.
- Program configurations:
  Ensure that configurations ("config files") for a program are not stored in the web document root.
If you don't know what these things mean, that's OK!
You don't know what all the little tools of the electrician or the computer repair guy do either.
But you do know how to ask them questions, to make sure the job is done!
In the same way with websites, we have relationships with local professionals
who do these things for us. And in the same way, in the end it is up to us, the website owners,
to make sure it is all done right.
If you are the programmer:
Lucky you! Big responsibility.
Here's some advice from a local security expert (Frederic of AirJaldi):
“
There is no magic bullet to [ensure] the security of a web site.
My 2 Rs would be to stick with proven frameworks and keep them up to date,
not use random plugins written by a noob.
[such as, check everything you add to your CMS]
...
The best advice is, never trust any information coming from the client,
either from a form or from a cookie. Why should a client be nice? Why
should he not modify the information you gave him a few milliseconds ago?
Always check the integrity of information sent to the server.
Never trust the browser.
”
So, programmer:
Everything you do as a programmer starts from this principle.
"Never trust the browser" is exactly the same advice
we got in a web security class from Randal Schwartz, Perl guru, many years ago.
It hasn't changed!
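As an added example (not code from this page or from Frederic), here is what that principle looks like in a small PHP form handler: the login cookie is verified rather than believed, every field is checked on the server, the database query is a prepared statement, and the text is escaped when shown back to visitors. The table name, the config file path and the cookie format are assumptions.

```php
<?php
// Added example (not code from the original checklist): a comment-form handler
// built on "never trust the browser". Assumed: a `comments` table, and a config
// file above the document root returning dsn/user/pass plus a random `secret`.
declare(strict_types=1);

$cfg = require dirname(__DIR__) . '/config/db.php';   // lives outside public_html
function fail(int $code, string $msg): void {
    http_response_code($code);
    exit($msg);
}

// 1. The cookie claims who the user is. Verify the claim instead of believing it.
//    The format "userId.hex(HMAC-SHA256(userId))" is an assumption for this example.
function verifySignedCookie(string $cookie, string $secret): ?int {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0], $secret);
    return hash_equals($expected, $parts[1]) ? (int) $parts[0] : null; // constant-time compare
}

// 2. Every form field is checked against what it is allowed to be; anything else is rejected.
function validateComment(array $post): array {
    $email  = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $rating = filter_var($post['rating'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 5]]);
    $body   = is_string($post['body'] ?? null) ? trim($post['body']) : '';
    if ($email === false || $rating === false || $body === '' || strlen($body) > 2000) {
        fail(400, 'Invalid input');
    }
    return ['email' => $email, 'body' => $body, 'rating' => $rating];
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') fail(405, 'POST only');
$userId = verifySignedCookie($_COOKIE['session'] ?? '', $cfg['secret']);
if ($userId === null) fail(403, 'Not logged in');
$data = validateComment($_POST);

// 3. Prepared statement: values travel separately from the SQL text, so a crafted
//    field cannot change the query. Emulated prepares are off so the server binds them.
$pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'],
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$stmt = $pdo->prepare('INSERT INTO comments (user_id, email, body, rating) VALUES (?, ?, ?, ?)');
$stmt->execute([$userId, $data['email'], $data['body'], $data['rating']]);

// 4. Escape on output, so stored text is shown as text and never runs in a visitor's browser.
echo 'Saved: ' . htmlspecialchars($data['body'], ENT_QUOTES, 'UTF-8');
```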
CMS website
- Unused logins:
  Check your CMS users, CMS admin accounts, and databases.
  If they are not being used, delete them — they are just waiting to be hacked.
- Updates:
  Ensure that all scripts/plugins/modules/components are updated to the most recent released version.
  The main reason that new versions are released is to fix known security problems!
- Database configuration:
  Ensure that all database configurations for your account are
  - using a strong, secure user and password combination,
  - not stored in plain text,
  - not stored in the web document root.
- Accessing the database:
  Do not use your cPanel username and password to access the databases for your site
  (such as through phpMyAdmin).
  This may be convenient, but it introduces an incredible security risk.
- Backups: Make backups!
- Know your CMS: which parts can be reinstalled, and which parts make up your website content
  and cannot be replaced.
- What you need to back up is usually: First – the database! That's where your content is.
  Second, your theme (template) files; Third, media uploads to the site (images, videos, etc.).
If you don't know what these things mean —
same as above!
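An added example, not part of the original page: a PHP script for a nightly cron job that backs up exactly the three things listed above, in that order. The paths, the config file layout and the WordPress directory names are assumptions; adjust them for your CMS.

```php
<?php
// Added example (not code from the original checklist): a cron job, e.g. run nightly as
// "php /home/user/bin/backup.php", that backs up the three things named above, in that
// order: the database, the theme, and the media uploads. Every path, the config file
// layout and the WordPress directory names are assumptions; adjust them to your CMS.
declare(strict_types=1);

$home      = dirname(__DIR__);                 // e.g. /home/user, the parent of public_html
$cfg       = require $home . '/config/db.php'; // ['db' => ..., 'user' => ..., 'pass' => ...]
$docroot   = $home . '/public_html';
$backupDir = $home . '/backups';               // outside the document root, not downloadable
$stamp     = date('Y-m-d_His');

function run(string $cmd, string $what): void {
    exec($cmd, $output, $rc);
    if ($rc !== 0) {
        fwrite(STDERR, "$what failed (exit $rc)\n");
        exit(1);
    }
}

if (!is_dir($backupDir) && !mkdir($backupDir, 0700, true)) {
    fwrite(STDERR, "cannot create $backupDir\n");
    exit(1);
}

// 1. The database first: that is where the content is. Credentials go in a temporary
//    0600 file read by mysqldump, not on the command line where `ps` would show them.
$cnf = tempnam($backupDir, 'cnf');
chmod($cnf, 0600);
file_put_contents($cnf, "[client]\nuser={$cfg['user']}\npassword=\"{$cfg['pass']}\"\n");
$sql = "$backupDir/db-$stamp.sql";
exec(sprintf('mysqldump --defaults-extra-file=%s --single-transaction %s > %s',
    escapeshellarg($cnf), escapeshellarg($cfg['db']), escapeshellarg($sql)), $out, $rc);
unlink($cnf);   // remove the credentials file whether or not the dump worked
if ($rc !== 0) { fwrite(STDERR, "database dump failed (exit $rc)\n"); exit(1); }
run('gzip -f ' . escapeshellarg($sql), 'compressing dump');

// 2. Theme and 3. media uploads: the parts that cannot simply be reinstalled.
$files = "$backupDir/files-$stamp.tar.gz";
run(sprintf('tar -czf %s -C %s %s %s', escapeshellarg($files), escapeshellarg($docroot),
    escapeshellarg('wp-content/themes'), escapeshellarg('wp-content/uploads')), 'file archive');

// Keep two weeks of backups so the directory does not slowly fill the disk.
foreach (glob("$backupDir/*.gz") as $old) {
    if (filemtime($old) < time() - 14 * 86400) {
        unlink($old);
    }
}
echo "backup done: $sql.gz and $files\n";
```

Copy the backup directory off the server regularly as well; a backup that sits next to the site disappears with it.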
Credits:
- Many people shared their experiences with me, making me able to build this list.
  There are too many to list them all, and also
  to risk the embarrassment of leaving someone out.
  Just know that one of them was probably you who are reading this,
  and know that you are all thought of with much gratitude!
Know more
All content not copyright by anyone else is copyright © 2003–2010 James Walker.
License for use is the GNU Free Documentation License.
Find it here in the License directory, or at the Free Software Foundation, www.fsf.org
This content is copyright to the author stated on the page.