Hackers are the scourge of websites. If the medieval ages were plagued by the laundering of hordes of pillages, today’s cyber world is afflicted with the exploits of cyber criminals of various hues having a free run and wreaking havoc on websites. In most of the cases, the website owners or site administrators remain mute spectators or do not even realize that they are being hacked until the hackers get away with personally identifiable information of visitors, trade secrets, intellectual property or whatever else they are after.
Google identifies 9,500 malware-infected websites a day. Around 4,000 of them are legitimate websites compromised by hackers.
Being hacked is a triple-whammy for websites—they stand to lose significant data stored in their database; are at the risk of being held responsible for the losses suffered by their customers or other people whose details have been hacked; and they stand to lose considerable traffic and business as Google and other search engines blacklist them as infected! The warning, “This site may be infected” is enough to scare off most users.
Hackers compromise websites by exploiting vulnerabilities. A majority of the hacked websites belong to individuals or small businesses that have neither the resources nor the expertise to invest in top-grade security. However, making the website hacker-proof has more to do with getting the basics right than spending a small fortune. The following pointers help:
Disable AnythingThat is Not Needed
Most of the time, hackers exploit vulnerabilities in the website code to install CGI scripts that do their bidding on the server. If the server does not have the CGI scripts installed, then there is no way the hackers can pull this off.
In fact, it is a good idea to turn off everything that is not required for the code to run. This may include php, webmail, perl, asp, etc. depending on the actual code requirements. Turning off anonymous FTP prevents the hacker from accessing the code to study the potential for an exploit.
Hackers exploit vulnerabilities because the code or the applications have vulnerabilities in the first place. Almost all software vendors release patch updates on a periodic basis to fix the vulnerabilities discovered. Outdated versions of software ooze out vulnerabilities and form a happy hunting ground for hackers. Regular patch updates of the operating system, antivirus software, and all major applications make the job difficult for the hacker. It is also a good idea to hide the software version numbers from public-facing pages whenever possible so that the hackers cannot find out if the server runs an outdated version.
The password and the firewalls are the basic security layers. Although passwords are much maligned of late for their ineffectiveness, strong alpha numeric pass phrases can thwart the common password cracking techniques such as dictionary attacks and prevent the hackers from logging in to the servers.
A properly configured firewall is similarly effective to guard the server as it acts as a gatekeeper to the server. Configure the firewall with a white list so that it allows in only those programs that are required to run the website and only traffic coming in from approved port numbers.
The key towards a sound hacker-proof website is working under the assumption that hackers are about to hack it any time and taking whatever measures possible to thwart such an imminent move.