There are some simple steps you as a webmaster can take to protect your website from potential hackers. Most sites, including this one, are powered by PHP and MySQL: a programming language and a database server based on SQL. Most sites are on a Linux box (server) and have a WHM/cPanel backend. 99.9% of sites have FTP allowed. So we are going to take that setup as our starting point.
There are a few types of hacking that should be prevented, and here they are.
If you get your server hacked it's most likely due to a known software vulnerability. Software vendors and hackers play a daily game of cat and mouse: the hackers find holes, the vendors apply patches. If your server is not updated regularly (I'd suggest monthly) then you are putting your server at risk. I personally like to rent servers and have the hosting company harden them and then keep software like PHP and Apache up to date. I'm just not experienced in this area, and most people aren't; if that's the case you need to go with managed or at least partially managed hosting.
SQL injection is when a hacker attempts to run SQL commands against your database through your web pages.
This is usually attempted by changing the variables in the URL or adding to them.
An example of SQL injection would be changing a URL like http://somewebsite.com/view.php?type=red to something like http://somewebsite.com/view.php?type=red and where type=blue, or even worse:
http://somewebsite.com/view.php?page=2&type=red';delete * from table;
The first one is an example of a standard PHP page that grabs variables from the URL; it tells MySQL to select only red items. The second version, view.php?type=red and where type=blue, is an attempt to tell the SQL to also show blue items. The last version is very bad: view.php?page=2&type=red';delete * from table; means the hacker is trying to delete the table in your database. Not good.
So how do you prevent this? Filter input (and filter output) using preg_replace and a regular expression. The following command will work:
$type = preg_replace('/[^a-zA-Z]/', '', $_GET['type']); // keep letters only, drop everything else
That tells PHP to take the variable $_GET['type'] and delete anything that is not an upper- or lowercase letter. Similarly, [^a-zA-Z0-9] would delete anything that is not a letter or a digit. Either of these would defeat the table-delete attempt above.
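To make the difference concrete, here is an added example (not code from the original post) showing the view.php lookup first as the vulnerable string-built query, then with the article's allow-list filter, and then with a prepared statement, which is stronger than the filter alone. The table and column names (items, id, name, type) and the database credentials are assumptions.

```php
<?php
// Added example, not code from the original post: the view.php lookup from
// the article, first as the vulnerable string-built query, then hardened.
// Table/column names (items, id, name, type) and DB credentials are assumptions.

// VULNERABLE: $_GET['type'] is glued straight into the SQL text, so a value
// such as  red';delete * from table;  ends the quoted string and adds SQL.
function buildQueryVulnerable(string $type): string
{
    return "SELECT id, name FROM items WHERE type = '" . $type . "'";
}

// Step 1, the article's fix: allow-list filtering. Every character that is
// not a letter is dropped, so quotes, semicolons and spaces never reach MySQL.
function filterType(string $raw): string
{
    return preg_replace('/[^a-zA-Z]/', '', $raw);
}

// Step 2, stronger than the filter alone: a prepared statement. The value is
// sent to MySQL separately from the SQL text, so it is never parsed as SQL
// even if the filter is missing or too loose.
function fetchItemsByType(PDO $db, string $type): array
{
    $stmt = $db->prepare('SELECT id, name FROM items WHERE type = :type');
    $stmt->execute([':type' => $type]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo with the attack URL from the article (constructed input, no DB needed):
$raw = "red';delete * from table;";
echo "Vulnerable query: " . buildQueryVulnerable($raw) . "\n";
echo "Filtered value:   " . filterType($raw) . "\n";   // only the letters survive

// In view.php (credentials are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=site', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $items = fetchItemsByType($db, filterType($_GET['type'] ?? ''));
```

Use the filter and the prepared statement together: the filter keeps junk out of your data, the prepared statement guarantees the junk can never become SQL.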
Does all of this sound really confusing? That's OK, it is rather complex; that's why most webmasters use some sort of open source content management system like WordPress or Drupal. If this is the case, make sure that your software and its add-ons are up to date.
Also, and this is very, very important, make sure register_globals = off in your PHP configuration. If you don't know what this is, ask your hosting provider whether it is off. It most likely is by default.
Password Cracking
Password cracking is the "art" (or lack thereof) of attempting to guess a person's password by some means, be it software or brainpower. The password could be the cPanel password, the FTP password, the admin CMS password, the WHM password, an .htaccess-protected area password, and so on. The best solution here is to change your password often, and make sure your password is at least 8 characters long and preferably contains a number and/or a special character. If you want a free online password generator, they have one.
Uploading Malicious Apps
This one is pretty common as well. If you allow people to upload files to your website then you are taking a big chance. There are tons of all-in-one PHP directory management tools that hackers can upload to your site and then use to edit or delete your entire site. Let's say you have a custom site that allows users to upload their pictures as an avatar. A hacker could upload a PHP file there. So the most common practice is to limit the file extensions that can be uploaded. But even if you only allow jpg, gif, and png, a cunning hacker can just rename their tool.php to tool.php.jpg, and if your software only checks that the name ends in .jpg, .gif, or .png, the app will still work. That's why I suggest, and most people do, renaming the file automatically. An auto rename of tool.php.jpg to something like 12323423.jpg will defeat that attempt. Check out the PHP rename function.
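An added example (not the original post's code) of an avatar upload handler that applies the advice above: it reads the extension from the end of the name, checks that the bytes really are an image of that type, and stores the file under a random name the uploader cannot choose. The form field name avatar and the uploads/ directory are assumptions.

```php
<?php
// Added example, not code from the original post: an avatar upload handler
// that defeats the tool.php.jpg trick described above. The form field
// 'avatar' and the uploads/ directory are assumptions.

// Decide whether the upload is an image we accept. The extension is taken
// from the END of the name (so "tool.php.jpg" reads as jpg), then it is
// cross-checked against the real file contents, and the original name is
// never reused on disk.
function acceptedImageExtension(string $tmpPath, string $clientName): ?string
{
    $allowed = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                'gif' => IMAGETYPE_GIF,  'png' => IMAGETYPE_PNG];
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                      // not jpg/gif/png at all
    }
    // getimagesize() parses the actual bytes; a PHP script renamed to .jpg
    // has no image header and fails here.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        return null;                      // extension lies about the content
    }
    return $ext === 'jpeg' ? 'jpg' : $ext;
}

// Store under a random name the uploader cannot influence (the article's
// 12323423.jpg idea, using random_bytes instead of a counter).
function storeAvatar(array $file, string $uploadDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = acceptedImageExtension($file['tmp_name'], $file['name']);
    if ($ext === null) {
        return null;
    }
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $newName)) {
        return null;
    }
    return $newName;
}

// Usage in the upload form handler:
// $saved = storeAvatar($_FILES['avatar'], __DIR__ . '/uploads');
// if ($saved === null) { http_response_code(400); exit('Upload rejected'); }
```

Serve the uploads directory with PHP execution disabled (or keep it outside the web root) so that a file which somehow slips past the checks is sent as data, never run.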
Defacing
When you allow users to input or edit your site's content you open yourself up to defacing. This could also be considered spam. When someone posts ads about Mexican horse Viagra on 300 pages of your forum, that's defacing, and annoying as hell. For this one, sadly, there is very little you can do. The best you can do is to implement a CAPTCHA or reCAPTCHA; this will stop the bots that auto-post on forums, blogs and any such forms that take user input. Most spam or defacing of this sort is done by bots. You will not be able to prevent human users from posting spam. You can filter the input using the preg_replace we used in the SQL injection part, but that would break any links submitted and disable image and link embedding. If you want to turn in a spammer or a defacer, do it at Spam-Ip.com.
Most webmasters nowadays use content management software like Drupal or WordPress. If this is the case you must make sure your CMS software has all the latest bug fixes. I used to use PHP-Nuke; it was the original CMS back in 1999 or 2000. But it was notoriously hacker friendly and had more holes than a sponge. I can't tell you how many times I've had a PHP-Nuke site hacked. So make sure your CMS is good, and up to date.
OK, so that's all the info in my head on how to prevent hackers from compromising your data. Hope this helps keep you guys safe; be sure to bookmark this page and tell your friends too. Thanks for reading. Please post your tips below.