SECURITY TIPS - Website Defacement Alert and Guide [INFO]
Posted on 27 December 2011 10:41 AM

 

Dear Customers,

We believe a few web defacement incidents have happened recently and affected some of our Shared Hosting customers. We understand that this has had a great impact on some of your accounts. We would like to use this opportunity to educate our customers on managing their web sites so that they can protect themselves from minimal external threats.

Kindly refer to the guideline below to learn about the preventive measures that protect your websites against being hacked or injected. It may take you some time to read through the steps, but it will surely help you in managing a safer site.

1. CMS Files Permission

Don’t take for granted that your open-source web applications, such as a CMS, are 100% safe. All software has bugs, mistakes and security holes. If a CMS has a security flaw, hackers will find it at some point in time.



2. CMS Application Security Updates

Do not forget to keep yourself updated on security holes in your CMS. Most open-source systems release updates on a regular basis. However, not all systems check for updates instantly and some can’t install them automatically. Keep yourself updated by joining mailing lists or following Twitter accounts of those services.



3.  CMS Application's Admin Login

Do not forget who is accountable for updating your CMS. Maybe you have used your hosting suppliers' 1-click installer or perhaps your web designer has installed the CMS for you. But do they update it for you? Rarely. Keep in mind it’s your responsibility that your CMS is updated with the newest security patches. Alternatively, you could outsource the task to your webmaster, website development expert or website designer.


4.  CMS's Notification & Alerts

If your CMS does give you update alerts, don’t neglect them! Systems like Umbraco and DotNetNuke have a function that checks for available updates when you log in. A system like WordPress also checks for updates, and with a few clicks in the admin you can update your CMS very easily (don’t forget to back up before you update). Take the update alert seriously and update straight away.


5.  CMS's 3rd Party Module and Application - Security Issue

Don’t forget to update third-party modules. Developers other than the open-source team could have developed the modules on your CMS. These modules can also contain security issues. Just as you have to update the CMS, you also need to update the third-party modules your CMS uses.

 

6.  Webmaster or Site Developer

Don’t forget to team up with an expert or supporter. Keeping your system up-to-date can be difficult and laborious. If you team up with a consultant who is used to updating your kind of open-source system, you are able to save valuable time and concentrate on running your business. You can pay the consultant monthly to make the updates when they become available, or you can pay per task.


7.  Password Login Policy

Do not forget to have a robust password policy. This is really the biggest reason why hackers get access to systems - weak passwords. Try to make long passwords, at least 8 characters with both numbers and letters. Do not use your name or zip plus city. If you find it hard to remember long passwords, try making a sentence with a number, and then use the 1st letter of each word to make a password. E.g. “The Rabbit jumped over 4 Stones and 7 Flowers” makes the password TRjo4Sa7F.


8.  Database and Backup

Do not forget to back up your full system (both files and database) – constantly. You may take for granted that your hosting supplier backs up everything. Well, they do, but mistakes happen even at the largest hosting suppliers. Also, the hosting supplier's backup history may be only a couple of weeks long. If your system gets hacked, the very first thing a hacker does is leave a backdoor. After weeks, perhaps months, he returns and defaces the homepage. When your hosting supplier restores your system from the newest backup, the hack seems to be resolved on the surface, but the backdoor is still there. If you choose a free open-source CMS for your homepage, remember that it does take some time to maintain and update it. Outsourcing this part might be a brilliant idea.


9.  Malware, malicious scripts in Free Templates

There are many sites that offer Free Templates for CMS software such as Joomla and WordPress, but what you may not know is that some of these sites have hidden bits of code within these templates that are malicious. In some templates, you will find links in the footer that are not so friendly and you can’t remove them because it’s part of the agreement set by the author in order to use the template.

Steps that need to be taken:

a)  You must keep the footer intact in order to use the free template. The problem is that the links in the footer may go to web sites that have a low or poor reputation. If these links don’t have the no-follow attribute, you may find your site in a bad neighborhood. This is very bad in Google’s eyes and could put your site on the blacklist.

b)  Base64 code found in the theme template is dangerous, because this code is obfuscated and Base64 is often used to hide malicious code. In addition to malicious code, it can also contain links that go to dangerous websites. But if you remove the Base64 code, your theme will stop working.
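
A small review script for points a) and b), added here as an example and not part of the original guide: it decodes literal `base64_decode()` arguments in a template so you can read what they hide, and lists external links that lack `rel="nofollow"`. The sample footer, the `.example` domains and all function names are constructed for illustration.

```python
import base64
import re

# Constructed sample of a free theme's footer.php (not from any real theme).
_HIDDEN = base64.b64encode(b'echo \'<a href="http://spam.example/pills">link</a>\';').decode()
SAMPLE_FOOTER = (
    '<div id="footer">\n'
    '<a href="http://designer.example/">Theme by Designer</a>\n'
    '<a rel="nofollow" href="http://host.example/">Hosting</a>\n'
    "<?php eval(base64_decode('" + _HIDDEN + "')); ?>\n"
    '</div>\n')

# base64_decode() called with a quoted literal argument.
B64_CALL = re.compile(r"""base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")
ANCHOR = re.compile(r"<a\b[^>]*>", re.IGNORECASE)
HREF = re.compile(r"""href\s*=\s*(['"])(https?://[^'"]+)\1""", re.IGNORECASE)
NOFOLLOW = re.compile(r"""rel\s*=\s*(['"])[^'"]*\bnofollow\b[^'"]*\1""", re.IGNORECASE)

def decode_hidden_blocks(source):
    """Return the decoded text of every literal base64_decode() argument."""
    decoded = []
    for match in B64_CALL.finditer(source):
        payload = "".join(match.group(2).split())  # drop line breaks inside the blob
        try:
            raw = base64.b64decode(payload, validate=True)
        except ValueError:
            continue  # not valid Base64; leave it for manual review
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded

def followed_links(source):
    """Return external hrefs whose <a> tag has no rel="nofollow"."""
    links = []
    for tag in ANCHOR.findall(source):
        href = HREF.search(tag)
        if href and not NOFOLLOW.search(tag):
            links.append(href.group(2))
    return links

def review_template(source):
    """Summarise what a template shows openly and what it hides."""
    hidden = decode_hidden_blocks(source)
    return {
        "visible_followed_links": followed_links(source),
        "hidden_code": hidden,
        "hidden_followed_links": [u for h in hidden for u in followed_links(h)],
    }

if __name__ == "__main__":
    print(review_template(SAMPLE_FOOTER))
```

Run it over each template file before installing a theme; it only reads literal Base64 strings, so anything assembled at runtime still needs manual review.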


If you have any further queries on this guide, feel free to get back to us by submitting a support ticket to http://247livesupport.biz
Thank you.


Regards,
247LiveSupport.biz Support Team

