Pickaweb invests constantly in server security and resilience to ensure that our servers are protected, up-to-date and fully secure.
However security is the responsibility of everyone. We have listed some website security recommendations below which we have written very much from a non-technical perspective so that anyone can understand and protect themselves and their website from malicious activities.
Just to try to put this into perspective please consider the following analogy. Imagine that Pickaweb is a large apartment block. We ensure that the front doors and any other entrances are fully secure. We also ensure that all facilities are up to date, safe, functioning correctly and are in accordance with regulations and best practice. However, we do not control what happens inside each apartment room within the block. If you consider that the apartment block is a server and an apartment is a web hosting account.
Below we have explained how you can protect yourself by ensuring that you maintain the same level of high security as we do in your web hosting service.
The first thing to bear in mind is that whilst it is worrying when you discover that you have been hacked you should not feel that you have been targeted or that you are the victim of a concerted effort by a third party to damage your business. It is usually an automated attack as opposed to targeting you specifically.
As we explain below hacking usually occurs because of website vulnerabilities and it typically consists of 3 phases:
1. Identify Targets: Hackers basically use tools to scan the internet looking for vulnerabilities
2. Upload Malware: Once a vulnerable site is identified they automatically upload their malware to the hosting space
3. Execute Malware: Once uploaded these files will then proceed to perform whatever tasks the hacker requires
Once uploaded & executed the Malware can then perform a range of malicious activities including Spamming (sending bulk emails), Phishing (creating fake bank websites), downloading sensitive data (credit card details) or for Denial of Service (co-ordinated attacks using thousands of computers to disrupt access to a target website).
Essentially there are 2 ways that your account can get hacked & malware uploaded:
1. Web application vulnerability
This happens when one of the web applications you use in your website has a vulnerability. Most web applications have a live subscription service which lets the users know of a security issue or an upcoming upgrade availability. If this facility is not used by web application users, a vulnerability might be not known, and hackers can use that to upload malware to your site.
2. Account password disclosure
This happens when one of the machines you used is infected by a Trojan (a type of virus) or the net connection that you used was not protected by encryption. This allows hackers to collect login details to a valid web hosting account. Once they have the login details to manage your account, they can modify any file in your account or upload any malware (i.e. malicious files) at will.
What action can you take?
There are a number of actions that you can take very quickly which can have a dramatic effect on improving the security of your website. We have categorised these under 2 headings – securing your hosting space and securing your PC.
A. Securing your Hosting Space
A.1. Check that any applications or scripts that you use are using the latest version
If you run an application like WordPress, Joomla or Drupal for your website blog or an E-Commerce application then you should always check that you are running the most up to date & stable version. The reason that these types of applications are updated from time to time is to improve security as well as to increase functionality so it is vital that you stay up to date.
This also applies to PHP scripts such as contact forms. These types of applications & scripts are susceptible to attack from hackers & they will usually automate the identification & exploitation of them. It is not that they have necessarily targetted you as a person or as a business, but the tools that they use have identified that you are running an out of date (& therefore vulnerable) application.
If you are unsure, just google the application & latest version, eg: “Wordpress/Joomla latest version” & you will quickly discover which version is the latest that you should be using.
To find the latest version of the Application or script that you are using you just need to login to the admin area. For tools like WordPress & Joomla there will usually be a button telling you that you need to update your application & a one click update button. If you are unsure you should verify with the Application vendor/supplier.
Once you know the version, go to Google & type “ENTER YOUR APPLICATION HERE vulnerabilities”. For example, if you are running Zen Cart version 1.3.8a, type “Zen Cart version 1.3.8a vulnerabilities” & you will be presented with known issues & vulnerabilities that the hackers can exploit. These issues are in the public domain, so for a hacker they just need to automaticallysearch for websites that run that particular application & check to see if that vulnerability is open to them.
A.2. Also check any plugins that you use are also running the latest versions
Don´t assume that just because you have updated the main application that everything is safe & secure. These days many applications like WordPress, Joomla or Drupal have extra plugins which provide extra functionality but which are separate from the main application. You must also check that you are running the latest version of these plugins & that they are also compatible with the latest version of the application that you are running if you have updated that (see point 1 above).
A.3. Review your websites files & remove any suspicious files
Performing a quick check of your website´s files should help you to quickly identify anything suspicious. Look for things with suspicious sounding names like “barclays”, “paypal” or “hsbc”.
A.4. Perform regular audits of your hosting to remove out of date programmes, databases, applications or files
Remember that database you set up years ago to do some testing? You may have forgotten it but the hackers haven´t! As we have seen above it could just be a tempting entry point for their malware so by removing any old applications or databases that are no longer needed you will be closing an open door.
B. Securing your PC
B.1. Make sure that your PC is secure
This may sound obvious but so many times people overlook the need to protect their own PC. Malware can access your website in a number of different ways so it is vital to stay up to date. The thing is that many people will assume that just because they have an anti virus tool that they are protected, but there are extra steps that you should take such as:
> Ensuring your Operating System is up to date
> Keep your browser (Explorer/Firefox), plug ins, anti virus definitions & other applications/programmes up to date. Use the automatic update feature where possible.
> Invest in a good quality Security Software for your PC – it is tempting to go for freeware, but does it really offer the full protection you need? Try to find software that has been independently reviewed rather than basing your decision on the vendors claims
> Run through the list of applications installed on your PC & remove any that you no longer use or which are no longer supported by the vendor
> Observe caution when surfing the net or when opening emails or attachments
Obvously this list is not exhaustive but it is a good starting point. Security is not a static subject. It is always moving and it is everyone´s responsibility to try to stay ahead of the game.
B.2. Check that your network is secure
Nowadays the use of portable devices and increasing use of phones & tablets to access the internet means that wireless use is growing dramatically. This represents a massive temptation to hackers. If you do connect to a wireless network either at home or when you travel (hot spots) please take care to ensure that a) your device is fully protected & b) that the network you are accessing is fully secure & encrypted using the correct protocols (WEP or WPA). If you are unsure it may be better to delay accessing the internet until you can be sure that you are on a secure connection.
We hope you have found this technote useful on website security recommendations.
Thanks for reading and leave your questions below to keep the conversation going.