How to Prevent "My Site Got Hacked"

Jason Diehl
More and more these days you'll find sites showing up in Google's search results flagged as "This site may harm your computer". It really is great that Google and Firefox have included this feature, so that random users don't stumble upon sites with infections waiting to be installed on their machines. How does the average website owner prevent this kind of warning from appearing on their website? And, most importantly, how did it happen in the first place?

How are they breaking in?

I personally work for a hosting company, and as such I see a lot of the trends and methods used for breaking into websites. Currently it appears that the most common methods of attack are as follows:

1) Poor security practices: weak passwords, unused scripts left running, forgotten accounts left active. Users have a hard time remembering passwords, so they choose something very easy to remember, but also very easy for malicious users to guess or brute-force.

2) Stolen FTP credentials: connecting to your website via FTP from an infected computer can simply give away your login no matter how strong your password is, through spyware, key-loggers, traffic sniffers, etc.

3) Security holes in popular software: CMS software such as WordPress, Joomla, Drupal, etc., forum software such as phpBB or vBulletin, and even eCommerce software such as X-Cart, Magento, or osCommerce are all subject to vulnerabilities. Often the developers of such systems have a fix out very quickly for a found vulnerability, but website owners at times don't understand the importance of applying the patches. Once the vulnerability is made public, a road map for hacking your site has been released to malicious users.

4) Poorly programmed "in-house" software: web developers who make mistakes in their own custom scripts, or who don't revisit the scripts they write looking for potential openings, can be subject to hacking attempts. This last method is probably the least used since it requires more work on the malicious user's part, although it is still a potential issue.
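One way a hosting admin can make unpatched installs (method 3 above) stand out, as an added example that is not the author's code: walk a docroot, read the version marker files that WordPress (wp-includes/version.php) and Drupal (includes/bootstrap.inc) ship with, and list every install below a minimum you set. The MIN_VERSION values and the sample docroot built in demo() are placeholders; the other packages the article names are left out because their markers are not covered here.

```python
import os
import re
import tempfile

# Files that carry the version string for each CMS, relative to its install root.
MARKERS = {
    "WordPress": ("wp-includes/version.php", re.compile(r"\$wp_version\s*=\s*'([^']+)'")),
    "Drupal": ("includes/bootstrap.inc", re.compile(r"define\('VERSION',\s*'([^']+)'\)")),
}
# PLACEHOLDER minimums: replace with the current patched release of each CMS.
MIN_VERSION = {"WordPress": "2.8.4", "Drupal": "6.14"}

def parse_version(v):
    """'2.8.4' -> (2, 8, 4) so releases compare numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def find_installs(docroot):
    """Walk the docroot and return (cms, install_dir, version) for every marker file."""
    found = []
    for dirpath, _dirs, _files in os.walk(docroot):
        for cms, (rel_path, pattern) in MARKERS.items():
            marker = os.path.join(dirpath, rel_path)
            if os.path.isfile(marker):
                with open(marker, encoding="utf-8", errors="replace") as fh:
                    m = pattern.search(fh.read())
                found.append((cms, dirpath, m.group(1) if m else None))
    return found

def outdated(installs, minimums=MIN_VERSION):
    """Installs below the minimum, plus any whose version could not be read."""
    return [(cms, d, v) for cms, d, v in installs
            if v is None or parse_version(v) < parse_version(minimums[cms])]

def demo():
    """Constructed docroot: one stale WordPress, one current WordPress, one current Drupal."""
    root = tempfile.mkdtemp()
    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    write("blog/wp-includes/version.php", "<?php\n$wp_version = '2.7.1';\n")
    write("shop/wp-includes/version.php", "<?php\n$wp_version = '2.8.4';\n")
    write("cms/includes/bootstrap.inc", "<?php\ndefine('VERSION', '6.14');\n")
    return outdated(find_installs(root))
```

Running demo() reports only the stale blog install; an install whose marker file exists but cannot be parsed is listed too, since an unknown version is not evidence of a patched one.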

In 2008, the most popular method for malicious users to gain entry into the accounts I provided support for was number 3. It was very common for website owners simply not to want to invest the time and money in keeping their website secure. Currently, in 2009, the trend appears to be attacks through FTP, and the most common method of entry is either number 1 or number 2 above.

It's actually difficult to determine which of the two methods is the more common. There are times when I talk to a customer whose site has been infected, and when I ask what their FTP password is, it is commonly something very simple; responses such as "password" or "letmein" are often heard. But just because these passwords are simple and easily guessed doesn't mean the malicious user found them purely by guessing. It is possible that the website owner's computer was infected, and the login details were sent off to the malicious user after the website owner used them to connect to their site.

What can be done for prevention?

The two most common methods of breaking in revolve around FTP and your password, so the solution has two parts. First and foremost, change those passwords. Using something a little difficult to guess is a no-brainer. Remembering the password yourself might end up being a chore at that point. To fix that, try one of the following:

1) Use password management software. There are programs such as TK8 Safe (Windows) or Data Guardian (Mac and Windows) which store passwords in an organized fashion and encrypt the file that holds them. You only remember one password; the program remembers the rest.

2) The low-tech method is pretty easy. How did you remember things back when you were in school? Study? Try writing the password down for 5 minutes every morning until you remember it, or even just typing it into your computer for 5 minutes every morning. Put in the time for repetition and your brain will do the rest. (Don't forget to shred your study sheet.)

Secondly, you need to deal with the chance that your computer is infected. There are lots of programs and anti-virus packages out there to clean up your computer, but that doesn't always ensure that you are protected. Using FTP in itself sends your password over the internet in plain text. If you are infected, the spyware probably isn't hunting your computer for information or passwords; it's more than likely just watching what you send over the internet and snatching up what it can. So stop using FTP. Instead use sFTP, or "secure FTP", also known as FTP over SSH. With this method everything is encrypted: not only your login but everything you do between your computer and your website is encrypted and safe.
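Added example, not from the original article: a check a hosting or network admin can run over a text export of their own FTP control-channel traffic to find clients that still send USER and PASS in the clear, which are exactly the accounts to move to sFTP. The "src > dst: payload" line format, the addresses and the sessions are constructed; the detector reports who logged in from where and whether the server accepted it, and deliberately never stores or returns the password itself.

```python
import re
from collections import defaultdict

# Constructed sample export (not real traffic), one "src > dst: payload" per line:
# a plain-FTP login, a session that ran AUTH TLS first, and a failed plain-FTP login.
SAMPLE_CAPTURE = """\
203.0.113.5 > 192.0.2.10: 220 FTP server ready
192.0.2.10 > 203.0.113.5: USER jason
203.0.113.5 > 192.0.2.10: 331 Password required for jason
192.0.2.10 > 203.0.113.5: PASS letmein
203.0.113.5 > 192.0.2.10: 230 User jason logged in
192.0.2.20 > 203.0.113.5: AUTH TLS
203.0.113.5 > 192.0.2.20: 234 Proceed with negotiation
192.0.2.20 > 203.0.113.5: <encrypted>
192.0.2.30 > 203.0.113.5: USER webmaster
192.0.2.30 > 203.0.113.5: PASS hunter2
203.0.113.5 > 192.0.2.30: 530 Login incorrect
"""
LINE_RE = re.compile(r"^(\S+) > (\S+): (.*)$")

def audit_ftp_capture(text):
    """One finding per PASS sent without a prior accepted AUTH TLS; the password
    itself is never stored or returned, only who sent it and whether it worked."""
    sessions = defaultdict(lambda: {"user": None, "tls": False, "pending": None})
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, payload = m.groups()
        is_reply = re.match(r"\d{3}[ -]", payload) is not None  # "230 ..." is server -> client
        client, server = (dst, src) if is_reply else (src, dst)
        s = sessions[(client, server)]
        if is_reply:
            code = payload[:3]
            if code == "234":  # server accepted AUTH TLS: later commands travel encrypted
                s["tls"] = True
            elif code in ("230", "530") and s["pending"]:
                s["pending"]["login_succeeded"] = code == "230"
                s["pending"] = None
            continue
        verb, _, arg = payload.partition(" ")
        if verb.upper() == "USER":
            s["user"] = arg.strip()
        elif verb.upper() == "PASS" and not s["tls"]:
            s["pending"] = {"client": client, "server": server,
                            "user": s["user"], "login_succeeded": None}
            findings.append(s["pending"])
    return findings
```

On the sample it flags the two plain-FTP sessions (one accepted, one rejected) and stays quiet about the client that negotiated TLS; a real export from a capture tool would need its own line format mapped onto LINE_RE.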

If your hosting doesn't support SSH or sFTP, find a host that does. Most VPS solutions offer SSH by default; there is nothing to turn on, and all you have to do is choose sFTP instead of the FTP you have been using. Other hosting accounts offer it as well, but you may have to request it or turn it on from within your hosting control panel. Take the time to talk to your hosting company and get your account set up the way you need.

90% of attacks use stolen FTP credentials this year. Check out Google's graph that shows the top 10 malware sites:
http://googleonlinesecurity.blogspot.com/2009/06/top-10-malware-sites.html
