Basic security practices

I was planning on doing a handful of security tips for National Cybersecurity Month (October), but ended up getting some site de-hacking clients the first weekend (more on that below) and was booked up pretty solid the rest of the month too. But I also figured: you’re probably smart enough to know the basics by now (no re-using passwords, blah blah blah). I throw tips out on this site regularly anyway.

One of the hacked sites was a result of breaking some of the very basic rules:

1) A really lame password (it was the name of the hosting company, if you can believe that!)

2) Though the live site was entirely in HTML (essentially plain text files, not as prone to hacking as PHP, JavaScript, and other languages which, when coded badly, can leave gaping security holes), there was a gallery application written in PHP which had been abandoned – but was still discoverable and reachable by hackers – and which had not been updated in 4 or 5 years (40 or 50 years in Internet dog-years).

That means that it was a very likely attack vector. Tip of the day: Don’t leave old versions of your site “stored” on your live website, unless you actively keep them updated too!

3) The hosting package was the cheapest level available. This means that the hosting company crams as many small websites onto a single server as they can possibly fit. The software running those sites is quite often not kept up to date, and because of the way this kind of shared hosting is done, once a hacker gains access to one site on the server they can often attack all the other sites as well.

So the site could have been hacked by directly guessing the password, through out-of-date software on the victim’s site, or through out-of-date software on another site on the same server.
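One way to check a web root for the kind of forgotten application described in point 2, as an added example that is not part of the original post: it lists every directory whose server-side scripts have all gone untouched for longer than a threshold. The extension list, the two-year default, and the use of file modification time as a stand-in for "last updated" are assumptions.

```python
import os
import time

# Assumption: extensions the web server would execute rather than serve as text.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".cgi", ".pl"}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def find_stale_apps(docroot, max_age_years=2.0, now=None):
    """Return {relative_dir: (script_count, newest_age_in_years)} for each
    directory under docroot where even the most recently modified script is
    older than max_age_years."""
    now = time.time() if now is None else now
    newest = {}  # relative dir -> newest mtime among its scripts
    counts = {}  # relative dir -> number of scripts found
    for dirpath, _dirs, files in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue  # static files (HTML, images, CSS) are not the concern
            # lstat: judge a symlink by itself, do not follow it out of the root
            mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
            newest[rel] = max(newest.get(rel, 0.0), mtime)
            counts[rel] = counts.get(rel, 0) + 1
    stale = {}
    for rel, mtime in newest.items():
        age = (now - mtime) / SECONDS_PER_YEAR
        if age > max_age_years:
            stale[rel] = (counts[rel], round(age, 1))
    return stale


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, (count, age) in sorted(find_stale_apps(root).items()):
        print(f"{rel}: {count} script(s), newest modified {age} years ago")
```

A hit means "update it or take it off the live site"; it says nothing about whether the code has already been tampered with, since a modified file would show a recent timestamp.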

The good news: less than 2 hours later it was cleaned up.

Stay safe out there!