How to Secure a Website From Hacking. 6 Basic Actions That Will Stop Hackers

Vadim Korchinskii
Website admin since 2012

Any hacking of a website starts with reconnaissance: collecting and analyzing information. Hackers use malicious bots, the Google search engine, and brute force (enumeration) of website directories and files.

Malicious bots scan the website and collect information about the Content Management System (CMS), plugins, templates and components installed on it, together with their versions. The bots send this information to the attacker's server, where it is stored and later used to attack a vulnerable script, plugin or template. We'll explain how the bots work and how to protect the website from hacking.

The article will be useful for website owners, marketers, web developers and everyone who cares about the security of the website.

Tip 1. Do Not Store Backups in the Root Directory of the Website

It often happens that inexperienced hosting support staff, programmers and website owners put backups in the root directory of a site under a simple name such as backup.zip, site.zip or 1.zip.

In this case an attacker can download the archives with a few guessed requests and extract database passwords and other confidential information from them. In the log file, the intruder's requests look like this:
"GET /backup.zip HTTP/1.0" 200
"GET /site.zip HTTP/1.0" 200
"GET /1.zip HTTP/1.0" 200

To find out which vulnerable plugins, templates and modules are installed on the website, an attacker first analyzes the site's source code. This information is not always visible in the source code, so the intruder then falls back to brute force: sending requests to the website that guess installation paths and file names.

For example, probing for the directory of JCE, a popular component of the Joomla CMS, appears in the log files as follows:
"GET /components/com_jce/editor/extensions/filesystem/joomla.xml HTTP/1.0" 200 1335 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"

The status 200 in the log means that the joomla.xml file exists, so the JCE component is installed on the website. Knowing this, the attacker sends malicious requests to the component's files, and if the component's version is vulnerable, uploads a shell script to the website, through which he gets full access to it.

How to secure your website
Do not store backups in the root directory of the website, and always give archives hard-to-guess names. Rename files of popular scripts such as adminer.php, and be sure to delete them from the hosting once you have finished working with them.
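The two log patterns above, as an added detection script that is not part of the original article: it reads a combined-format access log and reports archive-like paths that were actually served with 200 (an exposed backup) and client IPs that probed several archive names (a scanner). The log lines in sample_log, the IP addresses and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): check an Apache/nginx
# combined-format access log for backup-archive probing.
# Field layout used below: $1 client IP, $6 "METHOD, $7 path, $9 status.

# Lines where an archive/dump-like path was requested and the server answered 200.
# Reads the log on stdin:  exposed_archives < /var/log/apache2/access_log
exposed_archives() {
    awk '$6 == "\"GET" && $9 == 200 && $7 ~ /\.(zip|tar\.gz|tgz|rar|7z|sql|bak)$/'
}

# IPs that asked for at least $1 (default 3) distinct archive-like names, whatever
# the status: a run of 404s on backup.zip, site.zip, 1.zip... is the probe itself.
archive_scanners() {
    awk -v min="${1:-3}" '
        $7 ~ /\.(zip|tar\.gz|tgz|rar|7z|sql|bak)$/ { seen[$1 SUBSEP $7] = 1 }
        END {
            for (k in seen) { split(k, p, SUBSEP); n[p[1]]++ }
            for (ip in n) if (n[ip] >= min) print ip, n[ip]
        }'
}

# Constructed sample log (RFC 5737 test addresses, invented paths).
sample_log() {
cat <<'EOF'
203.0.113.5 - - [20/Jan/2020:10:01:02 +0000] "GET /backup.zip HTTP/1.0" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jan/2020:10:01:03 +0000] "GET /site.zip HTTP/1.0" 200 4194304 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jan/2020:10:01:04 +0000] "GET /1.zip HTTP/1.0" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jan/2020:10:01:05 +0000] "GET /db.sql HTTP/1.0" 200 81920 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jan/2020:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jan/2020:10:02:01 +0000] "GET /images/logo.png HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
EOF
}

# Demo: the two served archives, then the scanning IP with its request count.
sample_log | exposed_archives
sample_log | archive_scanners 3
```

A 200 on an archive name means the file is downloadable right now and must be removed or renamed; the scanner list shows who is looking even when nothing was found.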

Tip 2. Prohibit Indexing System Directories

Search robots scan websites non-stop, and in addition to information useful for users they save information that is useful to attackers looking for vulnerabilities.

For example, the query inurl:/ckeditor finds all URLs that contain the name of the popular CKEditor editor, early versions of which are vulnerable. The query intitle:"index of" finds all websites whose directories are open for browsing.

Because of server misconfiguration, search robots index and display PHP script errors, log files (access_log, error_log, awstats...), database backups and other confidential information that can be used to hack the website.

How to secure your website
Configure the robots.txt file correctly. Disable indexing of all system directories and of the directories of all scripts that should not appear in search results. You can do it with a rule like this:
User-agent: *
Disallow: /your_catalog

Note that robots.txt is only a request to well-behaved crawlers and is itself publicly readable: it keeps directories out of search results but does not block access to them.

Tip 3. Update CMS and Software on the Server

Free content management systems and most of their add-ons are open source, so attackers can easily analyze them and find vulnerabilities. Ready-made scripts for exploiting those vulnerabilities often appear in the public domain.

How to secure your website
Update your management system, templates and add-ons on time. If it is not possible to apply updates, be sure to install anti-hacking protection on the website. Watch for notices of critical vulnerabilities on the official websites of your management system and add-ons, and fix them on time.

Tip 4. Check the Website for Vulnerabilities Regularly

Keeping track of CMS and add-on updates is important and necessary, but they often come out late, when hackers already know about a vulnerability. So you cannot rely on updates alone: by the time they appear, you may have been hacked a hundred times.

How to secure your website
Check the scripts for vulnerabilities yourself. You can query a search engine for this: exploit + name of the CMS, plugin, module or template. By analyzing an exploit's source code you can determine which attack vector it uses, which files are vulnerable and how to close the vulnerability correctly. The best-known sites for finding vulnerable scripts are CVE Details and Exploit Database.

Tip 5. Close Access to Folders — Concrete Your Website

By default, all directories and files on the server are writable. This is dangerous: having found a vulnerability, the attacker can upload and run a shell script, or overwrite a file, in any directory of the website.

How to secure your website
It is necessary to perform hardening, that is, to «concrete» the website. Disable writing to all directories of the website, and disable changes to all CMS, plugin and template files that do not need to change during the site's operation. With these permissions, files can still be read and executed. For the correct operation of the website, permissions should be set as follows:

  • for all files — permissions 444;
  • for all directories — permissions 555;
  • for the files, which need to be available to write — 644;
  • for the directories, which need to be available to write — 755.

Such permissions are well suited both for websites where the CMS, templates and plugins are heavily modified and there is no possibility to update everything to the latest versions, and for simple websites where the CMS, templates and plugins are updated infrequently. If you need to update plugins or a template, recursively change the permissions to 644 and 755, update everything, and then reset the permissions to 444 and 555.
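The protect/unprotect cycle described above, written as an added shell script (not the article's own PHP scripts): 444/555 for the whole tree, 644/755 only for an allowlist of directories that must stay writable, plus a checker that counts what is still owner-writable. The site layout built in demo() is constructed for the test.

```shell
#!/bin/sh
# Added example (not from the original article): "concrete" a site tree from
# the shell. Run as the site owner, which on shared hosting is also the user
# PHP runs as, so a writable file is one a compromised script could overwrite.
set -e

# protect ROOT [WRITABLE_SUBDIR...]: harden everything, then reopen the allowlist.
protect() {
    root="$1"; shift
    find "$root" -type d -exec chmod 555 {} +
    find "$root" -type f -exec chmod 444 {} +
    for sub in "$@"; do
        find "$root/$sub" -type d -exec chmod 755 {} +
        find "$root/$sub" -type f -exec chmod 644 {} +
    done
}

# unprotect ROOT: back to 644/755 before updating the CMS, plugins or templates.
unprotect() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Number of owner-writable files under ROOT (-perm -200 = owner write bit set).
# After protect it should equal the file count inside the allowlist only.
count_writable_files() {
    echo $(( $(find "$1" -type f -perm -200 | wc -l) ))
}

# Constructed layout: CMS root with an admin directory and an uploads directory.
demo() {
    tmp=$(mktemp -d)
    site="$tmp/site"
    mkdir -p "$site/administrator" "$site/images"
    printf '<?php\n' > "$site/index.php"
    printf '<?php\n' > "$site/administrator/index.php"
    printf 'PNG' > "$site/images/logo.png"
    protect "$site" images
    hardened=$(count_writable_files "$site")   # only images/logo.png stays writable
    unprotect "$site"
    opened=$(count_writable_files "$site")     # all three files writable again
    rm -rf "$tmp"
    echo "$hardened $opened"
}

demo
```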

Two PHP scripts are created for the convenience of end users:

  • mysite.com/protect.php — changes all permissions for files and folders to 444 and 555;
  • mysite.com/unprotected.php — sets permissions 644 and 755.

To prevent file and directory permissions from being changed by software, add this directive to php.ini:
disable_functions = chmod

Note that this also stops any PHP script that relies on chmod(), so once the directive is active, change permissions over SSH or SFTP rather than from a script.

For directories (backup, log, image...) that cannot be given 555 permissions and that contain no scripts, add a .htaccess file with this content:
RemoveHandler .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml
AddType application/x-httpd-php-source .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml

This code blocks execution of potentially unsafe scripts: it prevents PHP code from running in a directory where there should be no executable files.

Tip 6. Restrict Access to the Control Panel

As the name suggests, only you should have access to the website's control panel (admin panel), or an administrator you trust to manage the website.

How to secure your website
Set an additional login and password for the website's admin dashboard. Add .htaccess and .htpasswd files to the administrative panel directory (administrator, bitrix/admin, wp-admin...).

In the .htaccess file write the following code:
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/site.com/admin/.htpasswd
Require valid-user

# Let static assets through without a password. The pattern is anchored and the
# dot escaped so that only these extensions match. On Apache 2.4 without
# mod_access_compat, replace the two lines inside the block with: Require all granted
<FilesMatch "\.(css|js|png|gif|jpg)$">
Allow from all
Satisfy Any
</FilesMatch>

Where /home/site.com/admin/.htpasswd is the full path to the .htpasswd file on your server.

If the Website Is Already Hacked

To determine the vulnerability through which the website was compromised, analyze the website's access_log. Carefully look through all suspicious POST and GET requests in the file.

Websites with many visitors can have a very large access_log. To simplify the search, first find out the approximate time of the hack. To do this, sort all files on the website by last-modified date, find shell scripts with an antivirus scanner and note when they appeared on the website. Then find the POST and GET requests in the logs that are close in time to the file changes or to the appearance of the shell scripts.
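The triage step above in script form, as an added example that is not part of the original article: given a reference file stamped with the last known-good time, it lists PHP files changed since then and pulls every POST/GET request to those files out of access_log, so the earliest hit on a newly appeared script narrows the time window. The site tree, reference time and log lines in demo() are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): correlate recently changed
# PHP files with the requests that targeted them.
set -e

# recently_changed_php ROOT REF_FILE: PHP files whose mtime is newer than REF_FILE.
recently_changed_php() {
    find "$1" -type f -name '*.php' -newer "$2" | sort
}

# requests_to_changed_files ROOT REF_FILE LOG: access_log lines whose request
# path ends in one of those file names (dot escaped for grep -E).
requests_to_changed_files() {
    recently_changed_php "$1" "$2" | while read -r f; do
        name=$(basename "$f" | sed 's/\./\\./g')
        grep -E "\"(POST|GET) [^ ]*/$name( |\?)" "$3" || true
    done
}

# Constructed scenario: index.php is old, a script appeared in the uploads
# directory after the reference time, and the log holds one POST to it.
demo() {
    tmp=$(mktemp -d)
    site="$tmp/site"
    mkdir -p "$site/images"
    printf '<?php\n' > "$site/index.php"
    printf '<?php\n' > "$site/images/x.php"          # constructed: unexpected new file
    touch -t 202001010000 "$tmp/ref" "$site/index.php"  # last known-good state: 1 Jan 2020
    cat > "$tmp/access_log" <<'EOF'
203.0.113.5 - - [20/Jan/2020:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jan/2020:10:02:31 +0000] "POST /images/x.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jan/2020:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
EOF
    requests_to_changed_files "$site" "$tmp/ref" "$tmp/access_log"
    rm -rf "$tmp"
}

demo
```

On a real server, stamp the reference file with the time of your last clean backup (touch -t) and point the functions at the site root and the real access_log; the requests just before the first hit are where to look for the upload vector.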
