
Basic Site Security Checklist - eicra.com

Go through our basic site security checklist:


While we don't offer security support on a per-account basis, the following checklist is a good overall set of security tips you can review to make sure your site is as secure as possible. Our servers are secure; it is the code you upload to or run on Eicra Hosting Servers that determines the overall security of your site.

1.) Remove malicious files and/or files you're not familiar with. 

While many PHP applications generate files you may not be familiar with, it's important to watch for files or directories that may sound suspicious such as 'wellsfargo' or 'abbybank'.

2.) Update all scripts/applications to the newest versions available.

Known security holes are patched in new versions of software, so updating to the newest version available ensures you're running the most secure option. If you installed these applications using Simple Scripts, automatic updates are available by clicking the 'Update Now' button. For installations done with Fantastico, the main Fantastico screen shows a link on the right-hand side with the versions you can upgrade to.

3.) Update all plugins to the newest versions available.

Just because your applications have been updated doesn't mean the plugins you use have been too. Popular plugins for WordPress, Joomla, Drupal, etc. are written for specific application versions. When updating your applications, make sure the plugins you're using are also certified to work with the newest version of your software.

4.) Delete any databases/applications from your account that are no longer in use.

Each database/application you have installed on your account is another possible point of entry for attackers. By removing applications/databases that are no longer used, you will be eliminating the potential for those outdated scripts to be exploited.

5.) Fix dangerously writable permissions.

Most website files should be set at 644, and folders should be set to 755. This can be adjusted in an FTP client or by manually changing it in the Control Panel File Manager by selecting the file, and clicking on the icon at the top of the screen that says, 'Change Permissions'.
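As an added example (not part of the original checklist), the following PHP script walks a directory tree and reports every file or folder whose mode differs from the 644 / 755 recommendation above, listing world-writable entries first because those are the dangerous ones. It runs from the command line; the default path is a hypothetical example, so pass your own as the first argument.

```php
<?php
// Added example, not part of the original checklist. Lists entries under a
// given root whose mode differs from 644 (files) / 755 (directories) and
// flags world-writable ones. The default root path is hypothetical.

function auditPermissions(string $root): array
{
    $report = ['world_writable' => [], 'unexpected' => []];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        $mode     = $info->getPerms() & 0777;           // keep only the rwx bits
        $expected = $info->isDir() ? 0755 : 0644;
        $line     = sprintf('%04o  %s', $mode, $path);
        if ($mode & 0002) {                              // "other" can write: the dangerous case
            $report['world_writable'][] = $line;
        } elseif ($mode !== $expected) {
            $report['unexpected'][] = $line . sprintf('  (expected %04o)', $expected);
        }
    }
    return $report;
}

$report = auditPermissions($argv[1] ?? '/home/example/public_html');
foreach ($report as $kind => $entries) {
    echo strtoupper($kind), ":\n";
    foreach ($entries as $entry) {
        echo '  ', $entry, "\n";
    }
}
```

Some entries will legitimately differ (CGI scripts that must be executable, for instance), so treat the "unexpected" list as a review queue; the "world_writable" list is what to fix first.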

6.) Hide your configuration files.

Moving your config.php and other files containing passwords to a secure directory outside of the 'public_html' folder will make them inaccessible to general web surfing.

7.) Tweak your php.ini file.

The 'php.ini' file on your account is a file that adjusts how PHP behaves on your account. By adjusting the properties of this file, you can greatly increase aspects of your security. This file is generally located in your 'public_html' directory. If you're unable to see this file, you may need to manually generate one. You can manually generate one by logging into your Control Panel and clicking the 'PHP Config' icon located in the section called 'Software/Services'. You'd then click the button that says, 'Install Master PHP.ini File'. This will install a file in your 'public_html' directory called 'php.ini.default'. To make this file active, you will then need to rename it to 'php.ini'.

Tweak 1.) Set 'register_globals' to Off.

Tweak 2.) Set 'display_errors' to Off.
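As an added example (not from the article), here are the two tweaks in php.ini form, with the weak setting shown in a comment above each corrected line, plus the companion directives that send errors to a log file instead of the browser. The log path is a placeholder; choose a location outside 'public_html'.

```ini
; Added example, not from the original article. Lines beginning "; before:"
; show the weak setting each corrected line replaces. The error_log path is a
; placeholder; put the log somewhere outside public_html.

; before: register_globals = On   (lets a URL like ?admin=1 create a variable $admin)
; Only relevant on PHP older than 5.4, where the directive still exists.
register_globals = Off

; before: display_errors = On     (shows file paths, SQL fragments and stack traces to visitors)
display_errors = Off

; Keep the errors for yourself instead of discarding them.
log_errors = On
error_log = /home/example/logs/php_errors.log
```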


8.) Connect to your account using a secure network.

If you're connecting to the Internet using a wireless connection, make sure the wireless network is using a method of security such as WPA or WEP encryption.

9.) Make sure your local computer is secure.

One of the biggest security holes in internet site security is accessing your site from an insecure computer. Viruses, malware, and keyloggers can be installed on your computer covertly and can be used to obtain your username/password credentials or to infect your website files themselves. Practice good at-home computer security by regularly running a reliable anti-virus/spyware scanner. Below is a link to high-quality, free software that can help you maintain a safe, healthy computer.


10.) Never open attachments (unless you're really sure).

A good rule to follow is never open attachments unless you are 120% sure of where they came from. One of the easiest ways for hackers to download malicious code onto victim computers is by sending emails with virus-laden files.


A frequent way companies get hacked is by one unsuspecting employee downloading malicious software that infiltrates the entire network. The most dangerous file types are Word, PDFs, and .EXEs.

11.) SQL injection

SQL injection attacks are when an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you use standard Transact SQL it is easy to unknowingly insert rogue code into your query that could be used to change tables, get information and delete data. You can easily prevent this by always using parameterized queries, most web languages have this feature and it is easy to implement.


Consider this query:

"SELECT * FROM table WHERE column = '" + parameter + "';"

If an attacker changed the URL parameter to pass in ' or '1'='1 this will cause the query to look like this:

"SELECT * FROM table WHERE column = '' OR '1'='1';"

Since '1' always equals '1', the condition is true for every row and the query returns the whole table; the attacker can also append additional SQL to the end of the statement, which will be executed as well.
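As an added example (not code from the article), the concatenated query from above and its parameterized replacement side by side, in PHP using PDO. It runs against an in-memory SQLite table of constructed sample rows; the table name, columns and data are assumptions made for the example.

```php
<?php
// Added example, not from the original article. Uses an in-memory SQLite
// database via PDO so it runs anywhere pdo_sqlite is available; the table
// and rows are constructed sample data.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
    $db->exec("INSERT INTO users (username, email) VALUES
               ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");
    return $db;
}

// Vulnerable: the parameter is concatenated into the SQL text (the pattern
// shown in the article), so a quote in the input changes the query's meaning.
function findUserVulnerable(PDO $db, string $username): array
{
    $sql = "SELECT * FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: a parameterized (prepared) query sends the value separately from the
// SQL text, so the database never parses user input as SQL.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db    = makeDb();
$input = "' OR '1'='1";   // the payload from the article, as it would arrive in a URL parameter

printf("concatenated query: %d row(s)\n", count(findUserVulnerable($db, $input)));
printf("prepared statement: %d row(s)\n", count(findUserSafe($db, $input)));
```

Run it and the concatenated query returns every user, because the WHERE clause has become `username = '' OR '1'='1'`; the prepared statement returns no rows, because it looks for a user whose name is literally `' OR '1'='1`. The same `prepare()`/`execute()` pattern applies unchanged to MySQL through PDO or mysqli.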

12.) XSS

Cross site scripting is when an attacker tries to pass in JavaScript or other scripting code into a web form to attempt to run malicious code for visitors of your site. When creating a form always ensure you check the data being submitted and encode or strip out any HTML.

13.) Error messages

Be careful how much information you give away in your error messages. For example, if you have a login form on your website, think about the language you use to report a failed login. Use a generic message like "Incorrect username or password" so as not to reveal when a user got half of the credentials right. If an attacker is brute-forcing a username and password and the error message gives away when one of the fields is correct, the attacker knows they have one of the fields and can concentrate on the other.

Keep your error messages vague

14.) Server-side validation/form validation

Validation should always be done both on the browser and server side. The browser can catch simple failures like mandatory fields that are empty and when you enter text into a numbers only field. These can, however, be bypassed, and you should make sure you check for this validation and deeper validation server side as failing to do so could lead to malicious code or scripting code being inserted into the database or could cause undesirable results in your website.
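As an added example (not the article's own code) covering both the XSS item and this one: server-side validation of a comment form using PHP's `filter_var` and length checks, and HTML encoding of the stored values at render time so that any markup or script a visitor submits is displayed as text rather than executed. The form fields and the submission are constructed for the example.

```php
<?php
// Added example, not from the original article. Server-side validation of a
// comment form (the browser-side checks can be bypassed) plus output encoding
// of the values when rendered. The submission below is constructed sample input.

// Returns [errors, cleanValues]; a non-empty errors array means reject the request.
function validateCommentForm(array $post): array
{
    $errors = [];
    $clean  = [];

    // Mandatory field with a length bound; the HTML "required" attribute alone is not enough.
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 50) {
        $errors['name'] = 'Name is required (max 50 characters).';
    } else {
        $clean['name'] = $name;
    }

    // Numbers-only field: FILTER_VALIDATE_INT rejects "5; DROP", "5.0", "" and similar.
    $rating = filter_var($post['rating'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 5]]);
    if ($rating === false) {
        $errors['rating'] = 'Rating must be a whole number from 1 to 5.';
    } else {
        $clean['rating'] = $rating;
    }

    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'A valid email address is required.';
    } else {
        $clean['email'] = $email;
    }

    $comment = trim((string)($post['comment'] ?? ''));
    if ($comment === '' || mb_strlen($comment) > 2000) {
        $errors['comment'] = 'Comment is required (max 2000 characters).';
    } else {
        $clean['comment'] = $comment;   // stored as submitted; encoding happens on output
    }

    return [$errors, $clean];
}

// Output encoding: every value that goes into HTML passes through here.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderComment(array $clean): string
{
    return sprintf("<p><b>%s</b> (%d/5): %s</p>\n",
        e($clean['name']), $clean['rating'], e($clean['comment']));
}

// Constructed submission: a valid form whose comment field carries a script tag.
$submission = [
    'name'    => 'Mallory',
    'email'   => 'mallory@example.com',
    'rating'  => '5',
    'comment' => '<script>alert(1)</script> great hosting!',
];

[$errors, $clean] = validateCommentForm($submission);
if ($errors !== []) {
    foreach ($errors as $field => $message) {
        echo "$field: $message\n";
    }
} else {
    echo renderComment($clean);
}
```

The comment is stored exactly as submitted and the angle brackets are converted to `&lt;` and `&gt;` only when it is rendered, which is the usual division of labour: validate on input, encode on output for the context (HTML here) the value is written into.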

15.) Passwords

Everyone knows they should use complex passwords, but that doesn’t mean they always do. It is crucial to use strong passwords to your server and website admin area, but equally also important to insist on good password practices for your users to protect the security of their accounts.

As much as users may not like it, enforcing password requirements such as a minimum of around eight characters, including an uppercase letter and number will help to protect their information in the long run.

Passwords should never be stored in a readable form; store them as hashed values, preferably using a one-way hashing algorithm such as SHA. Using this method means that when you authenticate users you only ever compare hashed values. For extra website security, salt the passwords, using a new salt per password.

In the event of someone hacking in and stealing your passwords, storing them hashed limits the damage, as reversing the hash is not possible. The best an attacker can do is a dictionary or brute-force attack, essentially guessing every combination until one matches. With salted passwords, cracking a large number of passwords is even slower, as every guess has to be hashed separately for each salt + password combination, which is computationally very expensive.

Thankfully, many CMSes provide user management out of the box with a lot of these website security features built in, although some configuration or extra modules might be required to use salted passwords (pre Drupal 7) or to set the minimum password strength. If you are using .NET then it's worth using membership providers as they are very configurable, provide inbuilt website security and include readymade controls for login and password reset.
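As an added example (not the article's own code) tying this item to the "Error messages" one above: registration enforces the password policy described (at least eight characters, an uppercase letter and a number), and login returns the same generic message whether the username or the password was wrong. For storage it uses PHP's built-in `password_hash()`/`password_verify()`, which is bcrypt with a random salt generated per password and stored inside the hash string, in place of the SHA-plus-salt the article mentions; the `$users` array is a constructed stand-in for the users table.

```php
<?php
// Added example, not the article's own code. Uses password_hash()/password_verify()
// (bcrypt, random per-password salt embedded in the hash) instead of SHA + salt;
// $users is a constructed array standing in for the users table.

const LOGIN_FAILED = 'Incorrect username or password';

// Policy from the article: at least eight characters, an uppercase letter and a number.
function passwordMeetsPolicy(string $password): bool
{
    return strlen($password) >= 8
        && preg_match('/[A-Z]/', $password) === 1
        && preg_match('/[0-9]/', $password) === 1;
}

function registerUser(array &$users, string $username, string $password): bool
{
    if (isset($users[$username]) || !passwordMeetsPolicy($password)) {
        return false;
    }
    // Only the hash is stored; it already contains the salt and cost parameters.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

function login(array $users, string $username, string $password): array
{
    // When the username is unknown a dummy hash is still verified, so that both
    // failure paths take about the same time as well as returning the same message.
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(8)), PASSWORD_DEFAULT);

    $stored = $users[$username] ?? $dummyHash;
    $ok     = password_verify($password, $stored) && isset($users[$username]);
    if (!$ok) {
        return ['ok' => false, 'message' => LOGIN_FAILED];
    }
    return ['ok' => true, 'message' => 'Login successful'];
}

$users = [];
var_dump(registerUser($users, 'alice', 'password'));       // fails the policy: no uppercase, no digit
var_dump(registerUser($users, 'alice', 'Correct4Horse'));  // meets the policy
echo login($users, 'alice', 'Correct4Horse')['message'], "\n";   // right password
echo login($users, 'alice', 'wrong-password')['message'], "\n";  // wrong password
echo login($users, 'nobody', 'Correct4Horse')['message'], "\n";  // unknown username
```

The last two calls print the identical `Incorrect username or password`, so nothing in the response tells the caller which half was right. `password_hash()` also lets you raise the bcrypt cost later and re-hash on the next successful login, which is how the "computationally very expensive" property is kept up to date as hardware gets faster.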

16.) File uploads

Allowing users to upload files to your website can be a big website security risk, even if it’s simply to change their avatar. The risk is that any file uploaded however innocent it may look could contain a script that when executed on your server completely opens up your website.

If you have a file upload form then you need to treat all files with great suspicion. If you are allowing users to upload images, you cannot rely on the file extension or the MIME type to verify that the file is an image, as these can easily be faked. Even opening the file and reading the header, or using functions to check the image size, is not foolproof. Most image formats allow a comment section which could contain PHP code that could be executed by the server.

So what can you do to prevent this? Ultimately you want to stop users from being able to execute any file they upload. By default, web servers won't attempt to execute files with image extensions, but it isn't recommended to rely solely on checking the file extension as a file with the name image.jpg.php has been known to get through.

Some options are to rename the file on upload to ensure the correct file extension, or to change the file permissions, for example, chmod 0666 so it can't be executed. If using *nix you could create a .htaccess file (see below) that will only allow access to set files preventing the double extension attack mentioned earlier.

deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>

Ultimately, the recommended solution is to prevent direct access to uploaded files altogether. This way, any files uploaded to your website are stored in a folder outside of the webroot or in the database as a blob. If your files are not directly accessible you will need to create a script to fetch the files from the private folder (or an HTTP handler in .NET) and deliver them to the browser. Image tags support an src attribute that is not a direct URL to an image, so your src attribute can point to your file delivery script providing you set the correct content type in the HTTP header. For example:

<img src="/imageDelivery.php?id=1234" />

<?php
// imageDelivery.php
// Fetch the image filename from the database based on $_GET["id"]
...
// Deliver the image to the browser, setting the content type to match the file
header('Content-Type: image/gif');
readfile('images/' . $fileName);
?>
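As an added example (not the article's own code) covering the upload checks from the preceding paragraphs and the delivery script above: an upload handler that decides the file type from its bytes, renames the file to a random name with a whitelisted image extension, stores it outside the webroot, and a delivery function that looks the id up and streams the file with the matching content type. `UPLOAD_DIR` is a hypothetical path and `$imageDb` is a constructed array standing in for the database table that maps an id to the stored filename.

```php
<?php
// Added example, not the article's own code. UPLOAD_DIR is a hypothetical
// path outside public_html; $imageDb is a constructed array standing in for
// the database row that maps an id to the stored filename.

const UPLOAD_DIR = '/home/example/private_uploads';   // hypothetical; must be outside the webroot

// Image types we accept, with the extension each is stored under.
const ALLOWED_IMAGES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

// Validate one entry of $_FILES and move it into UPLOAD_DIR.
// Returns the stored filename, or null if the upload is rejected.
function storeUploadedImage(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Decide the type from the bytes, not from the client-supplied name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGES[$mime])) {
        return null;
    }
    // It must also parse as an image of that same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    // Random name, fixed extension: a name like image.jpg.php cannot survive this
    // step, and nothing from the original filename reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);   // readable by the web server, never executable
    return $name;
}

// imageDelivery.php: look the id up and stream the file with its real content type.
// Even if an image carries PHP code inside a comment chunk, it is only ever read
// and echoed by readfile(), never handed to the PHP interpreter.
function deliverImage(array $imageDb, $rawId): void
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false || !isset($imageDb[$id])) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . basename($imageDb[$id]);   // basename() drops any "../"
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!isset(ALLOWED_IMAGES[$mime])) {                     // only serve what we would accept
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');   // browsers must not re-guess the type
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Constructed lookup table; in a real site this is the database row for the id.
$imageDb = [1234 => '0f7c2b6e9d1a4c3b8e5f6a7d9c0b1e2f.png'];

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['avatar'])) {
    $stored = storeUploadedImage($_FILES['avatar']);   // the avatar form's file field
    echo $stored === null ? 'Upload rejected' : 'Stored as ' . $stored;
} elseif (isset($_GET['id'])) {
    deliverImage($imageDb, $_GET['id']);                // <img src="/imageDelivery.php?id=1234">
}
```

The content checks (`finfo` and `getimagesize`) filter out files that are not images at all; the rename, the private directory and serving through `readfile()` are what stop an image that does carry embedded code from ever being executed, which is the layered approach the paragraphs above recommend.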

Most hosting providers deal with the server configuration for you, but if you are hosting your website on your own server then there are a few things you will want to check.

Ensure you have a firewall setup and are blocking all non-essential ports. If possible set up a DMZ (Demilitarised Zone) only allowing access to port 80 and 443 from the outside world. Although this might not be possible if you don't have access to your server from an internal network as you would need to open up ports to allow uploading files and to remotely log in to your server over SSH or RDP.

If you are allowing files to be uploaded from the Internet only use secure transport methods to your servers such as SFTP or SSH.

If possible have your database running on a different server to that of your web server. Doing this means the database server cannot be accessed directly from the outside world, only your web server can access it, minimizing the risk of your data being exposed.

Finally, don't forget about restricting physical access to your server.

17.) SSL

SSL is a protocol used to provide security over the Internet. It is a good idea to use a security certificate whenever you are passing personal information between the website and web server or database. Attackers could sniff for this information and if the communication medium is not secure could capture it and use this information to gain access to user accounts and personal data.


PC Tools Anti-Virus: http://www.pctools.com/free-antivirus/

Ad-Aware Anti-Malware: http://www.lavasoft.com/single/trialpay.php


 


