[Security] Password Security


Friday, June 18th, 2010 - Security

This is a continuation of our Security Guide; see the previous post.

What else can you do to protect yourself from hacking? In addition to securing your personal computer from malware and other malicious software, you should practice good overall security on your computer.

Are you storing your passwords on your computer? Are you saving your account’s password in your FTP client’s site manager? Are you saving login information in your browser? If you never have to manually type your password when connecting via FTP or to your cPanel or any other secure area, then you may be at risk. If you are never entering your password, then this means it is being stored somewhere on your computer. If it is stored somewhere on your computer, then it is free for the taking should any malware or malicious software exist on your computer.

Securing Passwords
You may have heard that writing down your password is a bad idea. This depends on your environment. If you work in an office cubicle, then having a piece of paper with your passwords written on it sitting next to your computer is probably not a good idea. But if you work from home, or only access your secure areas at home on your personal computer, then having your passwords written down beside your computer is less of a security risk, as long as your house and the room that your computer is in stay secure and you do not have any unwanted visitors. Keeping your passwords written down, completely separate from your computer, is probably the best way to keep your passwords secure (I suppose memorizing your passwords completely would be the best way!). But if you work in a cubicle environment and need your passwords, perhaps keeping the password sheet in your wallet or some other item that you always have with you is best. In any case, making an effort to obscure your password sheet, by placing it in a drawer or underneath something, is probably a good idea.

Why is this a better option than saving your passwords on your computer? By keeping your passwords separate from your computer you are preventing malware from learning your passwords. Malware may get installed on your computer and it may be able to tell that you are the webmaster for your website, but it can only guess at what your password might be, because if the password isn’t on your computer, it can’t know what your password is.

If you consider the ideal situation where you only access your website’s administrative side from your home computer, then generally you would be more trusting of any family members that might run across your password sheet. Compare this to the threat of malware stealing your login credentials from your computer and decide for yourself which is the higher risk.

Encrypt your passwords
If you must store your passwords on your computer, then it makes sense to secure these passwords as much as possible. Avoid using built-in site managers or browsers to store and save your passwords, as these can be easily compromised. Instead, I recommend the program KeePass, which stores your password information and encrypts the data to make it more difficult for hackers and malware to read it.

With KeePass you create a single file that holds all of your different password information. You can save this file and encrypt it with a public/private key encryption system and also with a passphrase. The passphrase is not required, but I like having it because it gives an extra layer of security. Here you can use an easy-to-remember password, which then unlocks the program to list all of your passwords.

I would recommend that you install this program and give it a try.

Secure your programs
Keeping scripts and applications that are on your website up-to-date is important. But it is also important that you keep the software installed and running on your computer up-to-date. One way to accomplish this is with Secunia’s Personal Software Inspector (PSI) program.

Secunia PSI works by scanning your computer to see what programs you have installed and which versions. It then compares this information with a list of known software applications and their latest versions. It will warn you about any software found on your computer that is not up-to-date. You can then take steps to remove or update the software to the latest version.

Secunia PSI keeps itself up-to-date so that it always has an updated list of application versions. If you keep it running in your System Tray, it will let you know when a new version of software is available.

Keeping the software applications on your computer up-to-date helps to ensure that hackers, malware, and malicious software cannot take advantage of known security holes in that outdated software.

Steven


[Security] Securing Configuration Files


Wednesday, June 16th, 2010 - Security

This is a continuation of our Security Guide; see the previous post.

Keeping the scripts on your account up-to-date is a good way to protect your account from hacking and exploitation attempts. There are some other things you can do to ensure better security.

Database Passwords
This is a common issue and is mentioned a lot in security circles when it comes to securing your account. Never re-use a password for something else. Ideally all of your passwords would be unique and all aspects of your operation would have their own separate login with unique passwords. This is true for scripts that require databases.

Most scripts have some dynamic aspect to them, which requires the use of a database, typically a MySQL database. While it is a good idea to use unique passwords for different aspects of your day-to-day operation, it is imperative that you use a unique database username and password for the scripts on your hosting account.

As a general rule, any time you are going to be using a database on your hosting account, you should set up at least one database username with a unique password. You never want to use your main account username and password in your script for accessing the database. While this username and password combination will work, it is not recommended.

Consider this. You install a WordPress script on your account. You create a new database to host the WordPress data, but you do not create a new database username to access this database or you reuse your account password as the password for the database username.

Now, if this WordPress script gets exploited or hacked, the hacker could conceivably read your WordPress configuration file:

define('DB_NAME', 'username_wp');    // The name of the database
define('DB_USER', 'username');     // Your MySQL username
define('DB_PASSWORD', 'p@$$w0rd'); // ...and password

Now the hacker has full access to your account. They can log into your account’s cPanel or FTP and cause even more damage.

Just to be clear, if a hacker has hacked your script and is able to read its configuration files, then that is a problem. However, by using a separate database username and unique password you are at least preventing the hacker from easily being able to take over your whole account.

Secure Permissions on Config Files
File system permissions may not be something you are familiar with. As a general rule, any time you see files or directories set with permissions of 666 or 777, this is bad. Without going into all of the complexities of file system permissions, just know that 666 and 777 permissions mean that the files or directories are open and unrestricted: every user on the server can write to them. On our servers, directories should hold a permission setting of 755. HTML files should have permissions of 644. PHP files should have permissions of 644 or 600. CGI scripts (not PHP scripts) should have permissions of 755. And ideally, PHP configuration files, meaning files that contain the login information a PHP script uses to access the database server or any other service that requires authentication, should have permissions of 600.

Our servers have a process that goes through and attempts to ensure that the permissions on these configuration files are correct. However, the process is not without flaws; it cannot catch every PHP configuration file.

To ensure that your configuration file is safe, you should consider changing the permissions on the configuration file to 600 after you have installed a script. The configuration file is the file that you edit to add your database login information. You can change the permissions of a file with most FTP clients: log into your account via FTP, select the configuration file, and change its permissions to 600.
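As an added example (not code from the original post), the checks below audit a web tree for the open 666 / 777 permissions described above and apply the recommended values from a shell on the account. It assumes the $HOME/public_html layout, and the configuration file names and CGI extensions it matches are assumptions.

```shell
# Added example, not from the original post. Assumes $HOME/public_html is
# the DocumentRoot; config file names and CGI extensions below are assumed.

# List every file or directory under $1 that is world-writable. The "2" in
# 666 / 777 is the bit that lets every user on the server write to it.
find_open_perms() {
    find "$1" -perm -002 -print
}

# Number of world-writable entries under $1 (0 means the tree is clean).
count_open_perms() {
    find_open_perms "$1" | wc -l | tr -d ' '
}

# Restrict one configuration file to its owner (600) and confirm the result;
# find with an exact mode match prints the path only if it is now 600.
lock_config() {
    chmod 600 "$1" || return 1
    [ -n "$(find "$1" -perm 600 -print)" ]
}

# Apply the defaults from the post to a whole tree: 755 for directories,
# 644 for files, 755 for CGI scripts (assumed to end in .cgi or .pl), and
# 600 for files that hold database credentials (assumed names).
fix_tree_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type f \( -name '*.cgi' -o -name '*.pl' \) -exec chmod 755 {} +
    find "$1" -type f \( -name 'wp-config.php' -o -name 'configuration.php' \
        -o -name 'config.php' \) -exec chmod 600 {} +
}
```

count_open_perms "$HOME/public_html" returning 0 is the quick check; run fix_tree_perms only after taking a backup, since it rewrites every mode in the tree.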

Configuration File Placement
In addition to using secure permissions on your PHP configuration files, you can further secure the scripts on your account by placing the configuration files outside of your DocumentRoot.

This option really only works for custom written scripts and the like. Premade scripts, such as WordPress or Joomla, depend on the configuration file being in a certain location relative to their installed location. For this reason, placing the configuration file outside of your hosting account’s DocumentRoot will not work for those scripts. This can really only apply to custom written PHP scripts where you have the ability to hardcode include statements into your scripts.

The DocumentRoot of your account refers to the public_html folder of your hosting account. Anything inside your public_html folder is considered web accessible and is thus referred to as your DocumentRoot. When you are in the directory above your public_html folder, your account’s home directory, you are outside your DocumentRoot. Typically, when you log into your account via FTP you are logged into your home directory. Here you will see other folders concerning your account: mail, etc, tmp, public_html. You can create a new directory in your home directory to place your configuration files into, or you can just place your configuration files directly into your home directory. The main point is that if your PHP configuration files (files with database login information) are not inside your DocumentRoot, then it is more difficult for hackers to read this information should your account be hacked into.
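As an added example (not from the original post), this helper carries out the relocation just described for a custom script: it moves the configuration file from public_html to the home directory, restricts it to 600, and leaves a stub behind that includes it with a hardcoded path one level up. It assumes the home/public_html layout above; "db-config.php" is a made-up file name.

```shell
# Added example, not from the original post. $1 is the account's home
# directory with public_html as DocumentRoot; the config name is assumed.

# relocate_config HOME_DIR CONFIG_NAME
# Moves public_html/CONFIG_NAME to HOME_DIR/CONFIG_NAME, restricts it to the
# owner (600), and writes a stub that includes it from one level up.
relocate_config() {
    home=$1
    name=$2
    src="$home/public_html/$name"
    dst="$home/$name"
    [ -f "$src" ] || { echo "no such config file: $src" >&2; return 1; }
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2
        return 1
    fi
    mv "$src" "$dst" || return 1
    chmod 600 "$dst" || return 1
    # The stub is the only copy left in the web tree and holds no credentials.
    # In PHP, dirname(__DIR__) is the directory above public_html, so the real
    # file is never reachable by URL even if PHP stopped executing.
    printf '%s\n' '<?php' "require_once dirname(__DIR__) . '/$name';" > "$src"
    chmod 600 "$src"
}

# True if a credential line (DB_PASSWORD, as in the wp-config example above)
# is still readable inside public_html for the given config name.
config_exposed() {
    grep -q 'DB_PASSWORD' "$1/public_html/$2" 2>/dev/null
}
```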

Steven


[Security] Keeping Scripts Up-To-Date


Tuesday, June 15th, 2010 - Security

One of the best ways to keep your website safe and secure from hackers is to always keep your scripts up-to-date with the latest version of any software you might have installed. We all know that keeping your operating system up-to-date is important to keep your computer safe. This is why in Windows you will periodically see a popup in your status tray telling you that updates are available. Scripts on your website are just like software on your computer. Bugs and security holes are found in these scripts and they must be patched in order to prevent serious malicious consequences from happening.

In order to keep the scripts on your account secure, the first thing you have to know is what scripts you have installed on your website. This should be pretty straightforward. In order for a script to exist on your account, you or someone has to install that script on the account. Just keep a log or a note of what scripts you install or have installed on your account. You can’t succeed in keeping the scripts on your account up-to-date if you don’t know what scripts are installed on your account.

You will also want to take into consideration any addons, extensions, or plugins that you have installed with those scripts. For example, Joomla!, a popular content management script, has a lot of extensions that can be installed to work with the base Joomla! install. These extensions add functionality to the script. Joomla! calls these addons “extensions” because they extend functionality, but WordPress, a popular blogging script, calls them “plugins”. Basically, plugins, extensions, and addons all do the same thing, adding extra functions to the base script, but it is important that these remain up-to-date as well. You may have an up-to-date Joomla! install on your hosting account, but if you have an old and vulnerable extension still in use, then your hosting account still is not safe.

Bottom line, scripts, base scripts, and any addons you have installed must remain up-to-date in order for your account to be safe.

How do you know when a new version of the scripts is released?
This is not an easy question to answer. The best way to approach this is to subscribe to the script’s or addon’s mailing list, RSS, or Twitter feed. However, not all script vendors provide this avenue for release announcements. In those cases, you just have to routinely check the vendor’s or developer’s website to see if they have released a new version of the script. Most of the more popular scripts have methods for letting you know of new version announcements. However, it is your responsibility to sign up for these announcement services with each script.

A lot of these popular scripts have robust community followings, usually through an online forum on their respective websites. Staying involved in these communities is another good way to stay apprised of recent script developments and issues.

Unfortunately, there are just too many scripts available for us to be able to inform you of script updates. We may periodically check for some of the more popular scripts (Joomla!, WordPress, etc.) and make sure that these scripts on your account are staying up-to-date. But it is just not possible for us to do this for all scripts, especially when you consider the vast number of addons that are available for each script. The best way to approach this is for you to take on this responsibility yourself and subscribe to announcement feeds for whatever scripts or addons you have installed on your hosting account.

Script Upgrading Issues
Some people are afraid to upgrade their script or addon because they fear that doing so might break their website. This is a valid concern; there is no doubt about it. However, you have to consider that by continuing to run the old version of the script you are leaving doorways open for hackers and malicious visitors to take advantage of your account.

Generally, developers release new versions of their software to correct bugs that have been found in the software. The same is true of website scripts. New bugs are found in the script and the developers have to fix these bugs. Once they have fixed the bugs they release a new version of the script to correct the issue. However, they can’t make you update the script on your hosting account.

If you are concerned about upgrading your scripts and breaking your website then you should raise this issue with the developer or vendor of the script through their website. Upgrading the script on your account MIGHT break your website, but leaving it outdated is GUARANTEED to make your website less secure. Don’t be surprised if your account is hacked or exploited if you choose, either knowingly or unknowingly, to continue to use old versions of your scripts.

Below is a list of popular scripts, their websites, and ways to stay up-to-date with their releases.

Joomla! Updates
Website / RSS / Twitter

Joomla! Extensions Updates
Website / RSS

WordPress
Website / RSS / Mailing List / Twitter

WordPress Plugins Recently Updated
Website

PHPList
Website / Mailing List / Twitter

Zen Cart
Website / Mailing List

SMF – Simple Machine Forum
Website / Twitter

Coppermine Photo Gallery
Website / RSS / Twitter

Gallery
Website / RSS / Mailing List / Twitter

Drupal
Website / RSS / Mailing List / Twitter

phpBB
Mailing List / Twitter

osCommerce
Website / RSS / Mailing List / Twitter

Steven


[Security] Security Guide


Monday, June 14th, 2010 - Security

I am working on a security series which will be used as a guide for our clients to better understand how to keep their webhosting account safe and secure.

The guide will consist of one post per day outlining different security options and ways that you can better secure your webhosting account.

Check back to this post for updates on this series.

June 15th – Keeping Scripts Up-To-Date
June 16th – Securing Configuration Files
June 17th – Fighting Malware
June 18th – Password Security
June 19th – AMS Webhosting Security Features

Steven


[Security] Joomla! / Backups


Tuesday, February 9th, 2010 - Security

Users are encouraged to create and download a backup of their account before they attempt to upgrade their Joomla! scripts. This will ensure that you have something to restore from if the upgrade breaks something. For information on how to back up your account see:

http://manual.amstechdns.com/userbackup

Again, users are encouraged to post any questions or concerns regarding a Joomla! upgrade at the Joomla! forums:

http://forum.joomla.org

If you have any special setups or special settings with your Joomla! script, they should be able to help you.

Steven