Round Tale

These days, it is more important than ever to keep your website current with the latest security measures.  Why so much emphasis on security?  Because hackers are always looking for ways to penetrate servers and websites to thieve sensitive information.  There are is a lot you can do to ensure better website security and the tips in this article should taken very seriously.

1.) Update Your Applications and Scripts

Running outdated web applications and code on your site is liking giving hackers an open invite.  So if you have older versions of WordPress or Joomla installed, it is advisable that you immediately check for and perform the necessary updates.  This goes for any application or programming languages used for your site.  For a knowledgeable hacker, compromising Joomla 1.0 is as easy as uploading a shell script to an insecure form.  If successful, they could end up with complete control of your account.

2.) Create Strong Passwords

A password can be a simple but effective security mechanism.  However, this is only the case when following a strict set of rules.  When securing login sessions and other areas of your site, never apply a password that can be easily guessed by others or is used for other accounts.  If someone knows just one of your passwords, they can keep trying it for each of your accounts until they are successful.  This could not only lead them to the control panel login of your hosting account, but also the financial institution you do your online banking with.

3.) Mask Your Folders

It is always wise to cloak your website files and folders that are stored on the server.  Many security experts suggest keeping a blank index.html file in each of the folders stored in your public directory.  Doing this will ensure that the contents cannot easily be viewed by internet users.  This process is made simple with the cPanel control panel and its Index Manager function.  You can take this one step further by password protecting the administrator folder that contains the scripts you are running.  This is highly recommended as it provides an added layer of security that will make an intruder have to work that much harder.

What If I Still Get Hacked?

As we eluded to earlier, there is a possibility that even after adhering to all of these tips and more, your website can still be compromised by a hacker.  Should your site be successfully exploited, there are a couple of things you should do right away to minimize the damage.  The first step that needs to be taken involves changing all of the passwords associated with your website.  This goes from your control panel and administrative areas to everything else in between.  Next, go through your hosting account to find and update all old applications and plugins as they could easily be the culprits that led to exposure.  Any website can be compromised and if it happens to you, your sensitive information can be used for criminal gain in one way or another.  Prevention is the key so employ all the measures you can to ensure you are protected against the existing and emerging threats.

Convenience aside, allowing anonymous visitors to upload files to your site is pretty much like opening the gates and telling malicious users it is okay to compromise your server.  This puts you, the website owner, in a very tough position when considering that such permissions have become a commonality on today’s internet and has proven to increase business efficiency.

Having the ability to upload files is a regular occurrence on social networking sites such as FaceBook, MySpace and Twitter as well blogs, forums and online banking sites.  This feature is also prevalent in corporate portals as it allows end-users to share files with business employees.  In these environments, users are permitted to upload documents, pictures, music, videos and several other types of files.  The more functionality an end-user is provided with, the greater the probability of creating a vulnerable web application.  It is a known fact that many internet users abuse their privileges to gain access to a specific site or compromise a web server.

During recent tests, security experts have discovered that an alarming number of widely used web applications are not making use of secure upload forms.   According to their findings, many of these vulnerabilities were easily detected and exploited, allowing experts to gain full access to the file system on the web server hosting those applications.   Most of these vulnerabilities were the direct result of improper security configurations, essentially permitting intruders to roll right in.

Viable Solutions

Below is a list of practices you or your system administrator should enforce when file uploads are allowed to your website or web applications:

- Create an .htaccess file that only permits access to files with allowed extensions

- Do not the put the .htaccess file in the same directory where the files uploaded by users will be stored.  This file should be stored in the parent directory that your visitors do not have access to.

- The average .htaccess file that only allows files such as jpg, jpeg, gif and png files should include the following lines:

“deny from all

<Files ~ “^\w+\.(gif|jpe?g|png)$”>

order deny,allow

allow from all

</Files>”

These lines can be adjusted to suit your own personal needs.  Editing the .htaccess file in this manner will not only assure that only these file types are allowed, but also protect you from double extension attacks.

- If at all possible, make sure the files uploaded by users are placed in a directory outside of the server root.

- Do not allow existing files to be overwritten.  This will prevent exploits such as the .hataccess overwrite attack.

- Do not rely solely on client-side validation.  This is simply not enough to ensure an adequate level of security.  It is advisable to implement both client-side and server-side validation.

Conclusion

There are several ways a malicious user can bypass the security configurations applied to a file upload form.  When incorporating such a feature into your web applications, you should make it a priority to follow the best security practices and put them to the test on a regular basis.  While this requires a considerable amount of security expertise, it is worth every bit of time to make sure your website is protected.