Someone who successfully infects your PC can use it to get into your website. That is very common.
On any Windows PC (does not apply to Linux, Mac) that you use to administer your website, install good quality antivirus software to keep it free of viruses and Trojan downloaders that can install spyware.
On a Windows system, once a month, while logged into your PC as an Administrator, visit Windows Update to install the latest security patches for Microsoft products, including Internet Explorer.
Keep all your internet-related software such as browsers, plug-ins, and add-ons up to date with the latest security patches.
Use adequate security settings in your web browser.
On a wireless network or in a public "hot spot", your data is transmitted by radio, and it is easy for someone nearby to monitor everything you send and receive that is not encrypted.
Use strong passwords.
Use a different password in every location.
Only give your password to people who must have it.
If you give your password to someone temporarily, change it as soon as their work is finished.
Don't load your website with every cool script, gadget, feature, function, and code snippet you can find on the web. Any one of them could let a hacker into your site.
Once you have installed a script such as WordPress, SMF, Coppermine, phpBB, or any others, find a way to make sure you are notified quickly when security updates are released. Get on a mailing list, subscribe to an RSS feed, subscribe to a forum board, create a Google Alert, whatever you need to do.
When a security update is released, install it within 1 day, if possible.
SSH, Secure SHell, gives you command line access to your server, allowing you to execute operating system commands from a remote location. Most webhosts don't allow their shared hosting customers to use SSH at all, but a few do. Resellers and those who manage dedicated servers do have SSH.
If you have SSH access and you use it, its password should be exceptionally strong, 16 random characters or more.
If you have SSH access and you don't use it, disable SSH so nobody can use it. There is sometimes an SSH control switch in cPanel.
If you allow SSH at all, let your users ask you to enable it for them. Most never will.
Each file and folder on your server has permission settings that determine who can read or write that file, execute that program, or enter that folder. Your webhost initially created your webspace with secure permission settings on all files and folders.
Do not modify the permissions until you know what you're doing. Don't guess. One mistake can allow any other account on your shared server to put files on your site.
These precautions are also absolutely necessary, but only if you write your own program code.
For the language you use, find and read an overview about security: PHP, ASP.NET, Cold Fusion, ...
When you use an unfamiliar function for the first time, check the manual for security considerations.
Learn to instinctively distrust data from the outside world. Write your code so that incoming malicious input can't trick it into doing something it shouldn't. Outside data includes: incoming form submission data, HTTP query strings, cookies.
Learn how to prevent "Remote File Inclusion".
Learn how to prevent "SQL Injection".
There are lots of online resources for learning how to code securely. All it takes is a web search.
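The two named problems side by side, as an added example that is not from the original slides: a login query that pastes outside data into SQL text next to the parameterised form, and an allowlist lookup that never builds an include path from the request. The in-memory users table and the page names are constructed for the demonstration.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    # Constructed sample data: one user in an in-memory table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, name: str, password: str) -> bool:
    # Outside data is pasted straight into the SQL text, so a quote character
    # inside it becomes part of the query's structure instead of a value.
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, name: str, password: str) -> bool:
    # The values travel separately from the SQL text; the driver treats them
    # purely as data, so nothing inside them can change what the query does.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


# Assumed allowlist of pages this site is willing to include.
PAGES = {"home": "home.php", "about": "about.php"}


def resolve_page(requested: str) -> str:
    # Map the request onto fixed names rather than using it as a path or URL;
    # anything outside the allowlist (a remote URL, a traversal) is rejected.
    if requested not in PAGES:
        raise ValueError("unknown page")
    return PAGES[requested]
```

The same input that passes the parameterised check unharmed lets the string-built query return a row for a wrong password.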
These are extra precautions that provide an additional layer of security. If you understand what this section is talking about, the discussion and code examples should help you to put some good protections in place.
Download and examine your raw access logs. Here are some examples of how to block suspicious activity:
Ban bad robots.
Ban suspicious URL query strings.
Ban IP addresses responsible for suspicious activity.
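A small scanner for those three checks, added here as an example rather than taken from the slides: it reads Apache combined-format log lines, flags remote URLs in query strings, directory traversal, and a bad-robot user agent, counts hits per IP, and emits Apache 2.2 `Deny from` lines for the ones that cross a threshold. The log lines and the `BAD_BOTS` list are constructed; fill the list from what your own logs show.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2004:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2004:13:55:40 +0000] "GET /index.php?page=http://example.org/x.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2004:13:55:41 +0000] "GET /gallery/?dir=..%2F..%2Fconfig.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2004:13:56:02 +0000] "GET /forum/ HTTP/1.1" 200 1024 "-" "ExampleBadBot/1.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
BAD_BOTS = ("ExampleBadBot",)  # assumed: user-agent prefixes you have decided to ban


def classify(line):
    """Return (ip, reason) for a suspicious request, or None for a normal one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status, agent = m.groups()
    query = unquote(urlsplit(target).query)
    if re.search(r"=\s*(https?|ftp)://", query, re.I):
        return ip, "remote URL in query string"
    if "../" in unquote(target):
        return ip, "directory traversal in request"
    if agent.startswith(BAD_BOTS):
        return ip, "known bad robot"
    return None


def suspicious_hits(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


def ban_candidates(log_text, min_hits=2):
    """IPs with at least min_hits suspicious requests; review them before banning."""
    counts = Counter(ip for ip, _ in suspicious_hits(log_text))
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


def htaccess_deny(ips):
    """Apache 2.2 mod_access lines for .htaccess that block the given addresses."""
    return ["Order Allow,Deny", "Allow from all"] + [f"Deny from {ip}" for ip in ips]
```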
Always have a backup copy of your entire website and its databases.
Turn on log archiving in cPanel now.
Get a complete list of your site files NOW while they are known-good.
Explore your website and become familiar with what is there.
Use good database connection practices in scripts:
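One way to keep that known-good list, and to catch the permission mistake described earlier (a file or folder any other account on the shared server can write to), as an added example that is not from the slides: record mode bits and a SHA-256 hash for every path, report world-writable entries, and diff a later inventory against the baseline. `self_check` builds a constructed scratch site so the whole thing runs offline.

```python
import hashlib
import os
import stat
import tempfile


def inventory(root):
    """Map each path under root to (permission bits, sha256) as a baseline."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            digest = ""
            if stat.S_ISREG(st.st_mode):
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(full, root)] = (stat.S_IMODE(st.st_mode), digest)
    return result


def world_writable(inv):
    """Entries that any other account on a shared server could write to."""
    return sorted(p for p, (mode, _) in inv.items() if mode & stat.S_IWOTH)


def compare(baseline, current):
    """Return (added, removed, changed) paths relative to the known-good baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, changed


def self_check():
    """Constructed scratch site: take a baseline, tamper with it, re-audit."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>")
        os.chmod(os.path.join(root, "uploads"), 0o777)  # the mistake the slides warn about
        baseline = inventory(root)
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("\n<?php // appended after the baseline ?>")
        with open(os.path.join(root, "uploads", "x.php"), "w") as fh:
            fh.write("<?php ?>")
        added, removed, changed = compare(baseline, inventory(root))
        return {"world_writable": world_writable(baseline),
                "added": added, "removed": removed, "changed": changed}
```

Save the baseline somewhere off the server (not in the webspace it describes), since an intruder who can change files can also change a manifest stored beside them.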
WINNING NOTIFICATION:
Attn: Dear Sir/Madam

We happily announce to you the draw of the Euro - Afro Asian Sweepstake Lottery International programs held on the 1st of May 2004 in Dakar, Senegal. Your e-mail address attached to ticket number: 564 75600545 188 with Serial number 5388/02 drew the lucky numbers: 31-6-26-13-35-7, which subsequently won you the lottery in the 2nd category. You have therefore been approved to claim a total sum of US$4,500,000.00 (Four million, Five Hundred Thousand United States Dollars) in cash credited to file KPC/9080118308/03. This is from a total cash prize of US $ 45 Million dollars, shared amongst the first Ten (10) lucky winners in this category.

CONGRATULATIONS!!!

Due to mix up of some numbers and names, we ask that you keep your winning information confidential until your claim has been processed and your money remitted to you. This is part of our security protocol to avoid double claiming and unwarranted abuse of this program by some participants. All participants were selected through a computer ballot system drawn from over 40,000 company and 20,000,000 individual email addresses and names from all over the world.

This promotional program takes place every year. This lottery was promoted and sponsored by Association of software producers. We hope with part of your winning, you will take part in our next year US$20 million international lottery.

To file for your claim, please contact our paying officer:
Contact Person: Mr Peter Moyo
Foundmoney Int.
Email: email@example.com

Remember, all winnings must be claimed not later than 25th of September, 2004. After this date all unclaimed funds will be included in the next stake. Please note in order to avoid unnecessary delays and complications, please remember to quote your reference number and batch numbers in all correspondence. Furthermore, should there be any change of address do inform our agent as soon as possible.

Congratulations once more from all members and staff of this program. Thank you for being part of our promotional lottery program.

Sincerely,
SIR T.U. Quarshie
AFRO-ASIAN Zonal Coordinator