As this article is mainly written for small e-business owners, I will omit technical details about web hacking techniques, and will focus instead on the general security mistakes that lead to vulnerabilities, which are then exploited by hackers.
One of the oldest and simplest problems is default or weak passwords used to access admin interfaces of web applications. Another related and very widespread problem is default admin panel location, such as “/wp-admin/” or “/administrator/” which facilitate a lot hacking of your website even with one simple XSS vulnerability. Password reuse is also a very common and dangerous practice. Avoid default admin panel location, and select strong and unique passwords so that these risks are avoided.
Another very common problem is old and outdated software. Make sure that if you are using an open source CMS such as Joomla, WordPress or osCommerce it’s up to date as well as all of its modules and plugins. Today, the biggest danger comes from numerous plugins that usually have plenty of vulnerabilities.
Be careful when you are using a third-party customized code on your website that is not trusted by a large community of other users. I have seen many examples of quite secure websites being compromised because they installed “Simple Online Poll v0.1” coded by a friend or unexperienced trainee. Usually the majority of web vulnerabilities are hidden in the in-house code, as it was not reviewed and tested by millions of users and security researchers as, for example, the core source code of Joomla was.
Another important point to mention is proper access control. Don’t share your passwords and other credentials with people who do not necessary need to have them, otherwise once they are compromised your website will follow. It is always better to limit access to your admin panels from specific IP addresses or at least from sub-networks (in case you don’t have a fixed IP). Make sure that, on your web server, file permissions are correct and other users (if any) cannot read your files.
Needless to say, the security of any web hosting service where your website is located is also important. Don’t try to save money on it, as such “economy” may ruin your business. When selecting your hosting company, pay attention to what the company’s reputation is, the client support it offers (it should have a competent security team ready to react rapidly on security incidents) and if it has a daily backup plan.
Backup is an essential point, as sometimes you may notice intrusion days, weeks or even months after it actually happens. I personally saw customers who were backdoored during several years so, it’s very important to have a “clean” copy of your website without a backdoor in its source code. Proper backup of access logs is vital for security investigators during the incident forensics process. Last but not least, make sure that all of the software used by your hosting company is regularly updated otherwise any measure taken by you will be useless.
How to deal with a security breach
If you notice that your website has been hacked, the most important thing to do is keep calm and avoid panic. First of all, immediately notify your web hosting company about the incident and temporarily shut down your website. Immediately change all of your passwords (FTP, cPanel, MySQL, SSH, etc) and make sure that no additional accounts were added to the system.
Now, when the hackers have been cut from your website, start the investigation process. First of all, copy access logs to secure local storage - they will help in the future to determine how hackers got in and to trace the attackers.