I have always taken web security seriously - I ensure that there are always easier sites to hack out there! However, about a week ago I installed a new firewall solution and carried out some beefing up of security. One thing I turned on was logging - this records every single attempt to hack the site - and it was enlightening.
Today alone, over 1200 passwords have been tried for the admin account - if you get in via the admin account you can change any part of the site and quite easily bring it down. I must thank the user at 89.42.111.130 (an IP address registered to SimpliQ in Romania) for trying the majority of those passwords. So just how secure is your password? If it is just a name, or a word found in the dictionary, or worse still 'password' or '12345' - you will be hacked. It's just a matter of when rather than if.
That however was not the end of it. This evening a user from 79.172.18.3 (based in Russia this time) tried to upload a script to the website which would have given him control. It was blocked, but again, this demonstrates that if your web server is not correctly set up, your CMS system is not fully patched or you have left any vulnerability open - it will be found, and someone is going to gain access.
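The logging described above is what turns a silent password-guessing run into something you can see. Here is an added example (not code from the original post) of the kind of check a log can feed: it reads Combined Log Format access-log lines, counts failed POSTs to the admin login within a time window, and flags any source IP that exceeds a threshold. The login path `/admin/login`, the threshold and the sample log lines are all constructed for illustration and are not this site's real values.

```python
"""Spot password guessing against an admin login from web-server access logs.

Added example, not code from the original post. Assumes Combined Log Format
lines and a login endpoint of /admin/login (a constructed path, not the
site's real one). The sample log below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/admin/login"  # assumed login endpoint

# Constructed sample: one source hammers the login, one real user mistypes once then succeeds
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2012:21:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2012:21:00:02 +0000] "POST /admin/login HTTP/1.1" 401 312 "-" "curl/7.21"
198.51.100.23 - - [10/Mar/2012:21:00:03 +0000] "POST /admin/login HTTP/1.1" 401 312 "-" "curl/7.21"
198.51.100.23 - - [10/Mar/2012:21:00:03 +0000] "POST /admin/login HTTP/1.1" 401 312 "-" "curl/7.21"
198.51.100.23 - - [10/Mar/2012:21:00:04 +0000] "POST /admin/login HTTP/1.1" 401 312 "-" "curl/7.21"
198.51.100.23 - - [10/Mar/2012:21:00:05 +0000] "POST /admin/login HTTP/1.1" 401 312 "-" "curl/7.21"
198.51.100.23 - - [10/Mar/2012:21:00:06 +0000] "POST /admin/login HTTP/1.1" 401 312 "-" "curl/7.21"
203.0.113.7 - - [10/Mar/2012:21:05:00 +0000] "POST /admin/login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:21:05:30 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields we care about from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: count} for IPs with at least `threshold` failed logins inside one `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # A failed login attempt: POST to the login endpoint answered with an error status
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH and rec["status"] >= 400:
            failures[rec["ip"]].append(rec["time"])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window: find the densest run of failures that fits inside `window`
        start = 0
        best = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed admin logins within 10 minutes")
```

The sliding window matters: a legitimate user who fumbles a password once a day never reaches the threshold, while a guessing run that packs many failures into seconds does. Feed the flagged IPs to whatever the firewall uses for blocking, and keep the threshold low enough that a run is caught early rather than after a thousand guesses.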
What can you do?
- Make sure you always choose a secure password. If you are using SugarCRM - our 'Sugar Secure' plugin will force your users to choose passwords which are highly secure.
- Always make sure your CMS (Joomla/Drupal etc) or CRM (Sugar, vTiger, CiviCRM) is fully patched and up to date.
- Make sure your OS (Linux / Windows Server) is up to date and patched.
- Check for, scan for and protect against viruses.
- Make sure your files and folders have the correct read/write permissions.
- Adjust your php.ini file to make sure that functions which are not essential but could be vulnerable are turned off.
- Lock down the back end of your website and restrict access to it.
- Use a GOOD firewall application.
- BACKUP, BACKUP, BACKUP!
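To make the php.ini point concrete, here is an added example (not configuration from the original post) showing a loose set of directives beside a tightened one. The directive names are real PHP settings; the paths and the list of disabled functions are illustrative, and which functions a given CMS actually needs is something to confirm against its documentation before switching them off.

```ini
; --- Loose settings, as often found in a stock php.ini (illustrative) ---
expose_php = On            ; advertises the PHP version in response headers
display_errors = On        ; prints stack traces and file paths to visitors
allow_url_fopen = On
allow_url_include = On     ; lets include() pull code from a remote URL
disable_functions =        ; nothing disabled: uploaded scripts can run shell commands

; --- Tightened equivalents ---
expose_php = Off
display_errors = Off
log_errors = On
error_log = /var/log/php_errors.log      ; illustrative path
allow_url_fopen = Off
allow_url_include = Off
; Functions that hand shell access to any script that reaches the server;
; remove an entry only if your CMS genuinely depends on it
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
; Confine file access to the web root and the upload temp directory (illustrative paths)
open_basedir = /var/www/html:/tmp
```

After changing php.ini, restart the web server or PHP-FPM and check `phpinfo()` output (from a page you then delete) to confirm the values took effect, since a distribution may load additional ini files that override yours.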