A new client asked me to do a bit of work for him today, and when digging into his server, I found, well…a reason to write this post. It needed some spring cleaning. Old folders that had most likely not been touched in years, writable everything, and to top it off a recently hacked site. He was basically lucky the content was still there.

Here are some basic tips to help you keep your site easy to work on, and at the same time make it more difficult for an attacker to bash their way into your site.

Remove the Junk!

The easiest thing you can do to help secure your site while at the same time reduce its confusion, is to remove the junk. Every folder and file that is on your server is like a door or window to your home. Are all your windows locked? If you have a lot of potential openings, it’s very easy to forget one.

If you are not using certain files or folders on your server, back them up off of the server, and then delete them from the server. Removing opportunities is much easier than securing them. It’s also one less thing to figure out a year from now when you are wondering what the heck that file was for.

Don’t Let Them Browse

Another simple tip is to simply stop letting hackers look at your directory. Try looking at your image directory for example, http://www.yoursite.com/image_folder/. If you can see a list of all of your files, STOP it! There are various ways depending on your server type, but a simple one is to simply create an index.html file in that directory. It’s not the worlds greatest fix, but it works, and it’s quick. The con to this is that you will need to do it to every folder you want to stop indexing.

If you are like me, and prefer to hosts your sites using Apache just put this in your httpd.conf file: Options -Indexes.

Keep Up To Date, NOW!

The first time one of my sites was hacked was due to a hole in a script that I did not write myself. It was a popular software, exploiters found the hole, and attacked thousands of sites through that hole. My site was one of them. The key to preventing hacks like this is to not simply update once and a while. It is to update as soon as possible. A well known example of this practice is Microsoft automatically updating your PC with new patches. It’s in your best interest to do this A.S.A.P.. Hackers are looking for open doors, not locked ones.

Here is a real world example. When you go on vacation do you lock your house up before you leave? I think most of would say yes. Not updating your software right away is like going on vacation, coming home half way through to lock up your house, and then go back on your vacation.

Don’t Trust the Users!

As a final security tip, don’t trust user input. Poor form validation was the method in to my new clients site. The original webmaster did not validate an upload form, and allowed any type of file to be uploaded. Every form on your site is way to attack, and depending on how you handle those forms, an attacker may not even need a form! A simple url could be your down fall: http://yoursite/index.php?ID=<nasty script>666.

Most webmasters know forms are easy, but really, if done correctly, are a total pain. They need complete scrutiny. Validating all items, and having complete instructions for your site to fulfill if the answer is not within the defined terms exactly. A hacker using a robot to scan sites for poorly secured forms hardly cares who’s site it is. They most likely don’t even know what site it is until they get the Success Alert. Don’t trust user input, and certainly don’t think it won’t happen to you.