Frequently asked questions


What should I do to prevent my pages from being hacked?
  1. Up-to-date software
  2. Admin user access
  3. File permissions
  4. Access to files
  5. PHP and other software in your webhotel
  6. Examples
  7. More about web security
  8. Passwords

Up-to-date software

Criminals are constantly on the lookout for old versions of software with well-known vulnerabilities. They use search engines such as Google, MSN Live Search and Yahoo to find webpages using e.g. Gallery, Joomla, PhpMyAdmin, WordPress, etc. Attacks are automated, and aim at the well-known vulnerabilities. If you've installed an old version of such software, your webhotel may be at serious risk!

Your first line of defence against damage to your web pages is: use the most recent version of your installed software!

If you no longer use the software, or the software , then you must delete the software from your webhotel. Removing the link from your homepage will not help.

Most software vendors provide security bulletins for their products. Subscribe to these to keep up with changes!

Please note that certain software types and some specific software are not permitted on websites hosted by us, due to security and performance concerns.


Admin user access

Software installed by you usually has an admin user, and this is a frequent target for hackers, because the admin user can install and edit themes, plugins, and other add-on components.

Ensure that your admin user has a secure password, and that you have control over other users in the system.

Do not reuse passwords you have used elsewhere. See also our other password tips.

Ensure that the e-mail addresses for password reset are correct, and don't belong to an unknown party.


File permissions

To avoid intruders changing or deleting files on your website, make sure to set the correct file permissions. Make sure that your files and directories aren't writable by others. This will help ensure that no-one else changes your files or snatches your passwords.

Configuration files that contain passwords should not be readable by other users.
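The following script is an added example, not part of the original FAQ. It walks a directory tree and reports files or directories that are writable by group or others, and files with names that suggest they hold secrets (config.php, .env are assumed names) that are readable by group or others. The small tree it audits is constructed in a temporary directory for the demonstration; in practice you would point audit_permissions() at your own webhotel.

```php
<?php
// Added example (not from the original FAQ): audit a directory tree for
// permissions the FAQ warns about. Unix permission bits are used directly:
//   0o022 = write for group and others, 0o044 = read for group and others.

function audit_permissions(string $root, array $secretNames = ['config.php', '.env']): array
{
    $findings = [];
    $tree = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($tree as $path => $info) {
        $mode = fileperms($path) & 0777;
        // Anything writable by group or others can be altered by other users on the server.
        if ($mode & 0022) {
            $findings[] = sprintf('%s is writable by group/others (mode %04o)', $path, $mode);
        }
        // Files holding passwords must not be readable by anyone but the owner.
        if ($info->isFile() && in_array($info->getFilename(), $secretNames, true) && ($mode & 0044)) {
            $findings[] = sprintf('%s holds secrets but is readable by group/others (mode %04o)', $path, $mode);
        }
    }
    return $findings;
}

// Constructed demo tree: one correct file, one world-writable script, one readable config.
$root = sys_get_temp_dir() . '/permdemo_' . bin2hex(random_bytes(4));
mkdir("$root/www", 0755, true);
mkdir("$root/conf", 0700, true);
file_put_contents("$root/www/index.php", "<?php echo 'hello';");
chmod("$root/www/index.php", 0644);
file_put_contents("$root/www/upload.php", "<?php");
chmod("$root/www/upload.php", 0666);
file_put_contents("$root/conf/config.php", "<?php \$dbpass = 'constructed-secret';");
chmod("$root/conf/config.php", 0644);

foreach (audit_permissions($root) as $finding) {
    echo $finding, PHP_EOL;
}

// Remove the demo tree again (children first, then the root).
$cleanup = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($cleanup as $entry) {
    $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
}
rmdir($root);
```

Run it with the PHP command-line interpreter on your webhotel. Only upload.php and config.php are reported; index.php (mode 0644) and the directories pass. The fix for each finding is chmod: 0644 for ordinary files, 0600 for configuration files with passwords, 0755 or 0700 for directories.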


Access to files

Also make sure that only files that must be accessible by the web server are actually accessible. If your home directory is /home/1/e/example, your website must be in the folder/directory /home/1/e/example/www, while you may place configuration files, include files, files containing usernames, passwords and other sensitive information in another folder/directory (e.g. /home/1/e/example/conf). This prevents these files from being directly accessible via the web server.
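An added example (not part of the original FAQ) of how a script in www/ reads a configuration file kept in the sibling conf/ directory. The layout from the paragraph above is rebuilt in a temporary directory for the demonstration; in a real site you would pass __DIR__ from a script inside www/ as $docroot. The file name db.php and the array it returns are assumptions made for the example.

```php
<?php
// Added example (not from the original FAQ). Layout reproduced below:
//   <home>/www   - document root, the only directory the web server serves
//   <home>/conf  - configuration files, reachable only through the filesystem
// The web server never serves conf/, so the script reaches it by path instead.

function load_config(string $docroot, string $name): array
{
    $confDir = dirname($docroot) . DIRECTORY_SEPARATOR . 'conf';
    // basename() strips any directory part, so a name such as "../www/index.php"
    // is reduced to "index.php" and is looked up inside conf/ only.
    $path = $confDir . DIRECTORY_SEPARATOR . basename($name);
    if (!is_file($path)) {
        throw new RuntimeException("No configuration file '$name' in $confDir");
    }
    $config = require $path;   // the configuration file returns an array
    if (!is_array($config)) {
        throw new RuntimeException("$path did not return an array");
    }
    return $config;
}

// Constructed demo: home directory with www/ and conf/ side by side.
$home = sys_get_temp_dir() . '/webhotel_' . bin2hex(random_bytes(4));
mkdir("$home/www", 0755, true);
mkdir("$home/conf", 0700, true);
file_put_contents("$home/conf/db.php",
    "<?php return ['user' => 'example', 'pass' => 'constructed-password'];");
file_put_contents("$home/www/index.php", "<?php echo 'public page';");

$db = load_config("$home/www", 'db.php');
echo "Database user read from conf/db.php: {$db['user']}", PHP_EOL;

try {
    load_config("$home/www", '../www/index.php');
} catch (RuntimeException $e) {
    echo 'Refused: ', $e->getMessage(), PHP_EOL;
}

// Remove the demo tree again.
unlink("$home/conf/db.php");
unlink("$home/www/index.php");
rmdir("$home/conf");
rmdir("$home/www");
rmdir($home);
```

Because conf/ lies outside www/, a request such as http://example.com/conf/db.php cannot reach the file; only your own scripts can, and with mode 0700 on conf/ only your own user can.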


PHP and other software in your webhotel

If you have PHP or other software (also called scripts) uploaded to your webhotel, make sure that all parameters are thoroughly checked before using them. If not, you run the risk that someone maliciously sends specially crafted parameters, luring your scripts into behaving differently than planned, for example running arbitrary commands on the web server.


Examples

Here is an example of what not to do in PHP:

<?php
...
$inc = ($_REQUEST["page"]);
include "$inc";
...
?>

The file named by $inc is included and executed without any check of the variable's content. Anyone can use the script to, e.g., retrieve the contents of your PHP files (including database passwords) or run arbitrary commands on the web server. This can cause damage to your webhotel as well as to other users on the same web server.

Safe example

Here is an example of placing the PHP includes in a sub directory "includes" and ensuring that only existing files in that directory are included:

<?php

# Read the requested page; use an empty string if the parameter is missing
$page = $_REQUEST["page"] ?? "";

# Allow only plain file names (letters, digits, "-", "_" and "."), refuse
# anything containing "../", and require that a regular file with that name
# exists in includes/ (is_file also rejects "." and "..", which are directories)
if (!preg_match("#\.\./#", $page) AND
    preg_match("#^[-a-z0-9_.]+$#i", $page) AND
    is_file("includes/$page")) {
    include("includes/$page");
} else {
  print "Invalid page requested. The attempt has been logged.";
  # Here you may write a routine that logs attempts of working around your system!
}
?>

In general, you should always check the input parameters of your script, especially if the parameters are used in system calls or SQL queries. Keep in mind that data you receive from other systems (including databases) also needs checking.
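As an added example (not part of the original FAQ), the script below shows two ways of applying this advice. The page parameter is never used as a file name at all: it is only a key into a fixed list of allowed pages, which is stricter than the pattern check above. The SQL parameter is passed through a prepared statement, so user data never becomes part of the SQL text. The page list, the includes directory and the users table are assumptions made for the example; the demo uses PDO's SQLite driver with an in-memory database so it runs without a real database.

```php
<?php
// Added example (not from the original FAQ): checking parameters before use.
declare(strict_types=1);

// 1. Allow-list: the request value is only a lookup key, never a path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the file to include, or null if the requested page is not allowed.
function resolve_page(?string $requested, string $includeDir): ?string
{
    $key = $requested ?? 'home';
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    return $includeDir . '/' . PAGES[$key];
}

// 2. Prepared statement: the value is bound separately from the SQL text,
//    so quotes or keywords in it are just characters of a user name.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

echo 'Lookup of alice: ';
var_dump(find_user($db, 'alice'));
echo 'Lookup of a name containing a quote and an OR clause: ';
var_dump(find_user($db, "alice' OR '1'='1"));   // no such user, so null

echo 'Page "about": ';
var_dump(resolve_page('about', '/home/1/e/example/www/includes'));
echo 'Page "../../etc/passwd": ';
var_dump(resolve_page('../../etc/passwd', '/home/1/e/example/www/includes'));
```

In a real page the dispatch would read: $target = resolve_page($_REQUEST['page'] ?? null, __DIR__ . '/includes'); then include $target when it is not null, and otherwise log the attempt and print the error message from the example above. With the allow-list, a new page is added by editing PAGES, and nothing a visitor sends can name a file outside that list.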


More about web security

If you want to read more about web programming security, we recommend the book Innocent Code by Sverre H. Huseby (ISBN 0-470-85744-7).


Passwords

Be diligent and careful in how you handle your passwords.


© 2024 Domeneshop AS