10 Arguments That Threaten the Security of Your Website
Nobody wants to have their website get hacked. And yet almost everyone has some reason to ignore security measures. This article talks about "hackers", however "crackers" would be a better name. Hacking is the ingenious use of tools (e.g. software) for purposes that differ from normal use. Cracking is the unauthorized entry of a website to do things that are not allowed by the owner. Because cracking is often referred to as "hacking", I’ll reluctantly use the word “hack” in this article.
1. "Safety is important for large reputable websites"
Your website is small and does not have many visitors. You do not have a webshop and do not handle credit card transactions. Therefore, your website is not so interesting for hackers who are known to target large websites.
Unfortunately, that’s not true. Every website and (web)server is interesting to criminals. They use automated scripts that do not distinguish between size or importance of a website. Hackers hack websites for several reasons:
- Defacing - digital graffiti or politically oriented messages on your website;
- Phishing - installation of software to collect passwords and credit cards of visitors;
- Spamming - sending spam e-mails;
- Spreading viruses and "Trojan horses";
- Admission to a botnet (=network of hacked computers that is controlled remotely) which criminals use for distributed-denial-of-server (DDOS) attacks.
* Each site is interesting to hackers!
You do not update regularly, because:
- you don’t think it’s important (see argument # 1);
- you cannot update it yourself;
- you have some core hacks in your site and therefore can not update;
- ... (insert your own lame excuse here).
All software may contain bugs. Whether it’s software on your computer or on a server. Whether it’s Joomla! or 3rd party extensions. Software developers provide regular updates. Update patches which are released because of security issues need to be installed quickly. Since Joomla 2.5, updating has become much easier with the one-click-update function. Many 3rd party extensions now support updating from the Control Panel.
* Updating Joomla and extensions is very important!
3. "I found the software somewhere on the Internet"
You were able to download a Joomla extension or template from a very helpful website. Or you’ve downloaded a commercial extension from a free filesharing website, just because you want to test it before buying. And after you’ve finished testing it successfully you will for sure buy the paid version! Promised!
- Download software only from the original developer, always! That’s the only way to minimize the risk in getting tampered software.
- Paid extensions or templates that can be downloaded for free from file sharing sites often contain hidden adjustments. Sometimes the adjustments will just add unwanted hidden spam links that Google does not like, to your website. Other times they contain backdoor scripts that hackers use to easily gain access to your website. Do not use commercial software from free websites for testing. Hackers do not wait for you until you are finished with testing and ready to buy the original commercial extensions….
* Download software only from the original source.
4. "My hosting provider already backs up my site"
And they do that quite regularly, so why would you make backups yourself?
- A good backup is a backup that has successfully been tested (by installing it on a local web server). Have you ever tested a backup from your hosting company?
- What do you do if your web host is suddenly bankrupt? Or if your server gets seized by the FBI, IRS, or whatever governmental body, just because another shared hosting customer on the same server did illegal stuff on their website?
* Create, independent of your hosting provider, regular backups (e.g. with Akeeba backup) that you store at an off-site location.
5. "I already found some cheap hosting"
With the “all-you-can-eat” dirt cheap webhosting company you were able to get hosting with mega-much web space for your website and files for one dollar/euro/pound per month.
- Do not only look at the price of hosting. Quality, particularly regarding security, is very important. Get advice from other community members and / or your Joomla developer / implementer.
- Choose a hosting company that focuses on security. E.g. they use suPHP for their shared hosting.
- Make sure you can easily update Joomla and 3rd party extensions from your Joomla administrator panel (if that’s not possible, switch hosts).
* Cheap can be expensive, so take care that you have a good quality hosting provider with Joomla knowledge.
6. "I’ll use this extension soon"
You can easily extend Joomla with 3rd party extensions. Why would not you install all useful extensions that you will need soon? Next month you will start using them.
- Install as many extensions as possible is asking for triple double trouble. The more extensions you install, the more / more often you need to update (see 2).
- Install only what you need *now* and uninstall unused extensions (after making a backup).
* Only allow software (extensions) on your website that you are actually using at the moment.
7. "This seems a useful extension"
But you’ll know that only after installation and testing.
- Do not use your website as a test environment.
- Test new extensions first in a test environment, e.g. a copy of your website that you locally install (with XAMPP).
* Test software in a test environment, not on your live site.
8. "Installation is only possible with permission set to 777"
Installing extensions or uploading images fail, and is only possible by setting the permission of a folder to 777. You do know that it is unsafe, but you say you will set the permissions back to 755 afterwards.
- 777 is very unsafe, even if you do it temporarily. You will not be the first one to forget to turn it back and get hacked.
- Reread excuse 5 ("I already found some cheap hosting") and get another hosting provider.
* Unsafe settings are, even for temporary use, unsafe.
9. "I'm getting insane from all those different passwords"
So you are already aware that, from a safety point of view, you should use different passwords for different sites. Good! You do that as much as possible, but you store those different passwords in your browser and FTP client.
- The configuration file of FTP software like FileZilla is "plain text", and the passwords are stored unencrypted. A known Windows virus or Trojan looks for FileZilla's configuration file and sends it to criminals. Who then hack your website.
* Do not store unencrypted passwords
10. "I already took care of everything mentioned above"
So you're well aware of all safety issues mentioned above. Marvelous! However, do you think about HTTP, FTP and email traffic? That traffic is unencrypted! Usernames and passwords are sent over the Internet in plain text.
- Do not use just any open wifi network. Yes, it’s nice to be able connect to the internet using such open networks. But remember that everything you do, might be monitored by others who are on the same network.
- Even at a "safe" ethernet network unencrypted traffic is unsafe. With the Ethernet network protocol, all connected devices listen to all passing data packets and only use those that are addressed to them. But that does not stop people from listening to all packets ("network traffic sniffing") .
- The Joomla login form usually sends its input unencrypted without https (via the website or administrator section).
- Use secure network communication protocols HTTPS (for browsers), SFTP (for FTP) and TLS (for e-mail) and SSH .
* Internet traffic is generally unencrypted and usernames and passwords can be read by others.