10 Easy Ways to Prevent
Your Website from being Hacked
Many times, my clients have asked me “what is the best way to
prevent my website from being hacked?”. While no server is perfectly
secure, there are some simple ways to secure your Linux server from attackers.
None of these methods are hard to do, but they are absolutely necessary
to prevent your website from being hacked. Here is the list:
-
Install all available security updates for your Linux server
Every modern Linux distribution provides security updates through its package manager. Some people suggest installing them automatically; I firmly disagree. Security updates should be installed manually, so that you know exactly which packages changed. If an update breaks the functionality of your website, you want it fixed ASAP, and when updates are installed automatically it is much harder to notice the breakage and to work out which package caused it. Some ask what the proper update interval should be: I typically recommend checking for and installing security updates about once per week. That keeps the window of exposure short, and it is regular enough to remember (for instance, check for security updates every Saturday morning). Treat the week as an upper bound, though: when your distribution announces a critical fix for a service you expose to the Internet (the web server, SSH, the mail server), install it the same day.
-
Control access to your Linux server
I'm not going to repeat the same old “use a secure password” line here; I assume that most people now know to choose a strong password for anything they care about that is reachable from the Internet. Instead, make sure that you also control the other accounts on your server. If a third-party coder works on your server, ask him or her to change the password every three months, and disable the account when it is not needed. For instance, if a consultant is only supposed to connect on an on-call basis, disable his or her account between engagements. This not only prevents a revenge-style attack after a disagreement with the consultant, it is also one less account an attacker can use to gain access to your Linux server. Disabling an account means more than locking its password: lock it, set an expiry date, and move its SSH authorized_keys file aside, because public-key logins are not stopped by a locked password alone.
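The following is an added example, not code from the original article: a small shell script that takes an on-call consultant's account out of service without deleting it (so that the UID and files survive for the next engagement) and lists which accounts on the box can still log in. The user name 'consultant' and the sample passwd lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: take a consultant's
# account out of service without deleting it, and list which accounts on
# the box can still log in.  The user name 'consultant' is assumed.

# Disable an account.  A locked password hash on its own does not stop
# SSH public-key logins, so the account is also expired (which sshd and
# PAM do honour) and its authorized_keys file is moved aside.  Run as root.
disable_account() {
  user=$1
  home=$(getent passwd "$user" | cut -d: -f6)
  usermod -L "$user"              # lock the password hash
  chage -E 0 "$user"              # expire the account: blocks key logins too
  if [ -f "$home/.ssh/authorized_keys" ]; then
    mv "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys.disabled"
  fi
  pkill -KILL -u "$user" 2>/dev/null || true   # drop any live sessions
}

# Reverse of disable_account, for the next on-call engagement.
enable_account() {
  user=$1
  home=$(getent passwd "$user" | cut -d: -f6)
  usermod -U "$user"
  chage -E -1 "$user"             # -1 clears the expiry date
  if [ -f "$home/.ssh/authorized_keys.disabled" ]; then
    mv "$home/.ssh/authorized_keys.disabled" "$home/.ssh/authorized_keys"
  fi
}

# Print every account with a real login shell, reading /etc/passwd-format
# lines from stdin so the review can run against a saved copy.
interactive_accounts() {
  while IFS=: read -r name _pw uid _gid _gecos _home shell; do
    case "$shell" in
      */nologin|*/false|"") ;;    # service accounts: cannot log in
      *) printf '%s uid=%s shell=%s\n' "$name" "$uid" "$shell" ;;
    esac
  done
}

# Constructed sample, not a real /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:110:115:MySQL Server:/nonexistent:/bin/false
consultant:x:1001:1001:On-call consultant:/home/consultant:/bin/bash'

printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts
```

Run `disable_account consultant` as root when the engagement ends and `enable_account consultant` when the next one starts; `interactive_accounts < /etc/passwd` is the Saturday-morning check that no forgotten account still has a shell.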
-
Update non-distribution software on your Linux server
Besides updating the software that comes with your Linux distribution, ensure that any software installed outside the package manager (WordPress, phpBB and similar packages, including their plugins and themes) is updated as soon as security updates are available. It never hurts to check for updates every time you make a post on your blog (or, if you update your blog as infrequently as I do, once per week), and to make sure that the latest version is always installed. This is perhaps the single most common way a server is compromised: an insecure web application lets an attacker run code as the web server user, and from there the rest of your Linux server is within easy reach.
-
Use separate MySQL accounts for all of the databases on your Linux server
While we are on the topic of web applications, make sure that no web application on your Linux server connects as the default user (root). Instead, create a new MySQL user for every database, restrict that user to the host it connects from (normally 'localhost'), and grant it only the privileges it needs on only the database it needs. For instance, your 'wordpress' MySQL user should not be able to read the tables in the 'vbulletin' database, so that a SQL injection hole in one application does not hand over every other application's data.
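As an added example (not code from the original article), the script below generates the SQL for one application account scoped to one database, and audits `SHOW GRANTS` output for accounts whose reach is wider than that. The database and user names (wordpress, wp_app), the sample grant lines and the assumption of MySQL 5.7+/MariaDB 10.1+ (for `CREATE USER IF NOT EXISTS`) are all mine, not the article's.

```shell
#!/bin/sh
# Added example, not from the original article: generate the SQL for a
# MySQL account scoped to one database, and audit SHOW GRANTS output for
# accounts that reach further.  The database and user names (wordpress,
# wp_app) are assumed, as is MySQL 5.7+/MariaDB 10.1+ for IF NOT EXISTS.

# Emit the SQL for one application account.  The host part is pinned to
# localhost because the web application and MySQL share the box, and the
# privilege list is what a typical PHP application needs on its own
# database (trim it to what the application's installer documents).
# No GRANT OPTION and nothing on *.*.   Usage:
#   scoped_db_user_sql wordpress wp_app 'S3cret' | mysql -u root -p
scoped_db_user_sql() {
  db=$1; user=$2; pass=$3    # assumption: the password contains no quote characters
  cat <<EOF
CREATE USER IF NOT EXISTS '${user}'@'localhost' IDENTIFIED BY '${pass}';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
  ON \`${db}\`.* TO '${user}'@'localhost';
SHOW GRANTS FOR '${user}'@'localhost';
EOF
}

# Audit SHOW GRANTS output, one grant per line on stdin.  Prints a finding
# for each over-broad grant and returns 1 if any were found.  The
# "GRANT USAGE ON *.*" line every account carries means "no privileges"
# and is not a global grant; root@localhost is skipped because it
# legitimately holds everything.
audit_grants() {
  found=0
  while IFS= read -r line; do
    case "$line" in
      *"TO 'root'@'localhost'"*) continue ;;
    esac
    case "$line" in
      "GRANT USAGE ON *.*"*) ;;                           # harmless
      *"ON *.*"*)            echo "GLOBAL:   $line"; found=1 ;;
      *"ALL PRIVILEGES"*)    echo "ALL:      $line"; found=1 ;;
    esac
    case "$line" in
      *"WITH GRANT OPTION"*) echo "GRANTOPT: $line"; found=1 ;;
    esac
    case "$line" in
      *"@'%'"*|*"@\`%\`"*)   echo "ANYHOST:  $line"; found=1 ;;
    esac
  done
  return $found
}

# Constructed sample, not output from a real server.
SAMPLE_GRANTS="GRANT USAGE ON *.* TO 'wp_app'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE ON \`wordpress\`.* TO 'wp_app'@'localhost'
GRANT ALL PRIVILEGES ON *.* TO 'phpbb'@'%' WITH GRANT OPTION"

scoped_db_user_sql wordpress wp_app 'change-me'
printf '%s\n' "$SAMPLE_GRANTS" | audit_grants || echo "review the grants flagged above"
```

To audit a live server, dump every account's grants (for example by looping over `SELECT user, host FROM mysql.user` and running `SHOW GRANTS` for each) and pipe the lines into `audit_grants`; anything it flags as GLOBAL, ALL or ANYHOST is a web application that could reach far more than its own tables.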
-
Disable or firewall unneeded services
Another easy way to prevent your website from being hacked is to disable unneeded services, and to block incoming connections to services that don't need to accept connections from the outside. One of the best examples is MySQL: it is very common in a VPS environment for the provider to configure MySQL to accept remote connections. Unless you want outside computers talking directly to MySQL (hint: you don't), close that door twice. First, set MySQL's bind-address to 127.0.0.1 so that it only listens on the loopback interface, and configure your web applications to connect to 'localhost'. Second, firewall port 3306 anyway, so that the server stays closed even if the bind-address setting is changed later. Simply put, there is no valid reason to allow all outside hosts to connect to MySQL.
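Here is an added example (not the article's own code) of both halves of that advice for MySQL: the firewall rules, a check that the my.cnf really binds mysqld to loopback, and a check of `ss -ltn` output for a MySQL listener on a public address. Port 3306 and the `[mysqld]` section are MySQL's defaults; the sample config and socket listing are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: keep MySQL on the loopback
# interface and verify that it stayed there.  Port 3306 and the my.cnf
# [mysqld] section are the MySQL defaults; the samples are constructed.

# Firewall stance the article recommends: loopback may reach 3306, nothing
# else may.  Run as root and persist the rules with your distribution's
# iptables-save mechanism.  bind-address is the first line of defence;
# this is the second, in case that setting is ever changed.
firewall_mysql() {
  iptables -A INPUT -p tcp --dport 3306 -i lo -j ACCEPT
  iptables -A INPUT -p tcp --dport 3306 -j DROP
}

# Read a my.cnf on stdin and check that [mysqld] binds to loopback only.
# Returns 0 when it does, 1 otherwise.  A missing bind-address means
# "listen on every interface", so it fails the check.
mysql_bind_ok() {
  section=""; bind=""
  while IFS= read -r line; do
    line=${line%%#*}                              # drop comments
    line=$(printf '%s' "$line" | tr -d ' \t')     # drop whitespace
    case "$line" in
      \[*\]) section=${line#[}; section=${section%]} ;;
      bind-address=*|bind_address=*)
        if [ "$section" = "mysqld" ]; then bind=${line#*=}; fi ;;
    esac
  done
  case "$bind" in
    127.0.0.1|::1|localhost) echo "ok: mysqld binds to $bind"; return 0 ;;
    "") echo "FAIL: no bind-address under [mysqld]; mysqld listens on all interfaces"; return 1 ;;
    *)  echo "FAIL: mysqld binds to $bind"; return 1 ;;
  esac
}

# Read `ss -ltn` output on stdin and report any listener on port 3306
# that is not bound to a loopback address.  Returns 1 if one is found.
public_mysql_listener() {
  rc=0
  while read -r _state _rq _sq local _rest; do
    case "$local" in
      127.0.0.1:3306|"[::1]:3306") ;;                         # loopback: fine
      *:3306) echo "EXPOSED: mysqld listening on $local"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed samples: a loopback-only my.cnf and a matching ss -ltn listing.
SAMPLE_MY_CNF='[client]
port = 3306
[mysqld]
bind-address = 127.0.0.1   # loopback only
skip-networking = 0'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    [::]:22222          [::]:*'

printf '%s\n' "$SAMPLE_MY_CNF" | mysql_bind_ok
printf '%s\n' "$SAMPLE_SS" | public_mysql_listener
```

On a real server run `mysql_bind_ok < /etc/mysql/my.cnf` (or whichever file your distribution uses) and `ss -ltn | public_mysql_listener`; the second check is the one that matters, because it looks at what mysqld is actually doing rather than what the config file says.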
-
Disable anonymous FTP
I still don't understand why some Linux distributions configure an FTP service to accept anonymous connections by default. With the low overhead of transferring files via HTTP, anonymous FTP is slowly dying off. It is easy to disable (a single setting in the FTP daemon's configuration) and should always be disabled unless absolutely necessary. There have been instances in the past of attackers gaining access to a web server through an anonymous FTP account, especially where anonymous users were allowed to upload.
-
Use a secure SSH configuration
If you use SSH on your Linux server, disable password authentication and use public-key authentication instead (Ed25519 or RSA keys); a key is far stronger than a password alone. Before you turn passwords off, confirm from a second session that your key login works, or you will lock yourself out. Disable direct root login as well. Moving the SSH daemon to a port above 1024 (I'm a big fan of port 22222 myself) keeps it outside the default port list of most scanners and cuts the log noise from automated password guessing, but understand that this is obscurity, not security: a full port scan (nmap -p-) finds it in seconds, so never rely on the port alone. While you're in the SSH configuration, turn off the pre-login banner, and on Debian-based systems the DebianBanner suffix too. Note that OpenSSH always announces its version string during the protocol handshake and that cannot be suppressed, which is one more reason to keep the package updated rather than try to hide it.
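Below is an added example, not the article's own code: a hardened sshd_config fragment with the settings recommended above, and an audit that checks an OpenSSH configuration against them. Feed the audit the output of `sshd -T` (which resolves Include files, Match blocks and compiled-in defaults) rather than the raw file. The configuration values, the extra keywords and the weak sample used in the test are my assumptions, not the article's.

```shell
#!/bin/sh
# Added example, not from the original article: the sshd_config settings
# the article recommends, plus an audit of the effective configuration.
# Assumes OpenSSH; feed the audit `sshd -T` output rather than the raw file.

# Hardened fragment.  Two settings the article does not mention matter:
# keyboard-interactive must be off as well (otherwise PAM still prompts
# for a password with PasswordAuthentication off), and root should not
# log in directly.  'Banner none' is the pre-login message; the protocol
# version string cannot be hidden.  On OpenSSH older than 8.7 the
# keyboard-interactive keyword is ChallengeResponseAuthentication.
HARDENED_SSHD_CONFIG='Port 22222
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
Banner none'

# What the audit demands, as "keyword value" pairs (lower case, as
# sshd -T prints them).
SSHD_REQUIRED='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin no'

# Read sshd configuration on stdin; print one line per unmet requirement.
# Keywords are case-insensitive, "key value" and "key=value" are both
# accepted and, like sshd, the first occurrence of a keyword wins.
# Returns 0 when fully hardened, 1 otherwise.
audit_sshd() {
  cfg=$(tr 'A-Z' 'a-z' | sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' \
                              -e 's/[[:space:]]*=[[:space:]]*/ /')
  rc=0
  while read -r key want; do
    got=$(printf '%s\n' "$cfg" | awk -v k="$key" '
      $1 == k { print $2; exit }
      k == "kbdinteractiveauthentication" &&
        $1 == "challengeresponseauthentication" { print $2; exit }')
    if [ -z "$got" ]; then
      echo "MISSING: $key (want $want; the default applies, check sshd -T)"
      rc=1
    elif [ "$got" != "$want" ]; then
      echo "FAIL: $key is '$got', want '$want'"
      rc=1
    fi
  done <<EOF
$SSHD_REQUIRED
EOF
  return $rc
}

printf '%s\n' "$HARDENED_SSHD_CONFIG" | audit_sshd && echo "sshd: hardened"
```

On a live server run `sshd -T | audit_sshd` after every change; a MISSING line means the compiled-in default is in force, and for PasswordAuthentication that default is yes.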
-
Use encrypted services instead of non-encrypted services
Wherever you have the choice, prefer the encrypted version of a service. That includes replacing FTP (which transmits your password in the clear) with SFTP, which rides on the SSH daemon and is probably already installed and enabled on your server. If you have a webmail application, serve it only over HTTPS and redirect the plain HTTP port to it. If you send email from a remote computer through your server, enable TLS (STARTTLS or SMTPS) in your mail server and require it on the submission port, so that your mail password never crosses the network unencrypted either.
-
Install and update virus protection on your Linux server
Although not strictly server hardening, make sure that your Linux server runs a good antivirus program. I'm a fan of ClamAV, which integrates nicely with most mail daemons. Whatever antivirus software you choose needs to scan incoming email and also scan the filesystem, including the web root, where uploaded files and injected PHP tend to land, and its signatures must be kept current (ClamAV does this with freshclam). This protects the server by catching Linux trojans and web shells, and it also protects your own computer: some trojans steal cached passwords from infected machines, which could result in the login credentials for your server being leaked.
-
Perform a code audit on any custom written applications on your server
No one is perfect, and that is certainly not limited to coders. No matter how confident you are in any in-house or custom written code, it never hurts to hire a third-party auditor to look over your code for vulnerabilities. Vulnerable code on your server may open it up to SQL injection, cross-site scripting, buffer overflow and denial-of-service attacks. Simply put, a third-party audit is always a good thing: a second pair of eyes on your code never hurts.
Following these 10 tips will go a long way towards preventing your website from being hacked. Although nothing is 100% secure, these 10 tips cover 98% of the compromises that I have seen in my career. It also never hurts to have a competent admin look over the security of your server. Even if you think that you have covered all of these steps properly, an external consultant can see what other options exist for hardening your Linux server. From installing packages such as tripwire to writing custom iptables rules, a competent admin will be able to harden your server beyond what this list covers. For more information on server hardening services, feel free to contact me.