You have or will have shortly a presence on the Internet available to anyone 24 hours a day, 7
days a week. While this constant availability is great for business, it also means that those with
less-than-pure intentions can try to disrupt your site at any time.
Depending on who you talk to, individuals who attempt to disrupt websites and computer systems
illegally might be called hackers, black hat hackers, crackers, or even script kiddies (less proficient
individuals who rely on well-known security issues and more commonly available hacking tools).
In this article, I will refer to them all as hackers.
You may be thinking, "No one would bother messing with my little website devoted to pictures of
my dog." Think again! You may not have credit card information or other private data stored in
your account, but that won't stop a hacker who decides they want to mess with your site. The
simple fact that your site is available 24/7 on the Internet is a big draw. In addition, some hackers
deface websites simply to show off their hacking skills, just because they can.
What harm can hackers do? Here are just a few things that could happen:
The hacker uses an insecure form mail script on your site to send spam and
viruses from your account. Your domain and perhaps even the entire web server
are placed on mail blacklists and you have problems sending legitimate mail to
others in the future. In addition, you have to deal with angry requests to stop sending
spam and deal with potentially thousands of e-mail bounce messages for mail sent to
addresses that do not exist.
A program is uploaded to your website and uses your web server to attack other
sites. This can severely slow down all of the websites hosted on your server as well
as get your server placed on more blacklists.
The hacker is able to run a secret meeting place for his friends and other
hackers right from your website. Not only will this probably slow down your
server, but it also puts other accounts on your server at risk as more hackers explore
looking for other vulnerable sites.
Your website and all of the data it contains can be destroyed, defaced, stolen, or
tampered with. In fact, it is possible for hackers to use one hacked account on a
shared server to gain access to other accounts or even the entire server (though their
ability to do so depends in part on how your web host has the server configured).
Your website itself or the entire server could be attacked, keeping people from
being able to visit it. This can be done without compromising the data in your
account and can be very difficult to stop once it starts. Your web host will need to
assist you.
As you can see, even a small site is a tempting draw. While your web host can help protect the
server your account is hosted on, it will primarily be up to you to keep your site out of the hands
of hackers.
The Security Plan
What can you do to protect yourself and your website(s) from hacker attacks? First the bad news:
If a hacker really wants to get into your website or take your site off the Web, then he or she can
probably do so (given enough time and effort) and you can't do much about it. After all, if a hacker
can break into the FBI or CIA website and cause problems, what chance do you have?
Don't panic! There are some basic steps that you can take to help guard against anyone gaining
illegal access to your site and to help you get back up and running again if the worst really does
happen. As the saying goes:
"Hope for the best, plan for the worst, and expect anything in between."
Here are some common ways that hackers gain access to your site (or even your home computer)
in no particular order:
Weak Passwords: While using a short, simple password at every Internet site you
access (and at your own website) may make life somewhat easier for you, it also
makes breaking into your site nearly child's play for a hacker. A small note pad or
notebook and pen or pencil will probably cost you very little, but it can make it
simultaneously much easier for you to remember what complex password you used
at a given website and also that much harder for a hacker to gain access to your
private information. Use different usernames and passwords on every website you
access and keep a log of them all. Don't use simple passwords that are words. Make
sure the password contains letters and numbers, and ChAnGe ThE CaSe if the site
password is case sensitive.
Do not write the passwords themselves in the book; instead, write a hint that lets you reconstruct the correct password. For example, if your password is MHirvg79, then you
might write something like this as a hint: "My Host is really very good + the year of my
birth". This is rather simple, but you can get the general idea from it. There are also
several computer programs that offer to save passwords and other sensitive information in
a heavily encrypted format so only if a person knows the (hopefully hard to guess) master
password will they be able to access your private info, even if they steal the file itself.
Ideally, you should not write down your passwords at all; you should memorize them and
never tell them to anyone else. However, unless you have a photographic memory, this is
unlikely to be feasible without relying on just a few passwords. It is more secure to
follow my suggestions above than risk using just a few simple passwords. Just be sure to
keep your password book or program well protected!
Insecure Scripts/Programs: Although that new script you found might be the best
thing since the advent of the Internet, that doesn't mean that it is totally secure. Hackers
constantly look for holes that will allow them to bypass the security built into a script
or program and the more popular a script is, the more likely that hackers will target it to
try to find holes. Once you make a choice to install a script or program on your website
(whether you use cPanel's Scripts Library or install the script manually), it will be up to
you to make sure that you keep up with installing the latest versions of a script. New
versions of scripts don't just add new features; they very often fix identified security
holes. If you are uncertain how to go about updating the scripts you use, ask other
people who use the same script or visit the website of the author(s) of the script in
question and see if they have directions on how to upgrade from an older version.
Chances are good that they will be able to help.
Social Engineering: Unbelievably, hackers can often gain access to your site
directly from you. They might send you an e-mail claiming to be someone from your
web host or some other official-sounding company. They may tell you that you need
to go to a particular web page and update your personal information or enter your
credit card information. The website might even look legitimate on the surface. How
do you defend against this sort of thing? First, pay attention to what information you
are being asked for. Does it make sense? Does the e-mail address, URL, and so on
not match what you think it should? For example, if your web host doesn't provide
support via instant messaging clients and all of a sudden you get an instant
message from someone claiming to be from them, be very careful and don't give out
any personal information. Immediately contact the company through official
channels and find out if the contact is really from an employee or not. Most
companies are very careful about this and will only contact you through official
channels. Keep in mind that most web hosts use a payment processor like PayPal or
2checkout.com to handle credit card and payment options and so should never need access to your personal credit card information (though they may ask for the last 4 digits
for verification). Check with your host when in doubt and do not provide personal or
financial information to anyone you don't know. Even if you are sure that the company or
person contacting you is who they say they are and they have a legitimate need for
information, do not provide them with more information than they absolutely need.
Virus/Worm/Keylogger/Spyware: If you don't have a good virus-scanning
program, then you really should go out and get one right now. Also, be sure to keep it up to date or it will be useless. Even if you have
one that is up to date, don't allow this to lull you into a false sense of security; new
viruses and other security threats are released nearly every day, so it's possible your
virus scanner could miss the very latest virus/worm or keylogger. In addition, you
need to be careful not to let that friend of a friend have unsupervised access to your
computer, no matter how nice they seem. It only takes a few seconds for a prepared
hacker to install a nearly invisible keylogger that records everything you type and
sends a copy to the person who installed it. They can use that to gain access to all of
your personal information.
These are not the only ways that a hacker can gain access to your site or computer, but they are
some of the most common.
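The check described under Social Engineering above (does the e-mail address or URL match what you think it should?), written out as an added Python example that is not part of the original article. The domains myhost.example and account-verify.example and the sample message are constructed placeholders.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: your host's real domains, from your own records (placeholder value).
TRUSTED_DOMAINS = {"myhost.example"}

def domain_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only for a trusted domain itself or a subdomain of one."""
    host = (host or "").rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)

def check_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Judge the real address in a From: header; the display name is ignored."""
    _name, addr = parseaddr(from_header)
    _local, at, domain = addr.rpartition("@")
    return bool(at) and domain_is_trusted(domain, trusted)

def check_link(url, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link does not match the site you expect."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ["malformed URL"]
    host = parts.hostname or ""
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append("text before '@' is not the host")
    if not domain_is_trusted(host, trusted):
        reasons.append("host %r is not trusted" % host)
    return reasons

def review_message(from_header, body, trusted=TRUSTED_DOMAINS):
    """Check the sender and every link found in a message body."""
    links = re.findall(r"https?://[^\s<>\"']+", body)
    bad = {u: r for u in links if (r := check_link(u, trusted))}
    return {"sender_ok": check_sender(from_header, trusted), "bad_links": bad}

# Constructed sample message (not a real e-mail).
SAMPLE_FROM = "MyHost Billing <billing@account-verify.example>"
SAMPLE_BODY = """Update your card: https://myhost.example.account-verify.example/login
or https://myhost.example@account-verify.example/login
Real control panel: https://cp.myhost.example/login
"""

if __name__ == "__main__":
    print(review_message(SAMPLE_FROM, SAMPLE_BODY))
```

Both flagged links contain the host's name, but the name is only a subdomain label or text before an "@"; the comparison is made against the host the browser would actually connect to.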
Another common type of attack is a Denial of Service (DoS) attack. This sort of attack uses many
computers to flood your web server with fake requests for information. While this won't affect the
data in your account like a direct hacking attempt could, it will slow down your server to the point
where your website may no longer be accessible. Web hosts and data centers work hard to combat
these sorts of attacks, but they are difficult to protect against. Please try to be understanding with
your host if your server is the subject of a DoS attack, because it can take a while to filter out all
of the fake traffic and return things to normal. Rather than go into depth here about exactly how
DoS attacks work, please read the article at grc.com/dos/drdos.htm, which explains it
quite well.
I hope that you will never experience such an attack, but if you do, at least you will know exactly
what is happening.