Tuesday, August 21, 2012

Help! My website got hacked

Internet security is one of the most important components of our everyday lives, but most people take it lightly.

We hear about websites being hacked on a daily basis, but what could the possible causes be? In recent weeks, there has been a sharp increase in website hacking cases by a group of local hackers targeting WordPress websites. The victim's website would be defaced with a hacked "Hari Raya" page.

With more than 12 years of experience in the web hosting industry, we see that most hacking cases are caused by insecure and outdated source code in the website itself. This accounts for almost all website hacking causes.

Possible causes of website hacking:

1. Common website frameworks (WordPress, Joomla, Drupal, etc.)
- The most commonly used website framework is WordPress, as it is mature, easy to use and offers a lot of useful free plugins. Despite its popularity, WordPress comes with a big security issue. WordPress is an open source platform, which means everybody can download the code, including the bad guys. This means that the bad guys know the ins and outs of your website.

2. SQL injection
- The bad guys could launch an SQL injection attack on your website, as they know how your website works. Remember that they have the code of your website. Upon gaining access, they could deface your website and steal your data.

3. Password leak
- Do you save your passwords in your Internet browser? That is a very bad habit and you need to remove all of them. A virus, malware or Trojan infection on your workstation could get your website hacked. The bad guys will be able to retrieve all your passwords and launch an attack. Use a secure password, save it in a safe location and share it only with the people who need it.

4. Easy-to-guess passwords
- abc123 and qwerty are easy passwords for you as well as for the bad guys. Stop using easy passwords! Your password should have a combination of upper/lower case letters, numbers and symbols.

5. Plugins/Themes
- You have updated your WordPress but still got hacked. What is happening? We see many cases of intrusion through plugins and themes. Remember to update all your plugins and themes. Only install necessary, trusted plugins on your website.

6. Compromised host
- The hosting server could be compromised or have a bad security policy. From our experience, this would be the last thing to happen, as most good hosting companies secure their servers from attack, unless you are getting inferior low-budget services from your host. More bad guys try to hack at the website level than at the server level, because of the difference in difficulty.

10 Simple Steps to secure your website

1. Keep your framework secure and update it whenever a new update is released.
2. Choose your plugins and themes carefully. Keep them updated regularly.
3. Hire a good developer to customize and secure the website for you.
4. Inspect your website logs to trace possible hacking attempts.
5. Subscribe to a third-party security scanning service.
6. Remember to keep a local backup copy on your workstation at all times. Usually, your host will do the backup for you.
7. Monitor your WordPress with plugins. My recommendations would be:
  • Exploit Scanner
  • WordFence Security
  • WordPress Sentinel
  • WP Notifier
  • VIP Scanner 
8. Get assistance from your hosting provider to trace the intrusion, restore the site and get advice. A good premium-grade hosting company could be your choice, as they would assist you, while a budget hosting solution would have limited resources. Running a forensic investigation on a hacked site requires a lot of skill, experience and time.
9. Talk with your developer or host about how to improve your website security.
10. Subscribe to a web firewall service if the budget allows.
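
One way to carry out step 4 (inspecting your website logs), as an added example that is not part of the original post: it scans access log lines for repeated login POSTs from one address and for SQL injection markers in query strings. The "combined" log format, the threshold of 5, the marker list and the sample log lines are assumptions made for this illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Start of an Apache/Nginx "combined" log line: client IP, timestamp, request.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} '
)
# Heuristic markers that rarely occur in legitimate query strings (not exhaustive).
SQLI_RE = re.compile(r"union\s+select|information_schema|sleep\s*\(|'\s*or\s+'?\d", re.I)
# WordPress endpoints that accept a username and password.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def review_log(lines, login_threshold=5):
    """Return ({ip: login POST count >= threshold}, [(ip, decoded request path)])."""
    login_posts = Counter()
    sqli_hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        base, _, query = m["path"].partition("?")
        query = unquote_plus(query)  # decode %20, + and similar before matching
        if m["method"] == "POST" and base in LOGIN_PATHS:
            login_posts[m["ip"]] += 1
        if SQLI_RE.search(query):
            sqli_hits.append((m["ip"], f"{base}?{query}"))
    noisy = {ip: n for ip, n in login_posts.items() if n >= login_threshold}
    return noisy, sqli_hits

# Constructed sample log lines (documentation IP ranges), not from a real site.
SAMPLE_LOG = [
    f'203.0.113.7 - - [21/Aug/2012:10:00:{s:02d} +0800] '
    '"POST /wp-login.php HTTP/1.1" 200 1523 "-" "-"'
    for s in range(6)
] + [
    '198.51.100.20 - - [21/Aug/2012:10:01:00 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.20 - - [21/Aug/2012:10:01:05 +0800] "GET /?p=12 HTTP/1.1" 200 8211 "-" "-"',
    '192.0.2.44 - - [21/Aug/2012:10:02:00 +0800] '
    '"GET /index.php?cat=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 512 "-" "-"',
    'garbage line',
]

if __name__ == "__main__":
    noisy, hits = review_log(SAMPLE_LOG)
    print("Repeated login POSTs:", noisy)
    print("Requests with SQL injection markers:", hits)
```

Addresses reported here are starting points for the trace with your host or developer, since a match shows an attempt and not necessarily a successful intrusion.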

Are you totally safe from the bad guys after securing your website? My answer would be NO! Government websites with millions of dollars of security investment could be hacked, so there would be no exception for yours. There is no guarantee that your website is safe from hacking, but at least you have reduced the risk by making it difficult for the hacker.

Wednesday, August 8, 2012

Simple steps to secure your email account

Email services with collaboration features are the norm nowadays, and most users keep critical data in the cloud. With the great power that you get from your email services comes a greater responsibility to protect your account.

As a continuation of the previous topic of identity theft with domain names, the same thing could also happen when somebody hijacks your email account. A hacker could cause a lot of damage by gaining unauthorized access to your email account. Your email account could contain your passwords, top secret emails, password retrieval emails, etc. The last thing that you need is nasty emails being sent out from your email account to your contacts. Is this enough to scare you off from having an email account? You do not have to worry and delete your email account now; I will provide a few simple measures that you can take to secure your email account so that you do not have to fall back to pigeon post.

Drawing on 12 years of experience in the web hosting industry and numerous encounters with email account intrusions, here is a recipe you could follow to secure your email account:

1. Password
This is the most crucial and first line of defense for your email account. A weak password is a recipe for disaster. Passwords such as 'abc123', 'qwerty', '123456', etc. are too common, and these are the first few combinations that a hacker will attempt. A strong password consists of upper case, lower case, numbers and symbols. If your name is Michael and you want a password that is easy to remember, you could try something like 'W1cH@3LM2012'. The strength of this password would definitely turn the hacker off. A good password is one that is strong and easy for you to remember.

2. Email Service provider
Depending on your email hosting package, a good provider will enforce a minimum password strength policy and have at least a brute-force attack firewall to fend off unauthorized access.

3. Choosing a unique email username
david@domain.com, mary@domain.com, peter@domain.com, etc. are too common, as they are based on words from the dictionary. I would recommend that you use firstname.lastname@domain.com, as these words are not from a single line in the dictionary. Aside from increasing your account security, you could also reduce the amount of spam coming to your account.

4. Check your PC for virus
A badly infected machine could contain a virus that is able to manipulate your email client (Outlook, Thunderbird, etc.) as well as your browser's saved passwords. Most of the time, the user is not aware that the virus is exploiting the email account, as the process always runs in the background. A virus could be a medium on your machine that relays your account information back to the hacker, or it could be a spambot that resides on your machine and turns it into a spamming gateway. Always get a qualified technician to scan your machine periodically, and get good antivirus software.

I hope these few simple steps will save you from the misery of experiencing email account exploitation.