Server security is a complex and constantly changing topic. Every update to hosting software or CMS platforms can introduce new exploits and have unpredictable consequences. While keeping up with every security issue is virtually impossible, neglecting obvious concerns or implementing poor security practices increases the chance of a security breech. The five tactics below are simple to perform yet often neglected by many website administrators.
Failing to Set File Permissions
File permissions are one of the most basic forms of security any webmaster can implement. File permissions allow you to assign read and write permissions to any file on the server based on a number of criteria. Options include limiting access based on user account, user group and global flags.
Depending on your hosting platform, the steps to set file permissions differ slightly. However, in most cases, this only takes a few mouse clicks to complete. The most common place to find these settings is within the file manager for your hosting platform. Manual file permission configuration is available through console commands such as CHMOD as well.
A common error many webmasters make is to leave file permissions at their default settings. In many cases, this leaves many critical files open to attack from anyone who knows how to access them. To help improve server security, consider setting up dedicated accounts for specific actions and set your permissions accordingly. This means that if a compromise occurs, the attacker only gains limited access to site internals and data.
Neglecting Software Updates
Just like smartphones or personal computers, web servers receive regular updates. These updates not only include optimizations and added features, but also critical security updates. Keeping all software on a web server up-to-date will greatly increase the security of any site.
Common updates include Apache, mySQL, PHP and any content management systems you might have in place, such as WordPress. Administration panels, such as cPanel, often provide simple ways to check for updates. Just a few mouse clicks and a few seconds of downtime is all it takes to keep things running smoothly and securely.
Utilizing Weak Passwords
No amount of file permissions, software updates, firewalls or other security options can make up for weak passwords. As processing power and bandwidth speeds increase, so does the power that hackers and malicious users wield on the Internet, as brute-force attacks are that much faster. A strong password is the first line of defense against many of the attacks a website could face.
Symantec recommends the following regarding passwords:
• Should include at least one uppercase letter, lowercase letter, numeral and special character.
• If the host operating system allows, control characters, spaces and alt characters can add complexity and security as well.
• Should be a minimum of eight characters in length. Longer is always better when supported.
• Never use common dictionary words or personal information when creating a password.
Keeping the Same Passwords Forever
Even the strongest passwords can be cracked by brute-force methods if they are never changed. Schedule password changes at regular intervals, just as you do with backups.
Varying your passwords to generate separate ones for each account or directory to be protected offers the most security, but it can be a pain to change them often. One tip to help you manage this is to start with a base password, such as “b@n@na_f1sh,” and append an identifier for the account/directory as well as numbers that increase with each change, such as “b@n@na_f1sh_w0rdpr3ss1″ which changes to “b@n@na_f1sh_w0rdpr3ss2″ and then “b@n@na_f1sh_w0rdpr3ss3,” and so on. While this is not as secure as completely random passwords, it can make changing and managing passwords frequently a bit easier.
Not Implementing .htaccess Controls
The .htaccess file is a basic ASCII text file that can modify the way Apache serves and accesses files on the server. When placed within a directory of the server, the scope of the file includes the current directory and any sub-directories. If you intend to implement a complex .htaccess setup, take care to avoid conflicting commands as this can greatly affect server performance or create unending loops.
One of the most important security uses for .htaccess is blocking access to a website from spammers and known “bad neighborhoods.” Conditions for creating filters include IP addresses, domain names, user agents and even country. This makes it easy to block malicious bots, prevent specific domains from accessing the site or redirect traffic from sensitive pages.
Another common use for .htaccess is to prevent file indexing. This prevents users from viewing the file structure of the web server and potentially accessing files that were not intended for public viewing or download. Using this feature is as simple as adding “IndexIgnore *” to the .htaccess file in the root directory of the hosted site.
Security is an ever-developing field, so the best thing to do after implementing the above is to simply stay abreast of the newest threats and ways to block them.
Thomas Eldridge is a respected freelance writer who loves covering all things tech related. When he’s not covering hot issues in the tech world, you can find Thomas reviewing sales tax by state or coaching his son’s little league team.