This guest article was written for TechZim by Joe Ruzvidzo, a blogger and consultant based in Harare, Zimbabwe. He writes here in his personal capacity.
There have been numerous stories here on TechZim and around the world about websites being hacked. Some of the largest brands locally and abroad have had their websites defaced, and the epidemic isn’t limited to just the big names.
There seems to be a slight uptick in the defacement of even relatively obscure (on a global scale) websites; nobody seems to be safe from the threat, although in my experience recent hacks have been limited to simple defacement, with no obvious further malicious intent. It also does not appear that the servers themselves are being penetrated; rather, specific sites with vulnerabilities are being targeted.
We need to educate ourselves as Zimbabweans, both developers and clients, on the best ways to prevent these types of attacks. Protecting your website at the most basic level requires guarding three things: your site itself, the password(s) used to upload content to the site, and the computer(s) used to upload content to the site.
The site itself must be protected because attackers routinely scan for vulnerable software to exploit so they can modify your site's contents. The passwords are critical because, if they are guessed or stolen, they can be used to modify the site just as easily. Finally, your computers matter because malware on them can steal your passwords and/or tamper with the content you are uploading.
Protect your site
Ensure that any software you use (e.g., blogging software like WordPress or Joomla, themes, third-party scripts, etc.) is kept up to date with the latest security fixes. WordPress, for example, notifies you when either the core install or one of your plugins or themes is out of date. Do not ignore this. Stay up to date.
Remove any scripts, services, or other software that you are no longer using. Whether it's an old contact form or an abandoned plugin or component, if you're done with it, remove it. Merely deactivating a plugin is not enough: its files are still on disk and still reachable by anyone who knows their path, so delete them.
Change any default passwords that come with the software you are using. This goes without saying, surely.
Use appropriate file permissions on your web files. Some third-party components (like JomSocial for Joomla) may ask you to set your permissions to 777. That is public write access: any user or process on the server, including other customers' sites on shared hosting, can change your files. Do not do it, whatever happens. As a rule, 644 (the owner can read and write, everyone else can only read) is your best friend for files, and 755 (the same, plus the execute/traverse bit that directories need) is second best for directories. If a component genuinely needs somewhere to write, such as an uploads or cache directory, make that one directory owned by the web server's user instead of opening it to the world.
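As an added example (not part of the original article, and not taken from any CMS's own tooling), the script below audits a web root on a Linux or other Unix-like host for anything world-writable and resets files to 644 and directories to 755. The web root path is a placeholder; if your site has an uploads or cache directory that must stay writable by the web server user, fix that directory's ownership afterwards rather than reopening it with 777.

```shell
#!/bin/sh
# Audit a web root for world-writable entries, then tighten them to the
# 644 (files) / 755 (directories) baseline described above.
# Added example; the web root passed as $1 is a placeholder.

# Print every file or directory under $1 whose "other" write bit is set,
# i.e. the bit that 777 hands out. "-perm -o=w" is POSIX find syntax.
find_world_writable() {
    find "$1" -perm -o=w -print
}

# Reset directories to 755 and regular files to 644. Symbolic links are
# skipped (-type d / -type f do not match them), so a link pointing outside
# the web root is never touched.
harden_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Exit status 0 if nothing under $1 is world-writable, 1 otherwise.
check_clean() {
    [ -z "$(find_world_writable "$1")" ]
}

# Usage: sh harden.sh /var/www/html
if [ -n "${1:-}" ]; then
    echo "World-writable entries under $1:"
    find_world_writable "$1"
    harden_permissions "$1"
    check_clean "$1" && echo "Done: nothing under $1 is world-writable now."
fi
```

Run it once with only the first function (or with `find_world_writable` alone) to see what it would change before letting it chmod anything; on a host where the CMS writes its own uploads, follow up with `chown` for the web server's user on that directory only.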
Protect your password
Use a strong password, use a different one for every site and service, and change it regularly, and immediately if you have any reason to think it has been compromised. A secure password is at least 8 characters long (longer is better; a long passphrase beats a short jumble) and composed of at least three of these character classes: lower-case letters, upper-case letters, digits and non-alphanumeric (!@#$<,") characters. A password manager makes generating and remembering such passwords painless, and where your software or hosting control panel offers two-factor authentication, turn it on.
Protect your computer
Remember, the files you upload to your website come from your computer. If there is malware on your machine, it could inject code into your files before you upload them, or harvest your FTP login as you type it. Note too that plain FTP sends your username and password across the network unencrypted; use SFTP or FTPS where your host supports it. Secure your operating system, keep all your software up to date, install security software, and proceed with caution!
This article is not comprehensive, but should be seen as the start of a conversation where we can help each other become more security-conscious. It is up to you to keep yourself up-to-date with all the security protocols necessary to protect your work and your reputation. Feel free to let us know in the comments how you’re securing your web presence.