Zimbabwe and regional technology news and updates


The basics of protecting your website

You have been hacked

This guest article was written for TechZim by Joe Ruzvidzo, a blogger and consultant based in Harare, Zimbabwe. He writes here in his personal capacity.

You have been hackedThere have been numerous stories here on TechZim and around the world about websites being hacked. Some of the largest brands locally and abroad have had their websites defaced, and the epidemic isn’t limited to just the big names.

There seems to be a slight uptick in defacement of even relatively obscure (on a global scale) websites; it seems nobody is safe from the threat, although in my experience recent hacks have limited themselves to simple defacement, with no obvious malicious intent. It also does not appear that the servers themselves are being penetrated, but specific sites with vulnerabilities are being targeted.

We need to educate ourselves as Zimbabweans, both developers and clients, on the best ways to prevent these types of attacks. Protecting your website at the most basic level requires guarding three things: your site itself, the password(s) used to upload content to the site, and the computer(s) used to upload content to the site.

The site itself must be protected because attackers often look for vulnerable software to exploit so they can modify your site’s contents. The passwords are critical because, if they are guessed or stolen, they can be used to modify the site. Finally, computers are important because badware on your computer can steal your password and/or modify the contents that you are uploading.

Protect your site
Ensure that any software you use (e.g., blogging software like WordPress, Joomla, third party scripts, etc.) is kept up to date with the latest security fixes. WordPress for example notifies you when either the install itself or one of your plugins it out of date. Do not ignore this. Stay up to date.

Remove any scripts, services, or other software that you are no longer using. Whether it’s an old contact form, an abandoned plugin or component, if you’re done with it, remove it.

Change any default passwords that come with the software you are using. This goes without saying, surely.

Use appropriate file permissions on your web files. Some third-party components (like JomSocial for Joomla) may ask you to set your permissions to 777. That is public write access. Do not do it, whatever happens. As a rule, 644 is your best friend, and 755 is second best. These are explained here.

Protect your password
Use a strong password and change it regularly, especially if you have reason to think it has been compromised. A secure password is at least 8 characters long (longer is better) and composed of three of these character classes – lower-case letters, upper-case letters, numeric and non-alphanumeric (!@#$<,”) characters.

Protect your computer
Remember, the files you’re uploading to your website come from your computer. If there is malware on your machine, it could inject code into your files before you upload them. It could also be used to harvest your FTP logins. Secure your operating system, keep all your software up to date, install security software and proceed with caution!

This article is not comprehensive, but should be seen as the start of a conversation where we can help each other become more security-conscious. It is up to you to keep yourself up-to-date with all the security protocols necessary to protect your work and your reputation. Feel free to let us know in the comments how you’re securing your web presence.

Quick NetOne, Econet, And Telecel Airtime Recharge

10 thoughts on “The basics of protecting your website

  1. I think, in the interest of business, it is the responsibility of service providers to make sure their servers and websites/applications they host are secure. Otherwise they will lose the few dollars the clients are paying to SA or international hosting. Once we are hacked on international server, we will then come back (which is rare though). The expertise of local hosting is doubtful as in the case of WebDev who are also the developers of the hacked herald site which they host. So I am sure they should have been knowledgeable about securing their site since they both developed and hosted it!

    1. how did you come to this conclusion webdev was responsible? Is it not possible like this article is saying that herald users got compromised and this hacker looked legit to the webdev server? Neither am i saying its not their fault. I like the neutrality of the author of this article because he is acknowledging the fact that its not one man’s responsibility to gurad against hacking

    2. Okay, let’s say the customer / developer abdicates all responsibility for securing their own site.

      When the site is hacked, whose brand suffers?

    3. Iwayafrica runs Php4, forces users to upload phpmyadmin 2.1.1, anything above that wont work, baiscally open door to db hacking. My 2 cents, dont use Iwayafrica…rubbish and stubborn!

  2. Thanks for highlighting  some of the  basic for web security. However, there is several conduits that  play a role in effective web security. These include the human, the code, the technological and environmental components. Zimbabwe is still locked in a wrong mentality of blaming each other but time is moving. Wish I had time I would write more about  Web Security.

  3. Iwayafrica shockingly only issues you with a a single username and password with read/write/drop privileges to your database. If you are building an application and you host with Iwayafrica, you are forced to upload the file with such senstive infor. In the case of this file being hacked, you can kiss your DB bye bye!
    Moreover IwayAfrica still uses php4 forcing clients to run phpmyadmin 2.1.1….the open door to even noob hackers.
    Wonder who is running IwayAfrica? Anyway my point is it doesnt matter what you do, if your hosting provider is rubbish, expect disasters

  4. There are many layers of security, each contributing to the overall security of your web app. Physical, OS Level, layers within that OS Level, web server application level, your web app level security. Each of these gets granular and needs to be addressed, depending on what is being served, whether it needs to be secure and to what level.

    You can practice secure coding in your webapp, guard against all vectors of attack, but if the Root password of the server is a dictionary word, then it is definitely vulnerable to attack. Most web hosting scenarion (esp. in Zim) have you at the mercy of the provider AT OS Level. If the provider is in any way lax in implementing security measures, your app is very vulnerable. Using that example, an intruder who wouldve compromised that web server AT OS Level will have the ultimate access that even the best web developer cannot prevent.

    Shared hosting scenarios are also a serious issue. If not properly implemented, you can find yourself or others crossing over and accessing other website files (I experienced this a while back and alerted the provider. Through FTP I could get out of my home directory and browse other user/website files….gasp, yeah.)

    Concerning iWayAfrica, I know they have PHP 5.x

  5. Working on a full on Article on the real aspects and points on securing your site from a Hackers perspective. If I get time I will email Kabweza something. Web security alone is a vast field I worked for a Pen testing company starting out and could share a few notes, and some of my friends will remember my interest in the security field from my teen days that led to my expulsion from High School.

    I will look to set up a real demo on a live server, If I can I will use joomla as much as I can.

    Will update you

Comments are closed.