What needs to be understood is that no one can achieve all the needed protection for a fully safe web site. Such a site is offline, on a powered-off web server in a closed and locked room in the basement.
On the other hand, several options are available to a prospective webmaster who wants a web site that is reasonably safe from hackers. Software protection measures will be discussed separately.
For now, let's focus on things that do not need special knowledge on the user's side.
- Use an off-the-shelf product for the web engine, preferably an open-source one. Such products add functionality and patch vulnerabilities very quickly, simply because their code is open to public scrutiny.
- Upon installation of the web engine, remove all installation scripts contained within it - they are an excellent back door into the engine!
- If a database is needed for the engine to function, do not try to be the DBA yourself. Your hosting company has a DB server, as well as people who are paid to make sure that DB server is as safe as possible.
- Just in case, use two separate database accounts with different passwords: one for the web engine to generate the web site pages, with as few privileges as possible, and one administrative account, whose password you should try not to keep in cleartext in the web site files. If this is not possible, follow the web engine's instructions on how to protect the files that contain this password.
- Have a backup of both the engine and the database that is at most a week old. This enables you to land on your feet if your site is compromised.
- Never upload or save any files other than what's needed for the functioning of the Web site. What's not there cannot be compromised!
- Ask the hosting company to deny directory listing on the directories of your web site (if it is not denied by default). For good measure, have an index (default) page in every directory.
- Hide the web administration pages in an obscurely named path that differs from the web engine's default path, and make sure that NO page of the user-accessible site links to the web administration pages. As an additional measure, change the default name of the login page for the web administration. This way, the attacker cannot use a crawler tool to find the admin page and will have to do a lot of guessing to find this interface.
- NEVER, under any circumstances, keep personal or credit card information in the web site database or in the web site directory structure.
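As an added example, not code from the original post, here is a small POSIX shell audit that checks a document root for three of the items above: directories without an index page, leftover installer scripts, and configuration files readable by everyone. The installer script names (install.php, setup.php, upgrade.php) and configuration file suffixes (.conf, .ini) are assumptions, since the post names no particular web engine; substitute the names from your engine's documentation.

```shell
#!/bin/sh
# Added example: audit a web document root for basic hygiene.
# Usage: sh audit.sh /path/to/docroot   (exits 1 if anything is found)

# Directories with no index.* page: with directory listing enabled, the
# server would show their contents to anyone who requests the path.
dirs_without_index() {
    find "$1" -type d | while read -r d; do
        if ! ls "$d"/index.* >/dev/null 2>&1; then
            echo "$d"
        fi
    done
}

# Installer scripts left behind after setup (names are assumptions).
leftover_installers() {
    find "$1" -type f \( -name 'install.php' -o -name 'setup.php' \
        -o -name 'upgrade.php' \)
}

# Configuration files readable by "others" (-perm -004). A file holding the
# DB password should never be world-readable on a shared host.
world_readable_configs() {
    find "$1" -type f \( -name '*.conf' -o -name '*.ini' \) -perm -004
}

# Run all checks, print findings grouped by check, return 1 on any finding.
audit() {
    status=0
    for check in dirs_without_index leftover_installers world_readable_configs; do
        out=$("$check" "$1")
        if [ -n "$out" ]; then
            echo "[$check]"
            echo "$out"
            status=1
        fi
    done
    return "$status"
}

if [ -n "${1:-}" ]; then
    audit "$1"
    exit $?
fi
```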
Tune in for Part 2 of Having a web site that is not that easy to hack, where we will be discussing the most common software vulnerabilities.