
What security measure should you take if you run a web site/forum?


Ram8349


Since I've been hearing people saying their forums are hacked, I've been wondering...

So I also run a web site with a forum. It is hosted by Hostgator.

Is it safer just because the host is a big name company with good rating?

Should I be concerned and take some kind of precaution? Or should I just leave the security to Hostgator?

Link to comment

  • Make sure your password is unique and not written down anywhere. You should make sure that it includes a random mix of numbers, letters including caps and symbols. Over 6 characters should do it.
  • Make sure your hosting account has notifications set up for logins.
  • Make sure your hosting account email and password is secure and unique.
  • Make sure your permissions are set up correctly
  • Make sure you check your logs often.

Other than that you should be safe. Really if you're not hosting credit card details then you should be fine.

Link to comment

That reminder about the passwords cannot be over-emphasized. I make it a mandatory rule for myself that my password must include:

1. Upper case and lower case letters
2. Numbers
3. Special characters.

Also my password must be something that I can remember very easily. Nothing is more frustrating than being locked out of your own site because you have fumbled the password.

Of course, the server must be set to notify you immediately when someone logs in even if that someone is yourself. I also have a couple of other third-party monitoring services to keep an eye on unusual activity on my server.

On top of that, make it a point to be on good terms with everyone as far as possible. With the best security measures in place, if you have a very determined hacker, or worse yet a very determined and very aggressive group of hackers, your site is going to be hacked, sooner or later.

Link to comment

Are you guys all suggesting that hacked forums all had someone somehow "guessed" the administration password?

Is that the only way to be hacked?

Does the Host (Hostgator in this case) have their own counter-measure against the hackers and to protect their customers?

Link to comment

> Are you guys all suggesting that hacked forums all had someone somehow "guessed" the administration password?
>
> Is that the only way to be hacked?
>
> Does the Host (Hostgator in this case) have their own counter-measure against the hackers and to protect their customers?

That's one way. It's probably one of the easiest ways, too, because some people have absolutely no idea what to do with a password. Plus many people who are forum owners also have Facebook accounts where anyone who bothers to look it up will find personal information which is very likely to be used in the password.

Link to comment

One that people have not yet mentioned which is usually the main source of hacking when it comes to forums and other CMS software is "ALWAYS run the latest version of your software". This is one of the primary reasons people get their forums hacked as they are not fixing their security issues when informed of them. Upgrades should be done as soon as you can and security patches should be done as soon as you find out about them.

Link to comment

> One that people have not yet mentioned which is usually the main source of hacking when it comes to forums and other CMS software is "ALWAYS run the latest version of your software". This is one of the primary reasons people get their forums hacked as they are not fixing their security issues when informed of them. Upgrades should be done as soon as you can and security patches should be done as soon as you find out about them.

Do you think when a new security patch is announced, it actually puts the older version at greater risk by announcing the security hole to everyone?

Link to comment

> Do you think when a new security patch is announced, it actually puts the older version at greater risk by announcing the security hole to everyone?

I have often thought that yes.

Link to comment

> Are you guys all suggesting that hacked forums all had someone somehow "guessed" the administration password?
>
> Is that the only way to be hacked?
>
> Does the Host (Hostgator in this case) have their own counter-measure against the hackers and to protect their customers?

Sometimes, that can happen from a guess (very rare).

But more often than not, cracked admin passwords come from brute force attacks. Which is why it's important to have an extremely varied password and/or change it daily.

Link to comment

Basic Intro To Hacking:

There are 3 main steps into hacking starting with the easiest to the hardest.

  1. Guessing.
    Easiest way to hack someone's password is to guess. Sounds stupid but it's true. Most people use silly stupid passwords like password, name of children or birthplace. This is where you also try the normal passwords.
  2. Asking Them
    Again stupid; you could just outright ask someone for the password. You would be surprised about how many people are willing to give you their password. Sometimes it is just asking straight away, or needing it for a reason.
  3. Brute Force
    The old start with a,b,c... then aa,ab,ac... the... I am sure you get it. This is why we stop people from just filling out the login form.

It is easier to do with phones/alarm codes:

  1. First, 1234 1111 2222 3333 4444 5555 6666 7777 8888 9999 0000
  2. Second, their DOB, children's birthdays, anniversary. Simple stuff like that.
  3. Third; 1111, 1112, 1113, 1114...

The idea is that the more possible combinations there are, the harder it is to guess.

If you only allow 4 numbers 0-9 then that leads to 9 different combinations 4 times. That's 9^4. That is 6561 different combinations.

Still think your alarm is keeping you safe?

Link to comment
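
An added example, not part of the post above and not any forum package's own code: the post's point that a login form has to limit repeated attempts, shown as a per-account throttle whose delay doubles after each failure. The class name, its defaults and the `guesses_in` helper are assumptions for illustration; `PIN_SPACE` counts a four-digit code with digits 0-9.

```python
class LoginThrottle:
    """Per-account lockout: a few free attempts, then a delay that doubles per failure."""

    def __init__(self, free_attempts=5, base_delay=30, max_delay=3600):
        self.free_attempts = free_attempts
        self.base_delay = base_delay      # seconds
        self.max_delay = max_delay        # cap so the real owner is never locked out forever
        self._state = {}                  # username -> (failure_count, locked_until)

    def seconds_until_allowed(self, username, now):
        """Call before checking the password; reject the attempt if this is > 0."""
        _, locked_until = self._state.get(username, (0, 0.0))
        return max(0.0, locked_until - now)

    def record_failure(self, username, now):
        count, locked_until = self._state.get(username, (0, 0.0))
        count += 1
        over = count - self.free_attempts
        if over >= 0:
            locked_until = now + min(self.max_delay, self.base_delay * 2 ** over)
        self._state[username] = (count, locked_until)

    def record_success(self, username):
        self._state.pop(username, None)   # a correct login clears the counter


def guesses_in(seconds, throttle, username="admin"):
    """Count attempts a client gets in `seconds` if it retries the moment each lock expires."""
    now, guesses = 0.0, 0
    while now < seconds:
        throttle.record_failure(username, now)
        guesses += 1
        now += throttle.seconds_until_allowed(username, now)
    return guesses


PIN_SPACE = 10 ** 4   # four positions, ten digits (0-9) each

if __name__ == "__main__":
    per_day = guesses_in(86400, LoginThrottle())
    print(f"{per_day} guesses per day; {PIN_SPACE / per_day:.0f} days to try all {PIN_SPACE} codes")
```

A per-account lock also lets anyone delay the real owner's login by failing on purpose, so it is normally paired with per-IP limits and login notifications. State here lives in memory; a real site would keep it in the database.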

Guys, I think he's talking about his site's safety and not his password.. although his password does have a lot to do with his site's safety :P

Because if they hack into your account.. They have a lot of access.

Everything should be good on your host's side though.. But take general backups

Link to comment

> Guys, I think he's talking about his site's safety and not his password.. although his password does have a lot to do with his site's safety :P
>
> Because if they hack into your account.. They have a lot of access.
>
> Everything should be good on your host's side though.. But take general backups

If they have certain passwords they will have FULL access let alone a lot LOL .. And that's the ultimate security risk. Most sites get hacked not by clever people, but by users who don't think of the simple things :)

Link to comment

Just keep in mind, the site is only as secure as the server it's on. If the company hosting it doesn't secure their servers properly, anything on those servers is vulnerable.

And that my friend is why I run my own LOL

Link to comment

> Just keep in mind, the site is only as secure as the server it's on. If the company hosting it doesn't secure their servers properly, anything on those servers is vulnerable.

This is an extremely good point. And one that usually goes overlooked by everyone trying to shore up their sites. There are those times that they can only do so much in terms of security and they're left up to the fates with the company's server.

Link to comment

I don't particularly like "big hosts". The support is never usually dedicated and the servers are usually slow and overcrowded. I've had sites hosted with HostGator and it hasn't been overly impressive.

As for security:

- Set up .htaccess and .htpasswd where possible (if possible)
- Don't use the same admin account password anywhere else
- Change your MySQL database password frequently
- Run scans of your hosting account with tools such as ClamAV (if your host offers it)
- Make sure you're using the correct CHMOD permissions as given by the vendor of the software.
- Don't promote people to staff just so they join your forum.

Link to comment

> I don't particularly like "big hosts". The support is never usually dedicated and the servers are usually slow and overcrowded. I've had sites hosted with HostGator and it hasn't been overly impressive.
>
> As for security:
>
> - Set up .htaccess and .htpasswd where possible (if possible)
> - Don't use the same admin account password anywhere else
> - Change your MySQL database password frequently
> - Run scans of your hosting account with tools such as ClamAV (if your host offers it)
> - Make sure you're using the correct CHMOD permissions as given by the vendor of the software.
> - Don't promote people to staff just so they join your forum.

Depends on what you are buying. If you're getting an unmanaged box who needs the support LOL

Link to comment