revUp - Updates and news for the LiveCode community
Issue 142 | October 19th 2012

Website Security, or The Importance of Being Updated
Do you have a website? Is it running on Wordpress or Joomla? Is it up to date?

By Heather Nagey

As you are probably aware, we at RunRev run a hosting service, on which we have installed LiveCode Server for your convenience. If you want to know more about this you can visit www.on-rev.com.

From time to time, as any service provider will tell you, we encounter problems that have to be solved. One of the ongoing issues for any hosting service provider is maintaining the security of the servers, and keeping them free of worms, viruses, phishing sites and hackers of all kinds. At the same time, we want to ensure that our users have as much freedom to achieve their goals as possible. After all, that's why you use on-rev: to do interesting and customized things.

On a shared server this can be quite a challenge. If you have a dedicated server, and only you are using it, then the only actions that can lead to security holes are yours. On a shared server, every account that shares it provides a route for hackers to attempt to exploit.

Naturally, we have lots of checks, firewalls, security measures, and ways to keep ill-intentioned persons out, and equally naturally, I'm not going to talk about that here. However, there is one area that presents the most difficult challenge to us. Not to put too fine a point on it: the user.

Of course, the following does not describe any of our readers. Certainly not. Let's call this gentleman Joe. Joe has signed up for a hosting account.

Passwords
The first thing he does is to change his password, from the moderately secure one we provided him with as a default, to something he can remember. 1234 is a favourite. Or open sesame. Letmein. How many accounts do you suppose there are in the world with the password "password"? If you aren't sure what passwords to try out on an account you'd like to access, here's a list. Of course, Joe is perfectly correct that he should change his password, as sending passwords by email is not secure. But please, use the lovely, handy, easy to use Password Generator provided in the cPanel account.

Change Password

If Joe doesn't set a password he can remember, but decides to stick with the one we provided or use a more secure one, of course, he writes it down. On a whiteboard maybe. Or a piece of paper stuck to his office desk. Mmm. Much better to use some kind of Password Manager to save passwords.

Software Updates
Great, Joe has a hosting account, and has logged in. For the moment he still has control of his account as the hackers haven't yet borrowed his password and reset it to something secure (oh yes, it happens).

Now, he installs some great software. Wordpress is an excellent thing to run his blog. Joomla is a lovely content management system for websites. phpBB is a nice free message board where he can host a forum. So far so good. At the time he installs them, they are naturally the latest version, and up to date by default. Now Joe sits back, and watches his website at work.

Or rather, he doesn't. He goes on holiday, gets on with his day job, takes care of his family, and forgets all about his website. Six months later, he is astonished and dismayed to receive a phone call from us, his hosting provider. We're terribly sorry, but we've had to shut down his website, change his password and delete his bulletin board entirely. Why?

Well, the website had been hacked via a backdoor in Wordpress and was hosting a worm which was sending out thousands of spam emails a day, and his bulletin board was so full of spam that it was exceeding his available disk space and bringing the server to a halt. Joomla had been infiltrated by an SQL injection attack, and his website had been rewritten for him by ill-intentioned persons and was now running a phishing scam.

Wordpress is indeed excellent software. But because it is so popular, it is also a hugely popular target for hackers. If you don't keep it up to date, and all its associated plugins, you risk being infiltrated by unpleasant worms and viruses, which invisibly lodge themselves deep in your website, and get to work without you having any idea of it. Likewise, if you don't update your Joomla, it can be vulnerable to the ever popular SQL injection, or XSS attacks. Often, it's not the Wordpress or Joomla install itself that causes the problem, but some third party addon that either has been badly written, is not maintained, or has not been updated when the main installation was updated. It's vital you check out any addons for your website before installing them, and treat them with the same attention to updates as the main software you are using.
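One way to turn "check your core and addon versions" into a routine audit, as an added example that is not part of the original article and not a RunRev or Wordpress tool: it reads the version recorded in Wordpress's `wp-includes/version.php` and the `Version:` header of each plugin's main PHP file, then flags anything older than a known-latest list. The file contents and the "latest" versions below are constructed sample data; in practice you would read the real files from disk and take the latest versions from the vendor.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data standing in for a Wordpress install on disk.
# A real install stores the core version in wp-includes/version.php and
# each plugin's version in the header comment of its main PHP file.
CORE_VERSION_PHP = "<?php\n$wp_version = '3.4.1';\n$wp_db_version = 21115;\n"
PLUGIN_FILES = {
    "sample-seo/sample-seo.php": "<?php\n/*\nPlugin Name: Sample SEO\nVersion: 2.1.0\n*/\n",
    "old-gallery/old-gallery.php": "<?php\n/*\n * Plugin Name: Old Gallery\n * Version: 1.0\n */\n",
}
# Constructed "latest known" versions (hypothetical; normally from the vendor).
LATEST = {"core": "3.4.2", "sample-seo": "2.1.0", "old-gallery": "1.2.3"}


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '3.10.1' into (3, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def core_version(version_php: str) -> str:
    """Extract $wp_version from the contents of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def plugin_version(plugin_php: str) -> str:
    """Extract the 'Version:' header line, with or without a leading '*'."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_php, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


def outdated_components(version_php: str, plugin_files: Dict[str, str],
                        latest: Dict[str, str]) -> List[str]:
    """Return 'name installed -> latest' for every component behind the latest known version."""
    installed = {"core": core_version(version_php)}
    for path, content in plugin_files.items():
        installed[path.split("/")[0]] = plugin_version(content)  # plugin directory is its slug
    return [f"{name} {ver} -> {latest[name]}" for name, ver in installed.items()
            if name in latest and parse_version(ver) < parse_version(latest[name])]


if __name__ == "__main__":
    for line in outdated_components(CORE_VERSION_PHP, PLUGIN_FILES, LATEST):
        print("OUTDATED:", line)
```

A plugin present on disk but absent from the latest-known list is silently skipped here; an unmaintained addon that no longer publishes releases is exactly the case the paragraph above warns about, so treat "no known latest version" as a finding in its own right.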

It's great to have a forum. But if you don't monitor it, delete spam, ban spammers, implement fixes and updates and generally manage it, it will get out of hand faster than you would believe possible.

Not only does all this lead to the phone call from your hosting provider, it also has nasty consequences for everyone else on the server. If a particular server is identified as sending out spam, regardless of who does the sending, the whole server gets blacklisted by the various services that take it on themselves to block spam. Suddenly perfectly innocent users are getting emails bounced. Our server admins have to spend a considerable amount of time putting right the damage, delisting us, clearing space on the server, identifying and killing the worms, and generally getting everything running smoothly again. Even worse, phishing attacks risk the entire server being shut down by the ISP. Of course, we try to catch these events in the early stages (we usually become aware within minutes of an attack), before too much spam has been sent, or the server is badly affected, but it doesn't take long for a rogue script to send enough spam to get us blacklisted.

I've singled out Wordpress and Joomla here because these installations have caused more problems than probably any other software on our servers, but the same principle applies to any website management software you install on the server. If you don't keep it up to date, you risk becoming vulnerable to hacks. The longer any given software is out there, the more likely it is to be hacked, so this type of software is patched and updated frequently to keep it secure. If you ignore that little nagging button that invites you to install the latest update, it's as dangerous as not updating the firewall on your computer, but the consequences are more widespread. It affects every other person hosted on your server, not just your own computer.

So I'd like to close with a heartfelt plea from our Server Admins: If you have a hosting account, make sure you have a secure password, don't write it down somewhere obvious, and please, please, keep your software up to date!

About the Authors

Heather Nagey is Customer Services Manager for RunRev Ltd
