I have seen a thread here: http://forums.digitalpoint.com/showthread.php?t=2119260 in this thread the OP's site got hacked! Well, I am a security specialist and I have the following points for everyone here:
** Keep your web application software updated (it's not just for WordPress, it's for all)
** Keep them patched (whenever web application vendors track a bug, they issue a patch, so make sure that your site is patched)
** Always use strong passwords (combination of letters + numbers + special characters)
** Keep an eye on your server logs (once a month/week, whenever you find some extra time)
** Change your passwords once in a while (don't keep on using the same password for years and years); most of us do this!
** Don't use common/easy to guess passwords for email/banking/financial websites
** Use a firewall (software) to make sure that no unwanted data is going in/out of your system without your permission
** Always update your antivirus software & run scans to make sure that your system is not infected with malware/spyware/other unwanted malicious programs
** Don't download pirated software (because most of them are bound with a Trojan/stealer)
** Don't save your passwords in browsers like IE, Firefox, Opera etc. (there are many password stealers out there that will easily steal passwords saved by browsers in common Windows locations)
Just keep these simple things in mind and you will be safe!
If you have shared hosting, learn about .htaccess; it can be very powerful and helpful. If you have a VPS or dedicated server you had better take the time to learn about your OS, control panel, firewall, etc. and as much security as you can consume on a regular basis, or be willing to hire someone you can trust that knows how to do it for you.
"will be SAFER.*" Storing passwords is not insecure as long as you keep them on a keyring, as they are encrypted. If a program just steals passwords from the Firefox/IE backend it's a stupid program; when people have not stored their passwords they have to type them in every 5 seconds, and guess what, if a program can steal pwds it can definitely key log. It's not about just having shitty security software, it's about trying to understand how it works. If a person doesn't understand the basic fundamentals of a firewall they may as well not have one. Good advice SSC, people need to know how to stay safe as it affects everyone like an ecosystem; if people understood more about computer security botnets would be smaller = less spam, less fraud, less malware.
If passwords are stored then there is a stealer to take them out. If you have to type it every time then again there is a danger of getting key-logged. So, the solution would be: start using firewalls, and keep an eye on incoming/outgoing traffic.
LOL you have no idea what you are talking about; how will you take my passwords that are stored in an encrypted keychain.... (DSA 1024 encryption)? Keylogs will send outgoing and can just bind to a normal port, and with process injection the firewall has no idea. You expect people who have 100 unique passwords to remember every one?
This whole thing was about using browsers to remember passwords. I know that by using process injection firewalls can be fooled, but again, only if the attacker is using process injection; what if he is not? And as per my knowledge you can't encrypt those passwords which are saved by browsers through DSA 1024 or any other encryption. Can you?
Also don't forget your main files, e.g. config.php, where your database information is held: keep these files at 744.
Files with juicy information, e.g. config.php/repair settings etc., already have read-only access unless we make them 777 (read, write, execute). Most of the time we need to edit/change file permissions while installing modifications; it would be great to put them back to read-only once the work has been done. Read-only permission makes sure that nobody can edit/change the important file.
Do you have a list of webhosts that are hack prone? I suspect my site was hacked because of folders created in my root, but I didn't create that folder..
I am afraid that no such 'Hack Proof' host exists on the planet! I have heard about DDoS proof hosting, but that's another thing. So you think it's your hosting's fault? Maybe those folders were created by the hacker?
Just to clarify, one of the posts above mentioned keeping files at 744? No. Folders should be at 755 and files at 644. Oftentimes config files can be at 444 or 400, which is even better. Also, if you're using Joomla, subscribe to their Vulnerable Extensions list and check your plugins/extensions against that. I don't know if any other systems have that, but if they do, and you're using that system, subscribe to it. We see a lot of website infections due to vulnerable plugins, extensions, themes, etc.
I doubt it; it depends on the scenario, & what you have pointed out can't be held true in all cases:
744: Only you can read, write to, or execute; everybody can read
755: Only you can read, write to, or execute; everybody can read and execute (so it depends whether you need to give execute permission to everyone or not)
644: Only you can read and write; everybody can read only! (in this case you can't even execute your own file, so do it only if you are sure what you are doing)
That's a good include... Good job!
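Added example, not from any poster in this thread: a small shell audit of the 755/644/444 baseline discussed in the last few posts. It assumes GNU find and stat (Linux) and that the sensitive file is named config.php; both are assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example for this thread's permission advice (not a poster's script).
# Assumes GNU find/stat (Linux). The sensitive file name is assumed: config.php.
CONFIG_NAME="${CONFIG_NAME:-config.php}"

# Octal permission bits of a path, e.g. 644.
mode_of() {
    stat -c '%a' "$1"
}

# Print "mode path" for every path under $1 that group or "everybody" can
# write to (any of the bits 022 set, e.g. 777 or 666). Empty output = clean.
list_writable_by_others() {
    find "$1" -perm /022 -printf '%m %p\n'
}

# Check each config.php under $1 against the read-only modes recommended
# above (644, 444 or 400). Returns 1 if any config file is looser than that.
check_config() {
    status=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        m=$(mode_of "$f")
        case "$m" in
            644|444|400) printf 'ok  %s %s\n' "$m" "$f" ;;
            *)           printf 'BAD %s %s\n' "$m" "$f"; status=1 ;;
        esac
    done <<EOF
$(find "$1" -type f -name "$CONFIG_NAME")
EOF
    return "$status"
}

# Apply the baseline from the thread: directories 755, files 644, and
# config.php read-only for everyone (444). chmod 644 again when you must edit it.
harden_webroot() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type f -name "$CONFIG_NAME" -exec chmod 444 {} +
}

# Usage: sh webperms.sh /var/www/site   (audit only; call harden_webroot yourself)
if [ $# -ge 1 ]; then
    list_writable_by_others "$1"
    check_config "$1"
fi
```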