Site hacked ~ Check your Google cache NOW!

Discussion in 'Site & Server Administration' started by SEbasic, Feb 8, 2006.

  1. mikmik

    mikmik Guest

    #121
    Get all customer transactions SSL (https) for sure. Make all input forms secure through captcha, submission limits, strict validation - client side AND then server side.
    Make anonymous posting or commenting unavailable.

    There is no way to say anything is 100% secure.

    To tell you the truth, I feel exposed even using FTP or any SFTP. That is a weak point that is probably easiest to exploit because keyloggers or anything can get stuff from your own computer way easier than hacking a well secured site, for sure.

    But for the most part, I would say that a major responsibility for site security rests with your host and there isn't much you can do about that.

    I am just presenting this stuff for discussion, I guess, because I have just recently started learning about forms and PHP security, LOL

    Here is one I looked at on sitepoint: Top 7 PHP Security Blunders
    and also: Toughen Forms' Security with an Image

    There are lots of good articles in this devshed search:
    http://www.igrep.com/search.php?searchphrase=security&ds=on

    I think you have to be very careful with AJAX. You have to throttle the ability of someone (or something) to make repeated HTTP requests that can overload a server (not so likely, but it is possible).

    Lastly, I found this a couple of weeks ago called Bad Behavior when looking for WordPress security.
    I haven't installed it anywhere, but it looks very simple - you just put a PHP include into any PHP pages you want to protect, and it is designed for PHP in general, not just WP.
    It is an ongoing project and they are keeping on top of things, however it is not perfect.
    It is, however, an excellent look at many different ways to protect your site by analyzing HTTP requests.

    Mostly, make chmod permission tight, use .htaccess to protect directories and pages, and secure your forms!!

    Just remembered: It is great if you can put server-side scripts into a directory above your root so that no matter what, they cannot be accessed directly. I don't know how they do it, but I have heard about crackers being able to read your PHP code. They can't get at it through a web browser if it is outside of the 'html', 'public_html', 'htdocs' or whatever your root folder is called.
     
    mikmik, Feb 13, 2006 IP
    minstrel likes this.
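    The server-side validation and submission limiting recommended in the post above, as an added example (not code from the thread or from any project it mentions). It assumes PHP 7.4 or later; the throttle file path is hypothetical and in production should sit outside the document root, as the post suggests for server-side files.

```php
<?php
// Added example (not code from the thread): server-side validation plus a
// per-client submission limit for a contact form. Assumptions: PHP >= 7.4;
// THROTTLE_FILE is a hypothetical path (use one outside the document root).

define('THROTTLE_FILE', sys_get_temp_dir() . '/form_throttle.json');
const MAX_PER_WINDOW = 5;    // submissions allowed per client...
const WINDOW_SECONDS = 600;  // ...within this many seconds

// Returns error messages (empty = acceptable); runs server-side regardless of client checks.
function validate_contact(array $in): array {
    $errors  = [];
    $name    = trim($in['name'] ?? '');
    $email   = trim($in['email'] ?? '');
    $message = trim($in['message'] ?? '');
    if ($name === '' || mb_strlen($name) > 80 || !preg_match("/^[\p{L}\p{M} .'-]+$/u", $name)) {
        $errors[] = 'name: 1-80 letters, spaces, dots, apostrophes or hyphens';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {   // also rejects CR/LF
        $errors[] = 'email: not a valid address';
    }
    if ($message === '' || mb_strlen($message) > 2000) {
        $errors[] = 'message: 1-2000 characters';
    }
    return $errors;
}

// Records one attempt for $client and reports whether it is still within the limit.
function allow_submission(string $client, int $now): bool {
    $state   = is_file(THROTTLE_FILE) ? (json_decode((string) file_get_contents(THROTTLE_FILE), true) ?: []) : [];
    $recent  = array_filter($state[$client] ?? [], fn ($t) => $t > $now - WINDOW_SECONDS);
    $allowed = count($recent) < MAX_PER_WINDOW;
    if ($allowed) {
        $recent[] = $now;
    }
    $state[$client] = array_values($recent);
    file_put_contents(THROTTLE_FILE, json_encode($state), LOCK_EX);
    return $allowed;
}

// Handler usage with a constructed request; this email fails validation.
$errors = validate_contact(['name' => 'Ada Lovelace', 'email' => "ada@example.com\r\nx", 'message' => 'Hi']);
if ($errors) {
    http_response_code(400);
    exit(implode("\n", $errors) . "\n");
}
if (!allow_submission($_SERVER['REMOTE_ADDR'] ?? '203.0.113.7', time())) {
    http_response_code(429);
    exit("Too many submissions, try again later\n");
}
```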
  2. mad4

    mad4 Peon

    #122
    Just came across this thread and it is certainly worrying for all webmasters.

    I always steer clear of a CMS for important sites so consider myself slightly less at risk (although I use phpMyAdmin so maybe not). I remember the Turkish hacker thing with forums where the owner had not installed the latest update.

    This thread does remind me that shawn was going to write a more efficient blogging software to beat WP - hopefully this may be a more secure version as well?
     
    mad4, Feb 16, 2006 IP
  3. SEbasic

    SEbasic Peon

    #123
    As has been mentioned previously, I'm pretty confident that it was a security flaw in CubeCart, although I would love Shawn to knock a decent blogging app together...
     
    SEbasic, Feb 16, 2006 IP
  4. southplatte

    southplatte Peon

    #124
    In my experience, if you put phpMyAdmin in a password-protected directory, using .htaccess or another method, and then make it accessible only via an SSL connection, it helps block any attempts at it, as your credentials are then encrypted on login and the data you read/write is as well.
     
    southplatte, Feb 16, 2006 IP
  5. mad4

    mad4 Peon

    #125
    I had it set up in domain.com/phpmyadmin on one site; that is now changed to a random URL.

    A load of sites can be hacked at domain.com/admin, as tops30 said; changing file names is a good extra level of security.

    It's the same as the amount of sites where you can visit domain.com/stats and see the stats!
     
    mad4, Feb 16, 2006 IP
  6. southplatte

    southplatte Peon

    #126
    Mad brings up a good point on the /admin folder.

    If it redirected automatically to an SSL connection on a non-standard port, it should be fine.

    Same with the stats directory, and the bad thing is in the case of Awstats (and others) that may have a vulnerability, that will open up the entire server as well.
     
    southplatte, Feb 16, 2006 IP
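    The three posts above all come down to the same control: an admin or phpMyAdmin directory reachable only over SSL and only with credentials. As an added example (not code from the thread or from phpMyAdmin), this PHP include enforces both from the application side, in the "one include per protected page" style mikmik described earlier; PHP 7.4+, the host, paths and realm are assumptions, and PHP_AUTH_USER/PHP_AUTH_PW being populated assumes PHP runs as an Apache module.

```php
<?php
// Added example (not code from the thread): gate an admin or phpMyAdmin-style
// directory from PHP: require HTTPS, then HTTP Basic auth checked against a
// password hash stored outside the document root. Add
//   require '/path/above/root/admin_gate.php';
// at the top of each protected page. Assumptions: PHP >= 7.4; SITE_HOST,
// ADMIN_CRED_FILE and AUTH_REALM are hypothetical; Apache (mod_php) fills
// PHP_AUTH_USER / PHP_AUTH_PW from the Authorization header.

const SITE_HOST       = 'www.example.com';                       // hypothetical
const ADMIN_CRED_FILE = __DIR__ . '/../private/admin_cred.php';  // hypothetical
const AUTH_REALM      = 'Site administration';
// admin_cred.php is created once, outside the web root, and returns
//   ['user' => 'admin', 'hash' => password_hash('<secret>', PASSWORD_DEFAULT)]

function is_https(array $server): bool {
    // Behind a TLS-terminating proxy you would check its forwarded-proto
    // header instead, but only if that proxy is yours.
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

// Redirect target built from the configured host, not the request's Host header.
function https_url(array $server): string {
    return 'https://' . SITE_HOST . ($server['REQUEST_URI'] ?? '/');
}

// True only when both parts match; hash_equals and password_verify are constant-time.
function credentials_ok(?string $user, ?string $pass, array $cred): bool {
    return $user !== null && $pass !== null
        && hash_equals($cred['user'], $user) && password_verify($pass, $cred['hash']);
}

if (PHP_SAPI !== 'cli') {                       // skip the gate when run from the shell
    if (!is_https($_SERVER)) {
        header('Location: ' . https_url($_SERVER), true, 302);
        exit;
    }
    $cred = require ADMIN_CRED_FILE;
    if (!credentials_ok($_SERVER['PHP_AUTH_USER'] ?? null, $_SERVER['PHP_AUTH_PW'] ?? null, $cred)) {
        header('WWW-Authenticate: Basic realm="' . AUTH_REALM . '"');
        http_response_code(401);
        exit('Authentication required');
    }
    header('Cache-Control: no-store');          // keep admin pages out of shared caches
}
```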
  7. natsirtm

    natsirtm Active Member

    #127
    Is there an easy way to add Googlebot to the User Agent Switcher? Will just creating a new user agent work?
     
    natsirtm, May 12, 2006 IP
  8. subseo

    subseo Guest

    #128
    Go to Tools/User Agent Switcher/Options/Options, switch to the User Agents tab, and fill in:
    Description: Googlebot
    User agent: Googlebot/2.1 (http://www.googlebot.com/bot.html)

    Not sure right now if that's completely correct but that's how it worked for me.
     
    subseo, May 12, 2006 IP
  9. plumsauce

    plumsauce Peon

    #129
    Otherwise known as COB, Cost of Business.

    That's why banks have sysadmins.
     
    plumsauce, May 13, 2006 IP
  10. smokey99

    smokey99 Well-Known Member

    #130
    I am clueless when it comes to server issues, but I am concerned, because a while ago I noticed a file in my root I had never seen (or maybe just never noticed before).
    The file is named phpinfo.php. None of my other sites have this file in the root.
    Is this something to be concerned about?
    Probably has nothing to do with the issues being discussed, but I am not sure.

    Sorry, I am technically challenged when it comes to server issues, so I thought I would ask you experts.
    Thanks for any advice
    Scott
     
    smokey99, May 17, 2006 IP
  11. minstrel

    minstrel Illustrious Member

    #131
    That's likely a utility to check for what PHP version is on the server.

    Open the file. It should look like this:

    <?php
    phpinfo();
    ?>
    It may be there because you have a forum or directory script installed on the site. If not, what PHP scripts or software are you using?

    Alternatively, did you purchase this domain from someone else?

    If none of the above applies, I suppose it's possible that someone put it there to look for an old PHP version to exploit, but if they could get that far I'd expect you'd see other evidence of trespassing.
     
    minstrel, May 17, 2006 IP
  12. smokey99

    smokey99 Well-Known Member

    #132
    Thanks for the reply Minstrel.
    The file seems to be a status report for everything to do with PHP.
    I may have installed this earlier when considering installing a forum.

    Good catch, thanks
     
    smokey99, May 18, 2006 IP