Most important security measure for a small business website

Discussion in 'Security' started by RawAthletics, Jul 10, 2009.

  1. #1
    If you had to choose one (or a handful) of things a small business website could do to prevent hacking, downtime, etc., what would you recommend?
     
    RawAthletics, Jul 10, 2009 IP
  2. pitagora

    #2
    An application firewall/IDS. Not the best way to get rid of problems (it has its downsides), but the least technical. For Apache I'd recommend mod_security since it's free and decent. For IIS, find a good commercial product.
     
    pitagora, Jul 12, 2009 IP
  3. awesometbn

    #3
    My vote is for mod_security if you are running Apache. Other things to consider . . .

    - review your web server logs each day or set up an automated alert based on pattern matching specific error messages; that way you can respond quickly when something or someone appears to be causing a problem

    - make regular backups of your data, keep the backup files at another location, and randomly restore an individual file to make sure the backups are valid

    - use SSL certificates (HTTPS) on form pages, even a shared SSL cert is better than nothing, otherwise everything is transmitted in cleartext for all to see, kind of like a postcard sent using snail mail

    - use JavaScript or PHP to sanitize all input fields, leave nothing to chance; if you are asking for numbers then actually check to be sure only numbers were typed in; you want to validate the data and make sure nothing else gets through like SQL injection, db commands, XSS, iframes, and so on

    - use SSH (jailed root, secure shell) to connect to your web server instead of FTP or telnet, otherwise everything you type could be intercepted by someone else on the network connection between you and the web server, for example passwords and other confidential data

    - talk to your web hosting company or use open source tools or contract out to a professional and scan your server, files, accounts, and database for vulnerabilities, then take those recommendations and apply the correct patches and updates

    - study up on .htaccess for Apache and use it in combination with a web application firewall like mod_security; a quick and common-sense method to halt a lot of attacks is to simply block all IP addresses of countries you do not intend to do business with, and only allow a specific range of IP addresses in the locations of your choice

    That's a handful, but there's more you can do. And the good news is a lot of your efforts could be free if you use the right software configurations. It would only require your time and patience.
     
    awesometbn, Jul 12, 2009 IP
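The input-validation point in #3 (check that a numeric field really is numeric, and make sure nothing like SQL injection or XSS gets through), shown as an added example that was not posted in the thread. The product table, the `lookup_unsafe`/`lookup_safe` pair and the `render_comment` helper are all constructed for this illustration; the in-memory SQLite table stands in for the site's real database. The point is that validation alone is not the fix for SQL injection: the safe version validates the field and also binds it as a query parameter instead of pasting it into the SQL string.

```python
import html
import re
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# site's real product database (example data, not from the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "Shoes", 49.0), (2, "Gloves", 15.0), (3, "Unlisted item", 999.0)])
    return conn

def lookup_unsafe(conn, product_id):
    """VULNERABLE: the form field is pasted straight into the SQL text."""
    sql = "SELECT name FROM products WHERE id = " + product_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

NUMERIC = re.compile(r"[0-9]{1,9}")

def lookup_safe(conn, product_id):
    """HARDENED: validate that the field really is a number, then bind it as a parameter."""
    if not NUMERIC.fullmatch(product_id):
        raise ValueError("product id must be numeric")
    rows = conn.execute("SELECT name FROM products WHERE id = ? ORDER BY id",
                        (int(product_id),))
    return [row[0] for row in rows]

def render_comment(text):
    """Escape user text before placing it in HTML so a submitted <script> or
    <iframe> tag is displayed literally instead of being executed."""
    return html.escape(text)

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "2 OR 1=1"))   # the injected condition dumps every row
    print(lookup_safe(db, "2"))
    print(render_comment('<iframe src="http://evil.example/">'))
```

With the unsafe version, a product id of `2 OR 1=1` returns every row including the unlisted one; the safe version refuses the same input before it ever reaches the database, and the parameter binding would protect it even if the regex were loosened later.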
  4. Dixie

    #4
    Hire someone to audit your website; if you don't know what you're doing, you will probably get hacked.
     
    Dixie, Jul 16, 2009 IP
  5. RectangleMan

    #5
    Hire a serious professional.
     
    RectangleMan, Jul 17, 2009 IP
  6. RawAthletics

    #6
    Any recommendations?
     
    RawAthletics, Jul 18, 2009 IP
  7. kevn

    #7
    Umm... if you need to secure your website's data from others, then you must go with some security software that will make your information private with a password, which will further prevent stealing or hacking. What do you say?
     
    kevn, Jul 23, 2009 IP
  8. kevn

    #8
    Well, I think I mentioned before how to secure your data from theft, but I didn't mention which software you should use: it's Desksense.com. You can either go to their website or search Google for it; you'll get it all :)
    Hope this info helps.
     
    kevn, Jul 29, 2009 IP
  9. RawAthletics

    #9
    Went to that site and just didn't understand it. I guess once I get everything up and running smoothly I'll probably have to hire someone to make sure everything is secure.
     
    RawAthletics, Aug 7, 2009 IP
  10. j4k3yyy

    #10
    Really depends on how your server's set up and what sort of attacks you're expecting.

    At a glance I'd go with the Hardened-PHP project (Suhosin patch), basic *nix administration (disabling unused services, setting SSH to use keys, etc.) and try to minimize the risk within the application (controlling user privileges, uploads, etc.).
     
    j4k3yyy, Aug 15, 2009 IP
  11. Steve Powers

    #11
    It depends. If you plan to host your server, you should only choose a trustworthy hosting provider. Then you just need someone to do daily maintenance. Of course, you can hire a competent person to manage the server if you don't want to host it yourself. Then you hand everything over to that person, but accordingly you should pay a high wage.
     
    Steve Powers, Aug 15, 2009 IP
  12. lauriejones

    #12
    - mod-security
    - never save credit card/financial information on your website
    - encrypt user passwords with a sha1/md5 salt
    - never use the same password
    - always check your scripts for vulnerability information from sites like milw0rm.com
    - use updated scripts
    - send backups every day/half day
    - try to use popular open source scripts (at least you've got friends if your site gets hacked :))
    - never collect your account passwords in one place in txt/xls/Google Docs
    - check access control for every path in your website
    - use strong passwords (8 characters long, a-zA-Z0-9&@*#&$^space)
    - change passwords every 6 months
    - use different email addresses for different things (1 for domain registration, 1 for hosting registration, 1 for family, 1 for PayPal)
    - use updated antivirus & antispyware
    - only use original software (usually crackers spread botnets on warez sites)
    - use a security policy for your organization/company (like only accepting doc/pdf/xls email attachments)
    - use a firewall to block every port from external access except port 80; never expose your mysql/db port to the public; if you need ports other than 80 and 443, use non-default port numbers (666 for SSH or 69 for ftp)
    - modify your scripts so they don't reveal script banners (remove "powered by" text, change apache/ftp banners, use modified URLs)
    - use SSL, SSH or SFTP
    - don't expose internal APIs to external users
    - use captcha / auto-ban on failed logins to prevent brute force
    - check that every input from users is properly sanitized
    - define correct procedures to handle problems/communication (prevent social engineering)
    - and a lot more :)
     
    lauriejones, Aug 20, 2009 IP
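The daily log review with pattern-matching alerts from #3 and the auto-ban-on-failed-login idea from #12, combined into one added example (my code, not something posted in the thread). It parses Apache combined-format lines, flags injection, XSS and directory-traversal probes in the URL-decoded request path, and raises a brute-force alert once a single IP has five failed logins inside five minutes. The log lines are constructed, and the `/login` path, the 401 status for a failed login, the signatures and the thresholds are all assumptions; a real deployment would read the site's actual access log and hand the `brute_force` alerts to whatever does the banning (a firewall rule, .htaccess deny, or mod_security).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache "combined" log format, the default for most Apache installs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Illustrative probe signatures, matched against the URL-decoded request path.
# Chosen for this example; not a complete ruleset.
ATTACK_PATTERNS = {
    "sqli": re.compile(r"(union\s+select|\bor\s+1=1|'\s*--)", re.I),
    "xss": re.compile(r"(<script|javascript:)", re.I),
    "traversal": re.compile(r"\.\./"),
}

LOGIN_PATH = "/login"                # assumed path of the site's login form
FAIL_STATUS = "401"                  # assumed status the app returns on a bad password
FAIL_THRESHOLD = 5                   # this many failures from one IP ...
FAIL_WINDOW = timedelta(minutes=5)   # ... inside this window raise one alert

def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = unquote(rec["path"])   # decode %20, %3C etc. before matching
    return rec

def scan(lines):
    """Return a list of (kind, ip, detail) alerts for the given log lines."""
    alerts = []
    recent_failures = defaultdict(deque)   # ip -> timestamps of recent login failures
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for kind, pattern in ATTACK_PATTERNS.items():
            if pattern.search(rec["path"]):
                alerts.append((kind, rec["ip"], rec["path"]))
        if (rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATH)
                and rec["status"] == FAIL_STATUS):
            q = recent_failures[rec["ip"]]
            q.append(rec["time"])
            while q and rec["time"] - q[0] > FAIL_WINDOW:   # forget failures outside the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:   # alert once, when the threshold is first reached
                alerts.append(("brute_force", rec["ip"],
                               f"{FAIL_THRESHOLD} failed logins within {FAIL_WINDOW}"))
    return alerts

# Constructed sample log (not real traffic): one injection probe, one XSS probe,
# one traversal probe, one honest typo on the login form, and one bot hammering it.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jul/2009:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jul/2009:10:00:09 +0000] "GET /products.php?id=1%20OR%201=1 HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jul/2009:10:00:30 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2009:10:01:00 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/7.19"
198.51.100.7 - - [12/Jul/2009:10:01:10 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/7.19"
198.51.100.7 - - [12/Jul/2009:10:01:20 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/7.19"
198.51.100.7 - - [12/Jul/2009:10:01:30 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/7.19"
198.51.100.7 - - [12/Jul/2009:10:01:40 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/7.19"
203.0.113.5 - - [12/Jul/2009:10:02:00 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jul/2009:10:03:00 +0000] "GET /download.php?f=../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Running it on the sample yields four alerts in log order: the SQL injection probe, the brute-force alert on the fifth failure from 198.51.100.7, the XSS probe and the traversal probe. The single 401 from 192.0.2.10 never reaches the threshold, which is the point of counting inside a time window rather than banning on the first failure.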
  13. the_wanderer

    #13
    1. Use strong passwords for your different accounts - make it a variation on a phrase; go crazy, use 10+ characters and mix it up with caps, numbers and punctuation.

    Do not reuse passwords between other sites and your web server.

    Do not reuse passwords between your hosting account and your content management login.


    It is likely that one of your accounts will be compromised some time, somewhere - if you have the same password everywhere - you have given away the keys to the kingdom.

    You may have a super secure server but if you visit a forum somewhere else and they get hit - and you have used the same password..... I think you get the picture.... ;)

    2. Have a reliable host. This will provide you with a good base level of security and of course your need for reliability / uptime.
     
    the_wanderer, Aug 21, 2009 IP
  14. GNetCoder

    #14
    The answer to the original question is really a book of details!

    I cannot agree more; if you are unsure of how to secure your website you should hire someone to audit it for you.
     
    GNetCoder, Aug 21, 2009 IP
  15. dpsubi1

    #15
    * take regular backup of your data and databases
    * Keep well secured admin usernames and passwords for your site (characters, numbers, symbols, and lengthy strings; applies to both username and password)
    * secured username and passwords for your cPanel, FTP, Emails, etc.
     
    dpsubi1, Aug 21, 2009 IP
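The password advice that runs through #12, #13 and #15 (a length and character-mix policy, and storing user passwords salted and hashed rather than in the clear), as one added example that nobody in the thread posted. `check_strength` enforces a policy built from those posts; the 10-character minimum is an assumption taken from #13. `hash_password` and `verify_password` store a per-user random salt alongside an iterated hash (PBKDF2 from Python's standard library, used here as an example of a salted, iterated scheme) and compare in constant time; the iteration count and the storage string layout are choices made for this example, not something from the thread.

```python
import hashlib
import hmac
import os
import string

# Policy assembled from the thread: at least 8 characters (#12), better 10+ (#13),
# mixing caps, lowercase, numbers and punctuation.  MIN_LENGTH is an assumption.
MIN_LENGTH = 10
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

def check_strength(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    chars = set(password)
    for name, members in CLASSES.items():
        if not chars & members:
            problems.append(f"no {name} character")
    return problems

ITERATIONS = 200_000   # assumed work factor; raise it as hardware gets faster

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' using a fresh random salt.

    The salt makes two users with the same password get different stored values,
    so a leaked table cannot be attacked with one precomputed lookup for all rows.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and compare."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    # constant-time compare so timing does not reveal how many bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    print(check_strength("password"))
    stored = hash_password("Correct horse 42!")
    print(stored)
    print(verify_password("Correct horse 42!", stored), verify_password("wrong", stored))
```

Because the salt is random, hashing the same password twice gives two different stored strings, and only `verify_password` (which reads the salt back out of the stored value) can confirm a match.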