I work for a web hosting company and one of the biggest issues we run into over and over again is customers who have their website (or their contact form) exploited by somebody. The exploiter defaces their site, uploads pages for a phishing scam to their server or uses the scripts on the server to send out massive amounts of spam. Eventually, the account or server gets suspended and the customer comes back saying that they did nothing and asking how come their server was shut down.
They are right, of course. They did nothing. That was part of the problem :) These days, when you host a site online, just putting up the pages (or uploading the scripts for the application framework that you’re using) and sitting back is not enough. You have to be ever vigilant if you don’t want some scumbag using your site to do something that you didn’t want. So let’s take the various aspects of site safety and consider what you can do to ensure that your site doesn’t fall prey to one of these attackers.
First off on the list is your standard contact form. Most people think that a contact form is safe as long as there is no place to enter the To: address. So they download any old contact form written in PHP, configure it, customize it and upload it to their server, safe in the certainty that the people using the form can only enter their own e-mail address and a brief message. However, what they don’t know is that if the contact form script does not do the proper validations, somebody can easily insert a ton of e-mail addresses into the message body itself and send out spam from your own server. This has resulted in many a legitimate IP getting blacklisted. This exploit is known as “Email Injection” and while I could probably go into details about how to do this kind of thing, I think it might be safer not to explain the methodology :) If you are writing your own contact form script, do some research into e-mail injection techniques and how you can prevent your script from falling victim to such an attack.
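As an added example (not code from the original post), here is a minimal PHP contact-form handler hardened against e-mail injection: every value that ends up on a header line must be a single line and a single valid address. The field names, the destination address and the fixed From address are assumptions.

```php
<?php
// Added example, not from the original post: a contact-form handler that
// refuses header injection before anything reaches mail().
// Assumptions: the form posts "email", "subject" and "message"; the
// destination address is hard-coded and never taken from the request.

const CONTACT_TO = 'owner@example.com'; // placeholder destination address

// Header injection relies on smuggling a line break into a value that is
// placed on a header line, so any CR or LF in such a value is rejected.
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

function validate_contact(array $post): array
{
    $errors  = [];
    $email   = trim($post['email'] ?? '');
    $subject = trim($post['subject'] ?? '');
    $message = $post['message'] ?? '';

    // Exactly one RFC-shaped address; a comma-separated list fails this check.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid sender address';
    }
    // Anything destined for a header line must be exactly one line.
    foreach (['email' => $email, 'subject' => $subject] as $field => $value) {
        if (has_line_break($value)) {
            $errors[] = "line break in $field";
        }
    }
    if ($message === '' || strlen($message) > 5000) {
        $errors[] = 'message empty or too long';
    }
    return [$errors, $email, $subject, $message];
}

[$errors, $email, $subject, $message] = validate_contact($_POST);
if ($errors) {
    http_response_code(400);
    exit('Rejected: ' . implode('; ', $errors));
}

// The visitor's address goes in Reply-To; From stays a fixed local address
// (assumed here) so the hosting domain's own mail policy is not broken.
$headers = "From: contact-form@example.com\r\nReply-To: $email";
mail(CONTACT_TO, '[Contact] ' . $subject, $message, $headers);
```

Logging the rejected submissions (without the message body) gives you an early warning that somebody is probing the form.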
The next item on the list is script updates. Most web hosting services provide their customers with an easy way to install scripts such as WordPress, phpBB, Mambo etc. Most users, when presented with a one click install option, usually take advantage of these script install services. The problem is that most users either forget all about the installation or think that once the script is installed, that it somehow becomes self-maintaining :p This is where the trouble starts.
Most web applications are dynamic entities. People start using them and then somebody discovers a flaw or security hole. The developer tries to find a solution to the issue and comes out with a new version or a patch. If you simply install something and forget all about it, you will find that your application is soon out of date and that your server is vulnerable to an attack by a malicious individual, because your brand spanking new installation of WordPress (or Movable Type or Mambo or whatever) is now full of security holes that you did not patch by keeping up with the updates.
Depending on how popular a script or application is, sometimes there will be a string of exploits and patches. While it might be troublesome to keep updating the stuff, you might find that it is more trouble to try to recover your data or to do damage control once somebody has hacked your server. Some application developers try to be proactive and let their users know when a security vulnerability is discovered or when a patch to a security issue is released. Some just depend on the user to visit their website often enough to know when something important happens. The bottom-line is that it is up to you to make sure that your server is secure. Nobody else is going to do it for you. So make sure that you keep up with the latest news about the scripts/applications that you install on your server and if there is a known vulnerability, update as fast as you can. If they keep finding new exploits in your favourite web app, you might want to consider switching to an alternative which might be a lot less hassle to upgrade and is hopefully more secure.
Depending on the level of access you have to your web server, there are a few other things that you can do to ensure that your site is safe – like using secure passwords and not using 1111 or 12345 as your password :p But basically, if you watch out for the above two issues, you should be fairly safe and worry-free online.
August 12th, 2008 at 1:47 pm
Do you know of a service / script / testing app that tries to hack an installed website (contact) form? This way I can check if it is secure … I mean, it should be something like a virus scanner, implementing all known methods spammers use to detect if they can use a form for their actions. At this moment I’m implementing SwiftMailer, a free PHP class.