When it comes to blogs and websites security, it's not always your programmer's mistake (though most of time it is), sometimes it's yours; and it's doubled when you are your own programmer.
Wordpress, Drupal and other platforms installations are secure but common mistakes come from the publisher's level, especially when you are a journalist on the fly publisher.
Considering security in general, it is a trade of Usability and Functionality. Too much ease-of-use and functionality kills security, where too much security kills them both.
You don't know your enemies, nor their skills, nor their resources; hacking techniques became so easy that unexperienced kids can hack you within 3 clicks - occasionally, hackers are hired to unethically hack other people, others hack just because they can. Are you afraid? 'guess you are or else you wouldn't have been reading this.
On the other hand, human hackers are not the ones who only attack you, Gauss White is a typical cyberespionnage example that targeted the Lebanese banking sector back in August 2012.
Here are the commonly met security mistakes/misconfiguration
1: You use FTP
It is the most common mistake webmasters commit and teach bloggers to use. FTP is a communication protocol that transmits your username and password in clear text => you password can be seen by hackers.
Hackers in your local network and coffee shops, hackers who break into your internet providers, your internet provider's IT, and network administrators at your company can easily see your passwords flying around as shows the WireShark screenshot below:
Fix (Level=Intermediate): Use FTPs or sFTP, it still works with FileZilla. This will encrypt your file upload and autentication password whenever logging in.
If sFTP is not enabled at your webserver ask for the hosting support's help - A webhosting that doesn't provide secure FTP doesn't care about your security and you should definitely migrate.
(don't forget to change your previously used FTP passwords)
2: You publish from coffee shops and shared networks
I have seen news reporters updating their blog from Starbucks and this is bad!
"Hey, I'm gonna hack you" is the sentence you'll never hear from a hacker. Hackers don't show their work and if you were browsing from a Coffee Shop, it becomes easy to transit your traffic through them using `man in the middle attack` and `sniff` your unencrypted traffic.
Hacking tools are evolving and reached smart phones platforms; DroidSheep and Pirni are best examples for Android and IOS packet sniffers. This is how your passwords look like from DroidSheep for Android from a coffee shop.
Fact: Droidsheep usually takes over the session, and gives you access to whatever you catch, but doesn't give out passwords
Fix (Level=Easy): Don't login to your blog from coffee shops or untrusted workstations.
3: You don't use encrypted channels to manage your content
#1 and #2 continued: HTTP is as weak as FTP; HTTP an unsecured protocol developed at the same level of awareness that created FTP. They are old and hacking wasn't taken into account at their time of conception.
Here is how your password looks like when you login without encryption:
Here is how your password looks like when you login without encryption:
Fix (Level=Easy): Always force HTTPs usage to login to administation panel, if HTTPs is not there ask your web hosting to provide it.
Self signed certificate are free and help you implement HTTPs, they are not authentic but will do the required job.
4: Your blog installation is not regularly updated
Security issues are discovered and fixed on daily basis and updating your modules/plugins is needed to defend against mass exploitation.
Fix (Level=Easy to Intermediate): Subscribe to your CMS mailing list for security bugs, and manually update your Wordpress/Drupal regularly with their Plugins and Modules.
Wordpress update: http://www.siteground.com/tutorials/wordpress/auto-update.htm
Drupal update: http://www.acquia.com/blog/updating-modules-and-themes-drupal-7
Drupal update: http://www.acquia.com/blog/updating-modules-and-themes-drupal-7
5: You don't backup your website
Depending on your usage rate, you might lose your contents if you don't regularly fully back up your site (database and files)
Fix (Level=Intermediate): Take a copy of your database and files - make sure the backup really works
6: You backup files on publically accessible directories
Backup files and database might contain your passwords in addition to other private information that eases access to unwanted pages of your blog. Keep only your needed files. (leaving index.php.old, database.db, mysite.zip is a bad habit)
Fix (Level=Easy): Download your backup files and delete them immediately from your server.
7: You leave your backups on the same server on the hosted blog
Presence of your backup files on the same server nullifies the backup concept, if your server got hacked - you will lose both the live and the backup data. In addition, those files if accessed by hackers might harm the security of your website.
Fix (Level=Easy): Download your backup files and delete them from the server.
8: You don't test your backups
If the backup process works doens't mean restoring data will surely do. Sometimes database dumps are not complete or hard to import, same for website files.
Fix (Level=Easy, costs time): Keep a local test environment to test your backups each time you execute one.
9: You save (s)FTP accounts in your client repository
Some (s)FTP clients store passwords unencrypted and in an easilly accessible manner (e.g.: exploring FileZilla sites.xml)
Fix (Level=Easy): Memorize your passwords don't save them anywhere (unless in a password vault)
10: You rely on security by obscurity
Security by obscurity is the act of hiding files and data considering they won't be discovered by anyone else but you.
Fix (Level=Easy): If you want to hide files, make sure they are not accessible or else delete them.
11: You don't logout when done editing
If your session was stolen while editing your blog, hackers may still be able to reuse it even if you completly closed your browser or simply the tab.
Fix (Level=Easy): Just click logout, it will kill your session to never be used again and btw, avoid the keep me logged in flag.
12: You save your password in the browser for future sluggish logins
We are all lazy by nature and browsers often tend to help us filling password fields whenever needed. This in not magic, passwords are stored somewhere out there - your computer whenever accessed, all your saved passwords can be easily accessed by a simple path typed in the URL bar, as seen below for Mozilla Firefox and Google Chrome.
In Chrome, just type in the url: chrome://settings/passwords
Fix (Level=Easy): Do not save passwords in your browser, in case you insist protect your browser's saved password by a password to prevent easy unauthorized access.
13: You keep the default predictable login URL to login for regular and administrator panel (/wp-admin and /wp-login.php)
Why giving hackers the easy way to login as administrator or the option to brute force your password? This task should be the hardest since a successful login as administrator give them full controls over the contents.
14: You use Weak/Predictable passwords
"Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess" - XKCD
In addition, weak passwords such as "password,jesus,P@ssw0rd,12345...) are still used in this life, if you love your blog you wouldn't have put a simple password.
Fix (Level=Easy): Use complex passwords, longer is better in a way that can be memorized (e.g.: . Don't write it down on paper unless it will stored in a safe.
15: You reveal your login username in blog posts
Username disclosed as shown below:
Fix (Level=Intermediate): Do not disclose the username you use for login it might be used for brute force password, show a different user related value such as nickname or full name - remember our main goal is to make hackers' life harder.
16: You use your publically known email for password reset
If your login form was well protected, attackers might rely on workarounds to break into your blog such as your email to reset your password.
Fix (Level=Easy): Use an unknown email for password reset
17: Your login forms are susceptible to brute force attacks:
Brute force is the act of using all possible solutions to guess a certain password.
Fix (Level=Intermediate): Use a strong captcha (such as re-captcha) to shield against those attacks.
18: You never check your logs
Most of the time logs are left unchecked. They might reveal alot about your blog status such as failed logins, failed request...
Fix (Level=Easy): Perpetually check your logs at least every other day.
19: You allow user creation
User creation is sometimes left allowed where new unexpected blogposts pop up.
Fix (Level=Easy): Make sure user creation is disabled or needs administrator approval to become active.
20: You are using unsupported plugins and modules
When modules become unsupported means that there won't be any security fix whenever a vulnerability in the code was discovered.
Fix (Level=Easy): Perpetually check for
21: You don't enable cache on the server
Caching is the act of temporarily storing your rendered pages instead of rendering them for each request. This costs time and processing and helps hackers when it comes to DoS and DDoS.
Fix (Level=Easy): Enable cache for unauthenticated users.
22: You keep unused plugins and modules
Keeping unneeded plugins widens the attack surface whenever a plugin/modules was discovered to be vulnerable.
Fix (Level=Easy): Perpetually check your plugin usage and disable unneeded ones.
23: You downloaded your (s)FTP client from non legitimate sources
Here are some news from January 2014 reporting about a malformed FileZilla installation that steals connection details such as FTP passwords. https://blog.avast.com/2014/01/27/malformed-filezilla-ftp-client-with-login-stealer/
Fix (Level=Easy): Always download your FTP clients from legitimate sources
24: Don't panic
Being hacked is scary but remains a residual risk, EC Council (a world leader in IT security courses and ethical hacking) got hacked 3 times the last month, it shows that anybody can get hacked; remember when somebody p0wns your blog in the back, keep calm, relax and react accordingly but don't panic. You know where your logs are, where to reset all your passwords and trace back to the holes hackers used to penetrate you and close the heck down of them - learn to prevent.
Leave a comment!