Stop getting hacked 101
Hacking is on the increase. Whether they are making a political statement in response to government policies, redirecting your visitors to an affiliate website or just hacking you because they can its time to learn how they do it and what to do about it.
If your website doesn’t rewrite its urls then it will probably end in something like:
Urls’s like this are prone to SQL injection if you don’t validate the value of id on your page. If the variable id is only ever a number then you should make sure that it is a number before it hits your database.
Try adding this to your code:
$id = mysql_real_escape_string($_GET[“id”]);
The code “mysql_real_escape_string” will add backslashes to any characters that may be attempting to inject code into your web page. You will need a connection to a database to be active before running this code. For PHP versions 5.5 and above use: “mysqli_real_escape_string”,
Use this code for any variable passed to a page for processing including form variables, querystrings and session variables.
The secondary check validates the input to see if its numeric and then kills the page if it isn’t.
Easy to guess FTP password
Hackers have developed a number of tools that use words from dictionaries and commonly used phrases to guess your FTP password. These are done automatically by banks of infected computers. Once they get the right combination they are in and can not only get access to your website files but subsequently your database, hosting package and private files.
Choose a username and password combination that included Capital letters, numeric and non-alphanumeric character such as: T@234hrt/£ which makes guessing or generating this password almost impossible.
Unprotected Admin/CMS system
Ensure your website CMS is not public facing and hasn’t been indexed by Google. Use robots.txt to ensure the latter. Your admin system should employ a MD5 encryption which in itself is not bulletproof but is substantially better than a plain text password.
An additional security measure is to use a htaccess file to secure your admin folder with an additional username and password before even getting to see the login page. Again choose a difficult to guess username and password.
Been hacked? Check out our checklist of what to do next
- Find the source of infection! Has the site’s database been hacked or has code been added to the page?
- Remove the infection by cleansing the database of the infected code or backup from your last good copy
- Change your FTP and database passwords
- Change the username and password to your CMS
- Check your website logs to see if there is any references to the code that was injected and the page that was exploited
- If your site is hacked again order a security audit from a reputable company or call us on 0161 881 9711