The following is a guest post by StopTheHacker, a provider of website security services and a StopBadware Partner. Members from StopTheHacker are also active participants on StopBadware's community forum, BadwareBusters.org. They, and other experts on the forum, give webmasters advice on finding and getting rid of badware on websites that have been compromised.
Author: Anirban Banerjee, Co-founder at StopTheHacker
Contributor: Oliver Bock, Marketing Director at StopTheHacker
Thousands of websites are blacklisted on a daily basis. Many of these blacklisted websites are legitimate businesses, online portals, academic sites, entertainment outlets and more. The blacklisting often occurs as a result of the sites getting hacked and having malicious code injected without the permission of the websites' owners. In this article we provide some best practices to help website owners stay safe and stay off blacklists—like Google's Safe Browsing blacklist.
Why do sites end up on blacklists?
Malicious hackers and automated bots infect websites with malicious computer code (i.e., web malware). Security companies, search engines, browser manufacturers, and others will prevent or deter users from visiting these compromised sites in order to protect those sites' visitors. Hacked websites may also be used to launch spam and phishing campaigns. For example, a compromised site might try to convince Internet users to visit a fake banking page, buy pharmaceuticals, or something similar. This can cause sites to be blacklisted, too.
How do sites get hacked?
Websites can get hacked and compromised in many ways. Below are some of the primary methods.
- Poor choice of passwords. A lot of website owners use simple passwords. In a 2011 large-scale password analysis study, "123456" was found to be one of the most common passwords used. Choosing weak passwords leaves webmasters vulnerable to brute force attacks, where criminals try to log in using tools that try every easy-to-guess password.
- Insecure FTP connections. Many sites are infected after the FTP password and username are sniffed by a silent Trojan/rootkit that has been installed on the computer of a website administrator. Once a username and password are obtained, they're automatically passed on to a master controller (e.g., through an IRC chat room). This malicious actor accesses the website and infects the site with malware.
- Web application vulnerabilities. A lot of websites use Web 2.0 functionality in order to create a rich experience for users. This functionality takes many forms: posting comments (on blogs or Facebook, for example), signing up for newsletters, filling out support forms, and live chatting with others, to name a few. The applications that make these rich functionalities possible can all be avenues for malicious code injection, especially if they are not kept up to date.
- Third party add-ons. Third party add-ons for websites have become extremely popular for their ability to provide more interesting site functionality. Add-ons can offer functions like dynamic IP geolocation, image resizing, and much more. These third party pieces of code may harbor vulnerabilities that the original website owner may not even be aware of. Many webmasters might not realize that third party add-ons need to be updated in addition to software like WordPress or Joomla.
- Server level vulnerabilities. A large number of web servers on the Internet run vulnerable software, such as easily hackable FTP software. Sometimes, even though website and server administrators know about vulnerabilities in the server software, they forget to patch these security holes—leaving them vulnerable to hacks. These issues are primarily related to server setup and configuration. Improper permissions settings can give malicious hackers access to files they shouldn't be able to get to.
Essential tips to protect your website:
- Never store credentials, like your FTP password, on your local PC.
- Use strong passwords and try to set up difficult-to-guess usernames (such as "av21bx" instead of "Alex").
- If you use FTP, consider switching to a more secure solution, like SSH/SCP/SFTP.
- Make sure to check your website frequently for web application vulnerabilities and malicious code. Vigilance can protect your visitors.
- Install only reputable plugins. Make a list of all third party plugins you use, and be sure to update them regularly. Both the software you use to run your website and all your plugins should be kept current!
- Set appropriate file permissions on your web server.
- Make sure you regularly scan your local PC with at least one, and preferably more than one, antivirus engine. Antivirus software for your PC won't detect website infections, but using an infected local machine can cause a website to become infected, so it's important to protect your PC, too!
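One way to act on the file permissions tip above, as an added example that is not part of the original post: a small shell audit that lists world-writable files and directories under a web root and then tightens them. The function names, the sample tree, and the 755/644 baseline are assumptions made for illustration; adjust the modes to what your host requires.

```shell
#!/bin/sh
# Added example: audit a web root for entries that any local user can modify.
# Function names and the sample tree are hypothetical, built for this demo.

# Print every regular file or directory under $1 with the "other" write bit set.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null
}

# Count the findings so the check can gate a cron job or deploy script.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset to an assumed baseline: directories 755, files 644.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree so the script runs offline.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads" "$root/includes"
    echo '<?php // config ?>' > "$root/includes/config.php"
    echo '<html></html>' > "$root/index.html"
    chmod 755 "$root" "$root/includes"
    chmod 644 "$root/index.html"
    chmod 777 "$root/uploads"              # too permissive
    chmod 666 "$root/includes/config.php"  # too permissive
    echo "before: $(count_world_writable "$root") world-writable entries"
    list_world_writable "$root"
    fix_permissions "$root"
    echo "after:  $(count_world_writable "$root") world-writable entries"
    rm -rf "$root"
}

demo
```

Run the listing function against your real web root first and review the output before applying any changes, since some applications need specific directories to stay writable by the web server user.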