Site   Web

February 5, 2010

Are Your Websites Secure Or Is The Back Door Wide Open?

One of the topics that all of us online business people are aware of but usually don’t feel totally on top of is website security.

Coming from a background of having spent over 20 years in the U.S. military, and having spent four years as a software tester, I have a greater awareness of the need for continuous vigilance in this area than your average marketer.

I also know that you can never make your websites or your computers completely secure. Instead, you can only do things that reduce the risk.

Given that you spend a lot of time, money, and energy, building your online business, it only makes sense that you set aside time periodically to review security related issues, and to look for problems that can be easily minimized.

Here are a few easy “fixes” that you can implement today that will increase the security of your online business.

1) Delete outdated scripts that you no longer use from your server. Many of “the bad guys” have studied the exact same scripts that you use to power your websites, and they know where the backdoors and vulnerabilities are. They know exactly which file will allow them to create all kinds of havoc.

If you have old programs on your server that you are not using, simply delete them.

2) Update older scripts that you are using. Often, the reason that updates are released for a script IS to patch a vulnerability that the developer has become aware of.

YES, upgrading can seem time consuming, and it can be tempting to skip an update, and just wait for the next one. When you wake up one day and can’t access your server, or all of your websites have been defaced or erased, you’ll see the wisdom in ALWAYS keeping the scripts powering your websites completely updated.

If you are as non-techie as I am, you simply hire a trusted programmer to perform this task.

3) Change the default setting when installing scripts on your servers. Many scripts have default passwords, and default locations for critical directories that make these scripts work flawlessly. Since everyone obtaining a copy of these script have these settings, you probably want to change them, and you also may want to rename certain directories.

4) Secure your web logs. Many web hosts have a standard location for the website’s logs and statistics on each hosting account. The files that allow you to access, read, download, and manipulate this data often aren’t secured. At a minimum, password protect that directory.

The danger in someone readily accessing your logs is that they can see the names and paths of the files on your server, including your download pages and the file names of files that may actually be for sale products

There are not only people who search on your product name, looking for unsecured files – there are also people who enjoy posting those links on sites where this type of information is shared.

5) Put an index page in every directory on your server. If someone surfs to the domain name of one of the directories on your server, and there is no index page in that directory, they will get a directory tree… showing them all of the files in that directory, and allowing them to simply click in a given file name to access it.

Servers can be configured to prevent this, but for many people, the quickest and simplest way to protect their directories from prying eyes is to stick an index page in each directory.

6) Give your download pages hard to guess names. Don’t use urls like YourDomain.com/ProductName/download.html Instead you want to give download pages names comprised of a random sequence of letters and numbers, perhaps stick them in directories not even associated with a given product, or use a “download guard-type” script that gives each customer a unique download link and protects your files.

There are a lots of other things that you can do to easily close common holes in your website’s security. This article barely scrapes the surface, and is intended more to make you aware of the problem, and to get your thinking about it. Make regularly reading articles and reports on the topic a part of your education in how to operate a successful online business.


Willie Crawford has been operating an online business for 13 years and believes that too many online marketers simply pretend that problems with website security don’t exist. For a really eye-opening report on website security, get the recordings of an interview Willie did with a leading web security expert at: http://timic.org/CloseTheDoor

4 Responses to “Are Your Websites Secure Or Is The Back Door Wide Open?

    […] SiteProNews: Webmaster News & Resources » Blog Archive » Are Your Websites Secure Or Is The Back Door Wide Open? By depatty SiteProNews: Webmaster News & Resources » Blog Archive » Are Your Websites Secure Or Is The Ba…. […]

    avatar Jason Remillard says:

    Willie great report

    These are all very good basic, little things that it’s your website and ensure website security if all we also recommend as well as a daily Malware detection scan and a web vulnerability scanning at least monthly for each and every website.
    This helps to ensure that he did miss anything at least the scanner will let you know afterwards and preferably before this hackers realize it.

    Keep up the good work!

    http://www.sitesecuritymonitor.com

    avatar T says:

    Interesting but confusing post. Point 4 specifically.
    First of all, can you more clearly define “web log” and secondly, how do you check to see if it is secure in the first place?

    Great awareness article. Website security seems to one of those things that people ignore – until it happens to them.

    Then, you better drop everything because “my” website is the only one that matters.

    We’ve been seeing more “backdoors” on websites after they’ve been hacked.

    These backdoors are programs that hackers install on websites that allow the hacker to re-infect the website without ever needing a user account, or a an exploitable vulnerability.

    Sometimes these backdoors are .php files other times they’re .pl (Perl) files. The hackers keep changing their programs.

    Just thought I’d add my two cents in. Again, great article.

Submit a Comment

Your email address will not be published. Required fields are marked *






You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Please leave these two fields as-is:

Protected by Invisible Defender. Showed 403 to 4,190,773 bad guys.

css.php