February 5, 2010
One of the topics that all of us online business people are aware of but usually don’t feel totally on top of is website security.
Coming from a background of having spent over 20 years in the U.S. military, and having spent four years as a software tester, I have a greater awareness of the need for continuous vigilance in this area than your average marketer.
I also know that you can never make your websites or your computers completely secure. Instead, you can only do things that reduce the risk.
Given that you spend a lot of time, money, and energy, building your online business, it only makes sense that you set aside time periodically to review security related issues, and to look for problems that can be easily minimized.
Here are a few easy “fixes” that you can implement today that will increase the security of your online business.
1) Delete outdated scripts that you no longer use from your server. Many of “the bad guys” have studied the exact same scripts that you use to power your websites, and they know where the backdoors and vulnerabilities are. They know exactly which file will allow them to create all kinds of havoc.
If you have old programs on your server that you are not using, simply delete them.
2) Update older scripts that you are using. Often, the reason that updates are released for a script IS to patch a vulnerability that the developer has become aware of.
YES, upgrading can seem time consuming, and it can be tempting to skip an update, and just wait for the next one. When you wake up one day and can’t access your server, or all of your websites have been defaced or erased, you’ll see the wisdom in ALWAYS keeping the scripts powering your websites completely updated.
If you are as non-techie as I am, you simply hire a trusted programmer to perform this task.
3) Change the default setting when installing scripts on your servers. Many scripts have default passwords, and default locations for critical directories that make these scripts work flawlessly. Since everyone obtaining a copy of these script have these settings, you probably want to change them, and you also may want to rename certain directories.
4) Secure your web logs. Many web hosts have a standard location for the website’s logs and statistics on each hosting account. The files that allow you to access, read, download, and manipulate this data often aren’t secured. At a minimum, password protect that directory.
The danger in someone readily accessing your logs is that they can see the names and paths of the files on your server, including your download pages and the file names of files that may actually be for sale products 🙁
There are not only people who search on your product name, looking for unsecured files – there are also people who enjoy posting those links on sites where this type of information is shared.
5) Put an index page in every directory on your server. If someone surfs to the domain name of one of the directories on your server, and there is no index page in that directory, they will get a directory tree… showing them all of the files in that directory, and allowing them to simply click in a given file name to access it.
Servers can be configured to prevent this, but for many people, the quickest and simplest way to protect their directories from prying eyes is to stick an index page in each directory.
6) Give your download pages hard to guess names. Don’t use urls like YourDomain.com/ProductName/download.html Instead you want to give download pages names comprised of a random sequence of letters and numbers, perhaps stick them in directories not even associated with a given product, or use a “download guard-type” script that gives each customer a unique download link and protects your files.
There are a lots of other things that you can do to easily close common holes in your website’s security. This article barely scrapes the surface, and is intended more to make you aware of the problem, and to get your thinking about it. Make regularly reading articles and reports on the topic a part of your education in how to operate a successful online business.
Willie Crawford has been operating an online business for 13 years and believes that too many online marketers simply pretend that problems with website security don’t exist. For a really eye-opening report on website security, get the recordings of an interview Willie did with a leading web security expert at: http://timic.org/CloseTheDoor