5 Common Server Security Mistakes
Web servers are a prime target for hackers, and running a site requires a certain amount of vigilance.
If you have a managed hosting solution, much of the security work is handled for you.
But there are still some security blunders to avoid.
1. File Permissions
If you install scripts on your server, you probably have to set permissions on some folders.
This is usually done with chmod, either from a shell or through the "change permissions" dialog of an FTP/SFTP client.
Sometimes, getting the settings right can be tricky, and in a fit of frustration we’ve all set a folder to the most permissive setting, 777.
That makes the folder readable and writable by every account on the machine, so any other user on a shared host, or any compromised script, can plant or alter files in it. Don’t do it.
Most servers ship with sensible defaults (typically 755 for directories and 644 for files), so permissions should only be changed when absolutely necessary, and then to the least permissive setting that actually works.
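As an added example (not part of the original post), here is a small POSIX shell script that finds world-writable files and directories under a web root and resets them to the usual defaults, 755 for directories and 644 for files. The scratch directory it creates is constructed for the demonstration; point fix_permissions at your own document root.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web root for
# world-writable files and directories, and reset them to the usual
# safe defaults (755 for directories, 644 for files).
# The demo directory below is constructed; pass your own path in practice.

# List everything under $1 that any user on the host can write to
# (-perm -0002: the "other write" bit is set).
find_world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) -print
}

# Reset directories to 755 and files to 644. Note that this also removes
# group write, so a script that genuinely needs an upload directory will
# have to be re-checked afterwards and given the minimum it needs.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Print how many world-writable entries remain under $1.
count_world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) | wc -l | tr -d ' '
}

# Demonstration on a constructed scratch directory so it runs anywhere.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/pics"
    printf '<html></html>\n' > "$root/index.html"
    printf 'img\n' > "$root/pics/a.jpg"
    chmod 777 "$root/pics" "$root/pics/a.jpg"   # the frustrated "just make it work" setting

    echo "World-writable before:"
    find_world_writable "$root"
    fix_permissions "$root"
    echo "World-writable after: $(count_world_writable "$root")"
    rm -rf "$root"
}
demo
```

Run the audit first and look at what it reports before fixing anything: a directory a plugin writes uploads into may need to stay writable by the web server's account, but it should never need to be writable by everyone.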
2. Wildcard Indexing
Most Web sites have a folder where they keep their images, audio or other non-Web page files. But what happens when you visit that directory directly (e.g. yourdomain.com/pics/)?
If you get an error (a 403 Forbidden or a 404 Not Found), you are in good shape. If instead you see a listing of the files in that directory, the server is advertising its contents: you are inviting leeching and hotlinking and exposing more of your directory tree than you meant to.
For those folders, turn off indexing by adding the line "Options -Indexes" to the folder's .htaccess file, by adding an index.html file (even an empty one) so there is something to serve instead of a listing, or, if you use cPanel, by using the Index Manager to disable indexing for that folder.
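The .htaccess route, as an added example rather than code from the original post: a shell function that appends the directive to a folder's .htaccess without duplicating it on repeated runs. The folder used in the demo is a constructed scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post: switch off directory
# listings for a folder by adding "Options -Indexes" to its .htaccess,
# without adding the directive a second time if it is already there.
# The folder used in demo() is a constructed scratch directory.

# Append "Options -Indexes" to DIR/.htaccess unless it is already present.
disable_indexing() {
    htaccess="$1/.htaccess"
    if [ -f "$htaccess" ] && grep -q '^Options.*-Indexes' "$htaccess"; then
        return 0            # already disabled, nothing to do
    fi
    printf 'Options -Indexes\n' >> "$htaccess"
}

# Succeed (exit 0) if DIR's .htaccess currently disables indexing.
indexing_disabled() {
    [ -f "$1/.htaccess" ] && grep -q '^Options.*-Indexes' "$1/.htaccess"
}

# Print how many times the directive appears, to show the change is idempotent.
count_directive() {
    if [ -f "$1/.htaccess" ]; then
        grep -c '^Options.*-Indexes' "$1/.htaccess"
    else
        echo 0
    fi
}

demo() {
    pics=$(mktemp -d)
    disable_indexing "$pics"
    disable_indexing "$pics"          # second call must not add a second line
    echo "directive present $(count_directive "$pics") time(s):"
    cat "$pics/.htaccess"
    rm -rf "$pics"
}
demo
```

One caveat: .htaccess can only change Options if the server's configuration grants AllowOverride Options for that directory. If the folder starts returning a 500 Internal Server Error after the edit, the host has not allowed it, and the blank index.html or cPanel's Index Manager is the fallback.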
3. Out of Date Software
You’re responsible for keeping the applications you install up to date.
If you don’t, you are exposing your site to the very attacks those updates fix: SQL injection, password cracking and more.
Update your software regularly. If WordPress is telling you it’s out of date, do something about it.
4. Backups
Any number of disasters can strike your server at any time, wiping out your data. Having your own backups is important; relying on your host alone is never a good idea.
If you run a database-driven site (e.g. a WordPress blog), much of your site content can be backed up using a plugin or a simple database dump.
For other sites, backing up is as simple as logging in via FTP (preferably SFTP, since plain FTP sends your login in clear text) and downloading everything to a folder on your hard drive. Keep the copy somewhere other than the server itself, and check now and then that it can actually be restored.
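A scripted version of both steps, as an added example that is not from the original post: a dated, compressed archive of the web root, a matching database dump, and a read-back check of the archive. The site directory in the demo is constructed; the database name "wordpress" and the use of ~/.my.cnf for credentials are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: make a dated, compressed
# backup of a web root and of the site's database, then verify that the
# archive can be read back. Paths and the database name are assumptions.

# Archive SRC into DEST/<name>-YYYY-MM-DD.tar.gz and print the archive path.
backup_files() {
    src=$1; dest=$2; name=$3
    stamp=$(date +%Y-%m-%d)
    archive="$dest/$name-$stamp.tar.gz"
    # -C so the archive holds relative paths rather than the server's absolute path.
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    echo "$archive"
}

# Dump database DB to DEST/<db>-YYYY-MM-DD.sql.gz. Credentials are read from
# ~/.my.cnf ([client] section), so the password never appears in `ps` output
# or shell history. Not called in demo() because it needs a live MySQL server.
backup_database() {
    db=$1; dest=$2
    out="$dest/$db-$(date +%Y-%m-%d).sql.gz"
    mysqldump --single-transaction "$db" | gzip > "$out"
    echo "$out"
}

# A backup you have never read back is not yet a backup: list the archive
# and print the number of entries, 0 if it cannot be read at all.
verify_archive() {
    tar -tzf "$1" 2>/dev/null | wc -l | tr -d ' '
}

demo() {
    work=$(mktemp -d)
    mkdir -p "$work/site/pics"                       # constructed sample site
    printf '<html></html>\n' > "$work/site/index.html"
    printf 'img\n' > "$work/site/pics/a.jpg"

    archive=$(backup_files "$work/site" "$work" mysite)
    echo "wrote $archive with $(verify_archive "$archive") entries"
    # backup_database wordpress "$work"   # assumes ~/.my.cnf grants access
    rm -rf "$work"
}
demo
```

The archive should then be copied off the server (scp/rsync to your own machine, or to storage with a different provider); a backup that lives only on the host it protects disappears with it.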
5. Bad Passwords
If someone can guess your password, no amount of security software can protect you.
Hackers routinely use dictionary attacks to guess the passwords of various sites.
Your password should be at least 12 characters long (8 is the bare minimum) and contain a mixture of lower-case letters, capitals, numbers and symbols; it should also be used for this site only, so that a breach elsewhere does not hand over your server. Your password should be easily remembered by you, but not easily guessed by anyone else.
If you need any help making a good password, visit Gibson Research Corporation’s Password Generator and copy a section of characters from one of its randomly-generated text strings.
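For those who would rather not copy a password from a web page, an added example (not from the original post): generating a random password locally from /dev/urandom, checking a candidate against the rules above, and putting a rough number on its strength. The sample passwords in demo() are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: generate a random password
# from /dev/urandom (an offline alternative to an online generator), check a
# candidate against the length and character-class rules in the text, and
# estimate its strength in bits. The sample passwords in demo() are constructed.

# Print a random password of LEN characters (default 16) drawn from letters,
# digits and a handful of symbols that survive most web login forms.
gen_password() {
    len=${1:-16}
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*_+=-' < /dev/urandom | head -c "$len"
    echo
}

# Return 0 if the password meets the policy, 1 otherwise.
# The length floor here is 12; the post's "over 8" is the absolute minimum.
password_ok() {
    p=$1
    [ "${#p}" -ge 12 ] || return 1
    case $p in *[a-z]*) ;; *) return 1 ;; esac
    case $p in *[A-Z]*) ;; *) return 1 ;; esac
    case $p in *[0-9]*) ;; *) return 1 ;; esac
    case $p in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
    return 0
}

# Strength estimate: bits of entropy for N characters chosen uniformly from a
# set of SIZE symbols (N * log2(SIZE), truncated). This is the attacker's
# search space for a truly random password; a dictionary word scores far lower.
entropy_bits() {
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%d\n", n * log(s) / log(2) }'
}

demo() {
    for pw in 'password' 'Summer2009!' "$(gen_password 16)"; do
        if password_ok "$pw"; then verdict=ok; else verdict=weak; fi
        echo "$pw -> $verdict"
    done
    # 26+26+10 letters and digits plus 12 symbols = 74 possible characters.
    echo "16 random chars from a 74-symbol set: ~$(entropy_bits 16 74) bits"
    echo "8 random lower-case letters:          ~$(entropy_bits 8 26) bits"
}
demo
```

Note what the check does and does not catch: "Summer2009!" has every character class and still fails on length, while a dictionary word padded to twelve characters would pass the class rules and remain weak, which is why the generator, not the checker, is the part to rely on.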
Securing Yourself
Basic security is straightforward. While there is no such thing as a completely secure server, the basic steps required to avoid becoming an easy target are simple enough. There’s no excuse: do your bit and improve your security.
Thanks Jonathan
Extremely true and helpful!!
If only everybody would do this.
July 26th, 2009 at 9:26 pm
Thank you Jonathan
Your blog is very helpful for everyone who uses computers a lot.
I really enjoyed reading this blog.
Regards,
Celine
August 28th, 2009 at 3:09 am