> Protect Your Site, Or suffer the consequences
twitch
post May 10 2005, 03:35 PM
Post #1











Thinking your site is safe and knowing it is safe are two different things.

Hackers can easily get into any site that isn't protected. They can then access databases to find user information, steal files, or plant dubious files that will get your account taken off of you.

To ensure that the above doesn't happen, you need to keep your site as secure as possible.

If you think that databases and the relevant programming (PHP, ASP, etc.) are secured, think again. Simple SQL injections, cross-site scripting, exposed session data or session hijacking are but a few suggestions that hackers use.

Google Hacking.
Last December set a new foot-mark for all hackers everywhere. The Santy worm used Google to search the web for sites vulnerable to a particular form of attack. The attack was only minor and the only damage done was the text on a front page of the site being changed. However, some 40,000+ sites were affected within... 24 hours.

This is a daunting fact, as the worm could have easily been very serious. And who is to say the next one won't be?

The terrible news to all is that anyone can search for vulnerabilities in sites. For example, enter inurl:"passwd.txt" at Google. This command returns addresses that have passwd.txt in the URL.*

Don't Panic:
There are ways in which to help prevent hackers.
1) Don't use obvious file(s) and folder(s) names.
2) Use Gooscan from ihackstuff.com* to scan your site for various risks when searched for using Google.
3) Encrypt your coding.
4) The Google Hack Honeypot (ghh.sourceforge.net) pretends to be a vulnerable PHP application, but actually watches and records everything that an attacker does.

Overall: (adapted from a .NET article to suit.)
1) Check the log files of your site occasionally, to look for any attempted attacks. A decent log analyser might help.
2) Make sure that the permissions on your site folders are set correctly.
3) Site developers should make sure that all input data is properly validated and anything that isn't validated is deleted.
4) Turn all detailed error reporting off, if possible (set display_errors to 0 in PHP for instance).
5) Think about the file extensions on your server. Use .inc for PHP included files, for instance.
6) If you want to protect a particular area of your site, then validate the user's login credentials every time.
7) Unexpected user input or actions can lead to application errors, giving away system information or causing other problems.
8) Be careful about browser caching.

Finally, there are no real 100% methods of trying to stop hackers, but if the worst should happen, contact your webhost for further help.


--mik:P
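
Added example (not part of the original post): a small Python log check for the "check the log files" advice above. It flags requests whose referrer carries a search query with operators such as inurl:, and requests for file names that should not be served. The log lines, the operator list and the file-name pattern are constructed assumptions to adapt to your own site.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = '''\
203.0.113.7 - - [10/May/2005:15:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://www.google.com/search?q=reef+tank+lighting" "Mozilla/4.0"
198.51.100.23 - - [10/May/2005:15:02:10 +0000] "GET /admin/passwd.txt HTTP/1.1" 404 210 "http://www.google.com/search?q=inurl%3A%22passwd.txt%22" "Mozilla/4.0"
198.51.100.23 - - [10/May/2005:15:02:11 +0000] "GET /includes/db.inc HTTP/1.1" 200 734 "-" "Mozilla/4.0"
192.0.2.55 - - [10/May/2005:15:03:40 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "http://example.org/page.html" "Mozilla/4.0"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')

# Search operators seen in "Google hacking" style queries (assumed list, extend as needed).
DORK_OPERATORS = ("inurl:", "intitle:", "filetype:", "ext:", "intext:")
# Names that should never be served; .inc is sent as plain source unless the server handles it.
SENSITIVE = re.compile(r'(passwd|password)[^/]*\.txt$|\.(inc|bak|sql|old)$', re.I)

def referer_query(referer):
    """Return the lower-cased q= search query carried in a referrer URL, or ''."""
    q = parse_qs(urlparse(referer).query).get("q", [""])[0]
    return q.lower()

def scan(log_text):
    """Return a list of (ip, path, status, reasons) for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = []
        query = referer_query(m["referer"])
        if any(op in query for op in DORK_OPERATORS):
            reasons.append("search-operator referrer: " + query)
        path = urlparse(m["path"]).path
        if SENSITIVE.search(path):
            served = "SERVED" if m["status"].startswith("2") else "not served"
            reasons.append("sensitive file requested (%s)" % served)
        if reasons:
            findings.append((m["ip"], path, int(m["status"]), reasons))
    return findings

if __name__ == "__main__":
    for ip, path, status, reasons in scan(SAMPLE_LOG):
        print(ip, path, status, "; ".join(reasons))
```

A finding marked SERVED means the file was actually delivered and should be moved out of the web root or blocked by the server.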
jcguy
post May 11 2005, 12:28 PM
Post #2





Great post! I never knew that my site could be potentially so vulnerable to hackers.

This post reminds me of another form of website "hacking", namely people simply loading the source code of your website and copying it for their own uses, to make their own websites. All the scripts you've painstakingly coded are stolen so easily by others.

Also, on websites selling downloadable products such as ebooks, smart users can look at the source code and tell where the download page, which should appear only after payment has been made, is found. Then they can just download the product for free.
twitch
post May 11 2005, 02:43 PM
Post #3











I forgot to equal the *.

* = Attempt to do this at your own risk. All actions of this sort are IP recorded. It is also illegal.


--mik
OneStopReefShop
post May 28 2005, 03:11 PM
Post #4





Being very new to setting up a site, your information was EXCELLENT food for thought!

THANKY!
kevinparsons
post Jun 14 2005, 08:07 AM
Post #5





I don't think there is much a hacker can do to most of us other than mess up our sites. Unless of course you have a bunch of vital information. A hacker wouldn't bother with my site lol
mzwebfreak
post Jun 18 2005, 05:55 PM
Post #6





Another thing along these lines, although more for bandwidth thieves than hackers, is to have hotlink protection enabled... I went to check it out today, and found 5 MySpace profiles direct linking to graphics from my websites! GA!
SSLeGeNdArYbRoLi
post Jul 2 2005, 05:12 PM
Post #7





Oh wow, I can't believe these guys are doing this out of fun. I seriously hope these virus spreaders are warned or caught, because I don't want my sites to be down because of hackers and viruses finding the slightest opening to go thru and take control. There needs to be some great programs that can help.
gamerchick39
post Jul 6 2005, 04:20 AM
Post #8





heck yeah this is a great post... i need to do this... are there any extra steps i should take for a site made entirely in Flash or does that make any kind of difference? i have the password protection enabled but i'm not sure if that's just for downloading or whatnot...
Amerijap
post Jul 6 2005, 07:16 AM
Post #9





sweet, i can use that for my clan's site.
GM-University
post Jul 15 2005, 02:41 PM
Post #10





I didn't realise Google could do that, lucky I don't have a passwd.txt on my site, but wow, I never knew, nice guide Twitch!
I am going to take some of your suggestions into mind while I work on my forum software... Thank you very much for the food for thought Twitch... There was actually another Santy worm a few months back, the Perl Santy B...