Here is a check list you can use to ensure that if a compromise happens we will offer cleaning and securing assistance. Please note that if a re-compromise happens and these responsibilities have not been met we may require that they be met before offering further cleaning and securing assistance.
1. Local Malware Check
- Ensure that the computer that administers this account is trojan/malware free. Malware is commonly used to compromise passwords in cases such as this.
- If unsure on which program to use to scan for malware, we have found the following programs to be effective:
- HouseCall: http://housecall.trendmicro.com/
- MBAM: http://www.malwarebytes.org/mbam.php
- Microsoft Security Essentials: http://www.microsoft.com/Security_Essentials/
- Spybot S&D: http://www.safer-networking.org/index2.html
- SUPERAntiSpyware: http://www.superantispyware.com/superantispyware.html
- No one single anti-malware application will catch 100% of all malware on-the-wild, so scans with two or more reputable malware scanners is recommended.
2. Strong Passwords
- Change all of your passwords associated with the account to strong passwords.
- This may include but is not limited to:
- cPanel account password
- Sub FTP accounts passwords
- E-mail account passwords
- CMS installation passwords
- Data base passwords
- Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.
- Changing passwords periodically will help ensure that they do not remain stagnant and easy to crack with time. Each time you change your password the hacker must start over to try and guess your password. However, if the password remains the same the hacker has all the time they need to break your password.
- Using strong passwords lowers overall risk of a security breach, but strong passwords do not replace the need for other effective security controls. The effectiveness of a password of a given strength is strongly determined by the design and implementation of the authentication system software, particularly how frequently password guesses can be tested by an attacker and how securely information on user passwords is stored and transmitted.
3. CMS Installations Updates
- Keep your CMS installations up to date on the latest version to ensure that you have the latest security patches installed.
- We recommend enabling automatic updates.
4. Software Updates
- Keep other software which you control up to date. This will help to ensure that you have the latest security patches installed.
- We recommend enabling automatic updates where possible.
5. Off-site Backups
- Maintain off-site backups which are not updated automatically to maintain a non-compromised version of your account.
- Ensure that you have strong captchas on all of your contact and form pages.
- Here is some information on adding a captcha called ReCAPTCHA: https://www.google.com/recaptcha/intro/index.html
7. Input Sanitation
- Ensure that your developer uses input sanitation to help prevent the injection or upload of malicious content.
8. Hide Indices
- Hide indices of directories on the account to help prevent hackers from exploiting known files and folders on your account.
- This should be done to prevent unintended public viewing of your account's files and folders when certain areas of your URL are visited by a person on the internet.
9. Proper File Permissions
- Ensure that your files and folders have the correct permissions on them to prevent hackers from being able to execute malicious code with your content.
- Secure folder permissions - 755
- Secure file permissions - 644
10. Monitor E-mails
- It is important to ensure that you keep up with e-mails from us so that you are aware of any upcoming changes or security issues that arise.
If you have any questions or concerns, please feel free to contact us.