Hardening Accounts Against Compromise

Roughly 30,000 websites are hacked every day, with new threats emerging constantly. Here is a checklist you can use to lessen the odds of being hacked. If you have been hacked, or require additional security, check out our partnership with Sucuri.

1. Local Malware Check

Ensure that the computer that administers this account is trojan/malware free. Malware is commonly used to compromise passwords in cases such as this.
If unsure on which program to use to scan for malware, we have found the following programs to be effective:
- HouseCall: http://housecall.trendmicro.com/
- MBAM: http://www.malwarebytes.org/mbam.php
- Microsoft Security Essentials: http://www.microsoft.com/Security_Essentials/
- Spybot S&D: http://www.safer-networking.org/index2.html
- SUPERAntiSpyware: http://www.superantispyware.com/superantispyware.html
No one single anti-malware application will catch 100% of all malware on-the-wild, so scans with two or more reputable malware scanners is recommended.

2. Strong Passwords

Change all of your passwords associated with the account to strong passwords.
This may include but is not limited to:
- cPanel account password
- Sub FTP accounts passwords
- E-mail account passwords
- CMS installation passwords
- Data base passwords
Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.
Changing passwords periodically will help ensure that they do not remain stagnant and easy to crack with time. Each time you change your password the hacker must start over to try and guess your password. However, if the password remains the same the hacker has all the time they need to break your password.
Using strong passwords lowers overall risk of a security breach, but strong passwords do not replace the need for other effective security controls. The effectiveness of a password of a given strength is strongly determined by the design and implementation of the authentication system software, particularly how frequently password guesses can be tested by an attacker and how securely information on user passwords is stored and transmitted.

3. CMS Installations Updates

Keep your CMS installations up to date on the latest version to ensure that you have the latest security patches installed.
We recommend enabling automatic updates.

4. Software Updates

Keep other software which you control up to date. This will help to ensure that you have the latest security patches installed.
We recommend enabling automatic updates where possible.

5. Off-site Backups

Maintain off-site backups which are not updated automatically to maintain a non-compromised version of your account.

6. Captchas

Ensure that you have strong captchas on all of your contact and form pages.
Here is some information on adding a captcha called ReCAPTCHA: https://www.google.com/recaptcha/intro/index.html

7. Input Sanitation

Ensure that your developer uses input sanitation to help prevent the injection or upload of malicious content.

8. Hide Indices

Hide indices of directories on the account to help prevent hackers from exploiting known files and folders on your account.
This should be done to prevent unintended public viewing of your account's files and folders when certain areas of your URL are visited by a person on the internet.

9. Proper File Permissions

Ensure that your files and folders have the correct permissions on them to prevent hackers from being able to execute malicious code with your content.
- Secure folder permissions - 755
- Secure file permissions - 644

10. Monitor E-mails

It is important to ensure that you keep up with e-mails from us so that you are aware of any upcoming changes or security issues that arise.

If you have any questions or concerns, please feel free to contact us.