[nextpage title=”Introduction”]
If you have a website, a blog, or a forum, it is very important to audit its security, in order to prevent people from exploiting it. In the first part of this tutorial, we will cover basic information and procedures that every website owner should know. Check it out.
In order to look for vulnerabilities on your own website, you have to think like a hacker: what steps a hacker would do in order to exploit my website?
The first step is exploration, i.e., gathering some basic information about your system. That is what we are going to teach you today. The basic idea here is: the less information you give out “for free”, the better.
Let’s start by talking about your website’s control panel.
[nextpage title=”Location of the Control Panel”]
Most websites have a control panel where you can manage their contents. The major problem is that most website owners leave the control panel installed on its default location, for instance, https://www.yourwebsite.com/admin. The exact location may change, depending on the software you use. For example, WordPress uses /wp-admin, while vBulletin uses /admincp. If your website advertises the software it runs (a potential security risk we are going to cover in this tutorial), it is very easy for a hacker to research which is the default location of the control panel of the particular software you run on your website.
One of the first things a hacker will do is to check if your website’s control panel is placed on an obvious location. In Figure 1, we give you a real-life example of a famous website with this problem.
Figure 1: Website’s control panel installed on its default location
On the Internet, there are several websites with this problem, and it is very easy for a hacker to run a program that tries hundreds of passwords per hour to try to gain access to your control panel. Luckily, most website management programs have counter-measures to this kind of attack, but it is better not to count on that.
Therefore, it is mandatory for you to change the place where your website’s control panel is located. Keep in mind that, besides renaming the directory (folder) of the control panel, you most likely will also need to update the configuration file (config.php or similar) with the new location.
After changing the location of the control panel, just do not tell anyone about it, and do not list it anywhere, especially in the robots.txt file.
[nextpage title=”The Robots.txt File”]
The robots.txt file is a text file you should put in the root directory (folder) of your website (https://www.yourwebsite.com/robots.txt), telling search engines such as Google what to scan and what should not be scanned on your website. It is a good practice to configure this file.
However, some webmasters add the location of the control panel on the list of files not to be scanned by the search engine. Since the robots.txt file is public, anyone can open it to check if there is any unusual directory (folder) listed under “Disallow.”
Consider the real example presented in Figure 2. Why is the/Comment/NewComment directory listed under “Disallow?” That is definitely a place a hacker would open to see what is there. Opening this directory on this particular website produces the login screen shown in Figure 3. Bingo!
Figure 2: Robots.txt file
Figure 3: A login screen found through the robots.txt file
Therefore, you must not add the directory (folder) of your control panel in the robots.txt file.
[nextpage title=”Software Versions”]
Most website management programs advertise its name and version, usually at the bottom of the pages of your website, blog, or forum. This way, it is very easy for a hacker to look online if there is any known security flaw with the particular version of the software you use in order to exploit it, especially if you are running an older version. See an example in Figure 4.
Figure 4: Management software advertising its name and version
Scroll down your website and see if there is any information of the software you run and/or its versions. You must remove this information as soon as possible. The way this is done will depend on the program you use, and sometimes you will have to pay a fee to get a code that, once entered at your control panel, removes the message from your website.
[nextpage title=”Error Page”]
You have to configure your website to either redirect the user to its homepage or to show a custom error page when a user tries to load a non-existent page. Otherwise, most web servers will advertise its name and version. Knowing the name and version of the web server software, a hacker can look online for known security flaws with the software you are using and try to exploit them.
Simply try to load https://www.yourwebsite.com/asjgasja or any set of random characters as the name of a page and see what is displayed. In Figures 5 and 6, we give two examples of websites that are not correctly configured, and we could easily discover that the first one (Figure 5) is running nginx version 1.4.2, while the second one (Figure 6) is running Apache version 2.2.8.
Figure 5: Website without a custom error page displaying the name and version of the server software
Figure 6: Website without a custom error page displaying the name and version of the server software
The way this is fixed depends on the server software and whether you have full access to the server where your website is hosted or not. If you have full access to the webserver, you should edit the httpd.conf file, add the lines below , and restart Apache (assuming that you are using Apache, which is the most popular webserver software available).
ErrorDocument 403 https://www.yourwebsite.com
ErrorDocument 404 https://www.yourwebsite.com
If you do not have this kind of access, you should discuss this configuration with your hosting company.
[nextpage title=”Displaying Server Software Versions”]
For the reasons already explained (hacker searching for known security flaws on the software you are running), you should disable as much as you can the programs you have on your server from displaying their names and versions.
If you are running Apache, which is the most popular webserver software available, you can add an extra layer of security by editing its httpd.conf file and adding (do not forget to restart Apache afterwards):
ServerTokens Minimal
ServerSignature Off
These directives will make the server software not display its identity anymore in cases like the one explained in the previous page.
If your webserver is running an FTP server program (most likely, as it allows you to upload files to your server), you should verify whether or not it displays its name and version when you try to log in. Most FTP servers will allow you to change that.
For example, the default message displayed by ProFTPD is something like “220 ProFTPD 1.3.1 Server (Debian),” which not only displays its name and version, but also the name of the operating system (Debian).
However, if you edit the file proftpd.conf and add the lines shown in Figure 7, it will display only “220 FTP Server ready,” which is much better, as it does not give away the particulars of your system.
Figure 7: Configuration for ProFTPD not advertise itself
Of course this configuration is valid only for ProFTPD, and your server may be running a different program; we wanted to give you a real example and show you the kind of thing you must change on your server.
If you do not have full access to the webserver where you website is hosted, you should discuss these configurations with your hosting company.
[nextpage title=”Best Practices”]
Whenever you install or upgrade a web application, you must delete old files. For example, if you are running a forum and want to upgrade it to its latest version, the best procedure is to back up the old files and install the new files. (Here we are talking about the application files, such as PHP files, not your images and other files that you must maintain installed. You will also need to keep the old configuration file, i.e., config.php or similar, otherwise you will not be able to perform the upgrade.)
Oftentimes, the new version does not come with a particular file anymore, and you end up with an unused, outdated file inside your webserver. Later on, if a security flaw that affects the version of your old file is discovered, a hacker may exploit this particular file. And you will think your website is secure, as you are running a later version of the application, not the version with the security flaw.
Speaking of which, you should always keep all programs to their latest versions, especially if you manage your own servers. You should keep a spreadsheet with all programs you have installed, their versions, and their websites, and you should check at least once a week to see if there are new versions available.
Some developers allow you to subscribe to an announcement list, so you will receive an email whenever a new version is released. Some applications, such as WordPress, allow you to check for newer versions and update themselves from inside their control panel.
All tips in the world are not sufficient if you keep a login and password that are too obvious, or if you use the same login and password for all services at your website and/or server. The password must be different from the login, and you should not use a word that exists for it (i.e., a dictionary word), as there is a very common attack method called “dictionary attack,” where the hacker uses a program that automatically tries all words available in a dictionary as password. Passwords should be created with a combination of upper case letters, lower case letters, numbers, special symbols, and use at least eight characters.
Many people have trouble creating passwords based on these directions. A simple yet powerful tip is to create a password based on an existing word and then replace certain letters by symbols or numbers: “!” replaces “i,” “3” replaces “e,” “4” replaces “a,” “0” replaces “0” and so on. For example, assuming that you want to create a password based on the word “killerwasp,”it could be written as “K1ll3rW4sp.” It is very hard to break this password using standard hacking software and, at the same time, it is relatively easy to be memorized using the suggested method.
And don’t forget that you should not write your passwords on Post-It nor leave them near your computer, as anyone who has access to your workplace can easily copy them.