Archive for the ‘Web Site Sense’ Category

Web Site Security: Basics for protecting your web site from unwanted modifications or hacking

Thursday, November 26th, 2009

The hardest part of maintaining an online presence is securing both your and your clients’ content and information. Security is a 24x7x365 process, so do not work through this checklist, decide your security is good, and stop checking your web site(s).

Here is a checklist for helping you to secure your web-based applications and forms.

Passwords and UserID:

  1. Do not use the same password and userid for all your databases and administrator logins. Create different userids and strong passwords (8 – 20 characters), then write them down and keep them in a safe place. Password generators are great for this function. DO NOT STORE THEM ON YOUR COMPUTER OR WEB SITE!
  2. FTP. Do not use FTP unless you have to. The protocol sends your userid and password in clear text, and I can assure you that they will end up stored somewhere in a log file. If you must use FTP, use it and then immediately change your FTP password. You may also want to change your userid at the same time.
  3. Do not use any passwords or userids you have created outside their scope. In other words, do not reuse the userid or password of an administrator account to register on another blog. Not everyone will read this post and have their web site secured.
  4. IF YOU HAVE THE SLIGHTEST FEELING THAT YOUR USERID AND OR PASSWORD HAS BEEN COMPROMISED – CHANGE THEM!!
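The first item above recommends a different strong password (8 – 20 characters) for every database and administrator login, generated by a tool rather than by hand. The following is an added example, not code from the original post, of such a generator: it draws from the operating system’s cryptographic random source, enforces a mix of character classes, and produces one distinct password per account. The account names are constructed for illustration.

```python
"""Per-account strong password generation (added example).

Each login gets its own random password so that a leak of one credential
does not expose the others, matching checklist item 1 above.
"""
import secrets
import string

# Character set for generated passwords: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def is_strong(password):
    """Strength rule used here: 8-20 characters (the post's range) and at
    least one lower-case letter, upper-case letter, digit and punctuation."""
    return (
        8 <= len(password) <= 20
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def generate_password(length=16):
    """Return a random password of the requested length that passes is_strong.

    secrets.choice uses the OS CSPRNG, unlike the random module, which is
    predictable and must never be used for credentials.
    """
    if not 8 <= length <= 20:
        raise ValueError("length must be between 8 and 20 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_strong(candidate):
            return candidate


def credentials_for(accounts, length=16):
    """Map each account name to its own freshly generated password."""
    return {name: generate_password(length) for name in accounts}


if __name__ == "__main__":
    # Constructed account names; in practice these would be your real logins.
    for account, pw in credentials_for(["wp_admin", "mysql_app", "ftp_user"]).items():
        print(f"{account}: {pw}")
```

Print the result once, copy it to your written record, and do not save the output to disk; the script keeps nothing in memory after it exits.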

Applications:

  1. Research any applications you are planning to deploy to ensure the application creators are maintaining security updates.
  2. Subscribe to any security forums, so you can keep abreast of any security issues before they become a problem on your web site.
  3. Backup the application in a “pristine” state, along with any databases, immediately after the installation. This backup becomes your baseline, so if everything else fails you can restore to it.
  4. Install security plugins first. Once the security plugins are installed, make sure they are functioning properly. Now you want to backup the database and application to create a new baseline.
  5. Change as much as possible within the application to move away from default names. An example would be the WordPress database: every table starts with the prefix “wp_”, so change it to something else. Remove any accounts with a userid of “admin” or “admins”; this is the account every hacker will try first. Once again, perform a backup of your database and application to create a new baseline.
  6. Limit Frill Plugins. Everyone would love to have the latest and greatest plugins available in the application; however, every plugin you install creates another security hole. Unless you need the plugin to generate revenue, leave it out of your application. If you install a plugin, you will need to backup both the application and database.
  7. Limit access to the backend of the application. Unless the user is going to be an author and write text for your blog, why should you enable the ability to create accounts? Remember, everyone that has an account could potentially exploit a weakness in the software.
  8. Create .htaccess files to limit directory access. .htaccess files work with Apache and are a minimal way to secure a directory.
  9. Perform updates as soon as they become available. I have found the best method for performing updates is to: read what the upgrade does for your application, disable all your plugins, backup the database (separate from the upgrade backup), perform the upgrade, re-enable your plugins, and backup the database and application.

Databases:

  1. Give your database a unique name and password. Do not name the database the same name as your application or web site. Remember to write the database name and password down for safe keeping. Embedded within every web-based application is the database name and password, because the web-based application needs the ability to update, delete and add new records.
  2. Change the database port number. Everyone that has ever worked with MySQL knows that port 3306 is the default port. Changing the port number will make it more difficult for the “lazy sniffer” to gather information. Or if the database is on the same server as the application, use a socket connection.
  3. Limit Roles. It is very important to limit the roles of database users to the bare minimum. If your web site only displays content from an existing database, create a new userid and password whose only privilege is to issue “SELECT” statements against that database.
  4. Backup your database on a regular schedule. MySQL backups are in plain text, so you will need to keep these backups in a secure location.
  5. Take the time to go through your database tables and look for obvious field definition problems. If a field is listed as a “date” field, then make sure it is not defined as a text field. This can open a door for SQL injection attacks.

Web Based Forms:

  1. Only include fields you absolutely require. If you do not require a phone number, then do not place the field on a form.
  2. Limit field sizes. Do not leave the “size” attribute of any form item unset.
  3. Validate data on both the front and back ends prior to email or database insertion.
  4. Place a hidden field on the form that only web bots will see. When this field has anything in it, throw the email or data away.
  5. Use a simple form of CAPTCHA. Remember, CAPTCHA is only trying to limit “non-human” users and should not become an obstacle for your clients. A white background with black characters should be fine. Remember, a good percentage of web users are blue-green color blind, and older users may have trouble seeing the characters to enter.
  6. Use the POST method for sending data.
  7. Provide your users with SSL (Secure Sockets Layer), so their data will travel via a secure port (441).
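Items 1 through 4 of the form checklist, together with the database note about date fields defined as text, come together in the back-end validation step. The following is an added example, not code from the original post, of a server-side validator for a small contact form: it accepts only a whitelisted set of fields, enforces a length limit on each one independently of the browser’s “size” attribute, parses the date field as a real date so that text can never reach the database through it, and discards any submission whose hidden honeypot field has been filled in. The field names, limits and the sample submissions are constructed for illustration.

```python
"""Server-side form validation with field whitelist, size limits, strict date
parsing and a honeypot field (added example).

The front end may repeat these checks for usability, but only the checks here
run on the server and therefore only these can be trusted.
"""
import re
from datetime import date

# Hypothetical form schema: accepted field name -> maximum length.
# This is the server-side counterpart of the form's "size" attribute.
FIELDS = {
    "name": 60,
    "email": 120,
    "event_date": 10,   # expected as YYYY-MM-DD
    "message": 1000,
}
# Hidden field that is invisible to humans (e.g. via CSS) but visible to bots.
HONEYPOT = "website"
# Deliberately simple well-formedness check; delivery, not validity, is proven by email.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_submission(form):
    """Validate a dict of raw POST values. Returns (ok, list_of_errors)."""
    errors = []

    # 1. Honeypot: anything at all in the hidden field means "not a human".
    if form.get(HONEYPOT, ""):
        return False, ["honeypot filled: submission discarded"]

    # 2. Only the fields we require are accepted; extras are refused.
    for key in form:
        if key != HONEYPOT and key not in FIELDS:
            errors.append(f"unexpected field: {key}")

    # 3. Every required field must be present and within its size limit.
    for key, limit in FIELDS.items():
        value = form.get(key)
        if value is None:
            errors.append(f"missing field: {key}")
        elif len(value) > limit:
            errors.append(f"{key} exceeds {limit} characters")
    if errors:
        return False, errors

    # 4. Type checks: the email must look like an address and the date field
    #    must parse as a date, so a text payload cannot ride through it.
    if not EMAIL_RE.match(form["email"]):
        errors.append("email is not well formed")
    try:
        date.fromisoformat(form["event_date"])
    except ValueError:
        errors.append("event_date is not a valid YYYY-MM-DD date")

    return (not errors), errors


# Constructed sample submissions.
HUMAN = {"name": "Ada", "email": "ada@example.com",
         "event_date": "2009-11-26", "message": "Hello", "website": ""}
BOT = dict(HUMAN, website="http://spam.example")          # honeypot filled
BAD_DATE = dict(HUMAN, event_date="1' OR 1=1")              # text in a date field

if __name__ == "__main__":
    for label, sub in (("human", HUMAN), ("bot", BOT), ("bad date", BAD_DATE)):
        print(label, validate_submission(sub))
```

Run the checks before anything is emailed or inserted, and pair the date and email validation with parameterized queries on the database side; validation limits what reaches the query, the parameterization keeps whatever does reach it from being interpreted as SQL.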

I hope this information will help with your security efforts. Remember, security is a 24x7x365 activity. However, by taking care of the above mentioned items you can sleep a little easier at night.

Inexpensive web site hosting for e-business success both now and in the future

Sunday, July 5th, 2009

The most important decision you will make in regard to e-business is hosting. Your hosting plan needs to be expandable, secure, and inexpensive. We have found that Jamida has provided us with all these features and more. We are able to host blogs, content management systems, web stores, and mobile web sites under the same hosting plan. We even set up Google Apps for a family with the purchase of a domain name.

Domain name registration is easy and secure. Jamida also provides easy installation and support of the software on our web sites. Check out Jamida at: Jamida’s Home Page.

Another major domain registrar is “jamida.com,” which also offers all the services a startup e-business requires to become profitable. Remember, there are several steps you are required to take in order to become successful:

  1. Have a marketable idea.
  2. Obtain a registered domain name.
  3. Find a host for your web site.
  4. Be able to deploy and make changes easily and quickly to your web site.
  5. Not spend all your profits maintaining your web site.
  6. Obtain answers to your questions about hosting.

We have worked with “jamida.com” in the past and have experienced a low cost hosting service that provides excellent support. E-Business Juncture LLC has the technical ability to host our own web site; however, the costs we would incur do not warrant the expense. Let’s take a look at what we mean by expenses:

  1. Price of Server: In order to maintain a reliable web site on your premises you would have to pay for a reliable server with a service plan. Remember down-time is money. (Appx. cost: $2,500)
  2. Price of Bandwidth: If you think you can support a web site using simple DSL, think again. Many people do not realize it is not the downstream that matters, but the upstream in regard to web site hosting. Your upstream is the bandwidth your web site viewers have to download your web page into his or her web browser. (Appx. cost: $50 per month)
  3. Electrical and Environmental Considerations: Think again if you feel you can run a server on your home or apartment’s electricity. Many servers require more power than your circuits can provide. In addition, you will need to purchase a UPS and a room air conditioner to maintain the humidity and temperature in the room. (Appx. cost: $30 – $50 per month electric)
  4. Security Concerns: You are responsible for your own security of the information on the server. Chances are you will be required to purchase special liability insurance.
  5. SSL Certificate: You will need to purchase a secure socket layer (SSL) certificate and install the certificate if you want to open a web store, because you need to insure the security of customer and payment information.
  6. Your Time: Yes, you will need to spend several hours each week performing maintenance and upgrades. So, instead of concentrating on your e-business you will be burning the midnight oil maintaining your server. Ask yourself this question, “When was the last time you cleaned up the hard drive on your PC or replaced a component?”

“jamida.com” takes care of all this for you at very reasonable cost. E-Business Juncture LLC currently hosts 12 domain names and web sites (including mobile web sites) under one hosting plan. We have purchased and deployed an SSL certificate to cover up to five domain names. We have also deployed free software provided with the hosting plan, like a web store, blog and content management system. We have also purchased all our products for the next 5 years.

All this and more cost us the price of bandwidth for one year!!