Upgrades And Security


bode

I have been with TotalChoice for quite a few years and my recent site is 1.5 years old.

I would like to take some measures to secure my site and was wondering what is needed?

Does TC look after it all through automatic upgrades, or are there any manual upgrades that are needed through cPanel?

I am concerned about possible spam hacks and where to look for and prevent them.

Thanks


The operating system of the server you are on is maintained by TotalChoice. The contents of your site are your responsibility. Not knowing what is on your site, it would be hard for someone to let you know if it needed updating or not. If you are using a content management system, I'm sure there have been updates to it and they should be applied. If you are running any scripts, they may or may not need updating.

There is nothing you can do to prevent spam. If you have a domain, you will get spam. You don't even need a domain to get spam; you can get spam just by having an email account (anywhere).

If you have concerns about your account, you can open a ticket with the help desk and ask the techs to have a look.


Is it a shared server?

As Bruce said, TCH takes care of updating things like the operating system versions, PHP versions, versions of the cPanel software itself, anything that is shared by all the sites on the server.

Within your site, you can do the following to be more secure:

1) Use strong, long, random-character passwords, and use a different password in every location where a password is required.

2) If you use scripts like WordPress, SMF, Joomla, Coppermine, etc., keep yourself informed about when new versions are released, and always try to upgrade to the new version within 1 day of its release if possible. TCH-Thomas often posts announcements when new versions become available. You can subscribe to the subforum here where those posts are. (Sorry I don't remember exactly the name of the subforum, but you can find it easily from the main forum board list. It's under the general topic of security.) You can also check in cPanel > Fantastico for outdated versions of scripts that you installed using Fantastico. It alerts you about them. And you can go to the website that created the script and subscribe to their announcements, if they provide them. Another good place to look for any possible problems with scripts you use is http://secunia.com/advisories/search/.

3) If your pages are all plain HTML, you don't need to be concerned about coding security. They're safe. But if you write your own server-side code (PHP, ASP, ASP.NET, etc.), you do need to be careful about security. Each language has lots of resources on the web for learning how to code securely in that language. Two of the most important things to guard against are "remote file inclusion" attacks and "SQL injection" attacks. Wikipedia is a good place to search for unfamiliar terms. I think it has something about both of those.

As for spam attacks, if you mean that you receive spam, there are some preventive measures for preventing that (but they basically all amount to things like "don't post your email address all over the web"). Once you're getting spam, there's not much you can do to turn back the clock, but you can use filters, SpamAssassin, etc., to manage the quantity.

If you mean preventing anyone from using "contact forms" on your site to send spam to other people, the key there is to use a forms handler program that can't be exploited that way.

If you mean preventing anyone from really hacking your site and hijacking your website's SMTP server to send out spam robotically, then the solution is covered in #s 1, 2, 3 above. That is, those hacks usually result from a real server hack that was made possible by poor passwords, outdated script code, or exploitable user-written scripts.

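A sketch of a contact-form handler that cannot be used to send mail to other people, as mentioned in the reply above. This is an added example, not part of the original post or any plugin's code; the recipient address, field names and function names are hypothetical. The recipient is fixed on the server, and the one visitor-supplied value that reaches a mail header is refused if it contains a line break.

```php
<?php
// Added example; addresses and form field names are hypothetical placeholders.

// The recipient is fixed here and is never taken from the submitted form.
const CONTACT_RECIPIENT = 'owner@example.com';

// A value placed in a mail header must not contain CR or LF; a line break is
// what lets a submitted value start a new header such as Bcc: or Cc:.
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// Returns [to, subject, body, headers] for mail(), or null if rejected.
function build_contact_mail(array $post): ?array
{
    // Accept only plain string fields; arrays (name[]=x) become empty.
    $get = fn(string $k): string => is_string($post[$k] ?? null) ? trim($post[$k]) : '';
    $name    = $get('name');
    $email   = $get('email');
    $message = $get('message');

    if ($name === '' || $message === '' || strlen($message) > 5000) {
        return null;
    }
    if (!is_header_safe($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Only the validated address reaches a header; the rest goes in the body.
    $headers = [
        'From'         => 'Contact form <noreply@example.com>',
        'Reply-To'     => $email,
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    $body = "Name: $name\nEmail: $email\n\n$message";
    return [CONTACT_RECIPIENT, 'Website contact form', $body, $headers];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $mail = build_contact_mail($_POST);
    if ($mail === null) {
        http_response_code(400);
        exit('Message rejected.');
    }
    mail(...$mail); // array headers require PHP 7.2 or later
    echo 'Thanks, your message was sent.';
}
```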

Thanks for the detailed answer. I guess I'll be fine as long as I update WordPress.

I read over on the Google webmaster forums that someone had lost their SERP position after a hack which left all sorts of malware and spam hidden on his site. I was hoping to prevent such cases as it would probably happen without being aware.

I do have a bot that visits my contact form each day and sends me a little bizarrely spelt spam message. I don't have email set up on my domain, but have a contact form which is sent to my Gmail account. I'm assuming that this spam message will only be sent to my Gmail account and not to everyone else.


Which contact form plugin are you using? Check to be sure it's the latest version and/or find a suitable replacement that is hack proof. I switched to Easy Contact and have yet to receive any spam through it. It uses a simple challenge question before the user can submit so you'll be pretty sure the contents are coming from a human.


> I read over on the Google webmaster forums that someone had lost their SERP position after a hack which left all sorts of malware and spam hidden on his site. I was hoping to prevent such cases as it would probably happen without being aware.

Backups, maintain regular backups! :notworthy:


Why should I have to retain backups? My site has not changed in 5 years. I thought that TCH did backups on a regular basis. If something happened to your servers, couldn't you rebuild the server with the redundancy you have in place? Let me know if I am wrong about this... youneverknow


First of all, your content is your responsibility. You really should be taking your own backups. If something catastrophic were to happen and the backups that TCH makes were unusable or unreliable, your site would be gone. I'm not saying that will happen, but essentially what I am saying is that if you value your work, make your own backups.
