How Do Hackers Get In?

The most common ways that unauthorised persons gain access to your web site and/or hosting account are:

  • Weak Passwords – If you use simple, plain English passwords then you are an easy target.
  • Script vulnerabilities – These are, in effect, ‘back doors’ opened by insecure programming code.

Passwords are entirely within your control. You can choose to use weak passwords or you can choose to use strong passwords. Many people use weak passwords because they want something that is easy to remember. If remembering passwords is a problem, then I would strongly suggest you use Roboform. Roboform can not only store all your passwords securely (they are encrypted when stored) but can also generate good, strong passwords for you at the click of a button. You can also easily back up the Roboform files that contain your usernames and passwords.

Script vulnerabilities are a lot more difficult to keep track of. New bugs and issues that allow unauthorised access are found each day in hundreds of different scripts and programs. In this case you should exercise due diligence. Do a search for the program name before you buy it and add ‘security problem’ to the search term … like ‘some_script security problem’. Taking a few minutes to check whether there are any known and/or major security issues can save you a lot of stress in the long term. Most professional scripts and many open source scripts have regular updates, and patches are often released to plug any known holes. It is in your interest to stay informed of these types of issues.


Strong Passwords – Your First Line Of Defense

The strength of your password has an enormous effect on how easily others can ‘crack’ it. To understand why, we need to look at how most password cracking programs work.

The most common method is what is known as ‘brute force’ cracking. This involves continuously trying to log in (using automated software) with combinations of usernames and passwords in the hope of finding the correct combination. You would be surprised how many people don’t update or change default usernames and passwords when installing scripts or setting up servers. With brute force, the potential intruder will usually use a list of ‘well known’ passwords. These are generally common English words that people often use for their admin passwords: words such as ‘password’, ‘secure’, ‘admin’ and a whole host of other common words. The lists a cracker uses often contain thousands of possible passwords.

The best way to combat brute force attacks is to include capital letters as well as small letters, numbers, special characters and punctuation in the password. Your password should be at least 8 characters, but I’m inclined to make most of mine 12 characters long. This doesn’t provide 100% protection, but it does change the time it would take to crack the password from hours or days to years. A password like wEo3;(Mk5u+ is going to take an awfully long time to crack!
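To make the “hours or days versus years” point concrete, here is an added example (not code from the original article) that applies the rules above to a candidate password: it reports which rules the password fails, computes the number of candidates an exhaustive search would have to cover given the character classes the password actually uses, and converts that into a worst-case cracking time. The guess rates, the tiny stand-in for a ‘well known’ password list and the class sizes (26 lower, 26 upper, 10 digits, 32 punctuation symbols) are assumptions chosen for illustration; the 8-character minimum and 12-character recommendation are the article’s.

```python
"""Password strength checker and brute-force cost estimator.

Added example, not part of the original article. Shows how length and
character mix change the worst-case search space, and why a password taken
from a common-word list is found immediately regardless of its length.
"""
import string

# Character classes and their sizes (string.punctuation holds 32 symbols).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed stand-in for the 'well known' password lists the article
# mentions; real lists contain thousands of entries.
COMMON_PASSWORDS = {"password", "secure", "admin", "letmein", "123456", "qwerty"}

MIN_LENGTH = 8           # the article's minimum
RECOMMENDED_LENGTH = 12  # the article's preferred length

# Assumed guess rates: an online login form versus an offline hash attack.
ONLINE_GUESSES_PER_SECOND = 10.0
OFFLINE_GUESSES_PER_SECOND = 1e10


def char_classes(password: str) -> set:
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace(password: str) -> int:
    """Candidates an exhaustive search must cover for a password of this
    length drawn from the classes it uses (alphabet size ** length)."""
    alphabet = sum(len(CLASSES[name]) for name in char_classes(password))
    return alphabet ** len(password)


def crack_time_seconds(password: str, guesses_per_second: float = OFFLINE_GUESSES_PER_SECOND) -> float:
    """Worst-case exhaustive-search time in seconds. A password on the common
    list is treated as cracked instantly: the word list is tried first."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return keyspace(password) / guesses_per_second


def check_password(password: str) -> list:
    """Rules from the article that the password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = char_classes(password)
    for name in CLASSES:
        if name not in present:
            problems.append(f"no {name} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in a common-password list")
    return problems


def human_duration(seconds: float) -> str:
    """Render a duration with the largest sensible unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # The article's own examples plus a constructed middle case.
    for candidate in ("password", "Passw0rd", "wEo3;(Mk5u+"):
        issues = check_password(candidate) or ["passes all rules"]
        print(f"{candidate!r}: {', '.join(issues)}")
        print(f"  search space: {keyspace(candidate):.3e} candidates")
        print(f"  online  (~{ONLINE_GUESSES_PER_SECOND:g}/s): "
              f"{human_duration(crack_time_seconds(candidate, ONLINE_GUESSES_PER_SECOND))}")
        print(f"  offline (~{OFFLINE_GUESSES_PER_SECOND:.0e}/s): "
              f"{human_duration(crack_time_seconds(candidate))}")
        if len(candidate) < RECOMMENDED_LENGTH:
            print(f"  note: consider {RECOMMENDED_LENGTH}+ characters")
```

Run it as a script to see the comparison. Note that the search space is computed from the classes the password actually contains, so an eight-letter lowercase word has 26^8 candidates while the article’s eleven-character mixed example has 94^11, which is why the second lands in the thousands of years at the assumed offline rate while the first is seconds, and zero if the word is on the list.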

It also makes a lot of sense to change the username. Default usernames such as ‘admin’, ‘administrator’ and ‘superuser’ are very common. By changing this to something like ‘mikey201’ you make a major improvement to the security of your server or application.