Kristof Kovacs

Software architect, consultant

Is your website a liability?


A few weeks ago I had a chat about the state of Internet security with a friend who runs a hosting company, and he told me that the majority of the websites they host are cracked. This is because people just install forum, blog, gallery or similar software, but most have no idea that such installations have to be constantly "security patched". Then, sooner or later, someone finds an exploitable bug in that particular engine, and their website is used to send spam, facilitate phishing attacks, host viruses, or worse.

The so-called "script kiddies" carrying out these attacks are (A) teenage kids who have watched too many hacker films or (B) cynical professionals working for spam lords. And although neither is skilled enough to write malicious code themselves, they can download ready-made tools from the Internet (batteries included), and just use search engines to find installations of a particular software. Try it for yourself. You can click here to start a search on Altavista that finds about 175,000 websites that run, for this example, PhpBB, a well-known forum software. (It's also interesting to note that Google and Bing both block queries like this. There's a reason for that.)

So how to avoid this fate for your website?

It's actually easy; it just needs a small change of mentality. One has to accept that websites do have a maintenance cost, be that in time (if you do it yourself) or money (if you have it done by somebody). In CFO-speak, websites have OPEX besides CAPEX.

This is also the reason why your web developer's $75-$200 hosting and maintenance fee is not comparable to the $8 hosting plans you can find: one includes monitoring, backup, and security patching of your website, while the other is just renting some space on a $600 budget server with a $60 internet connection, shared with as many as 730 other websites.

So people, update your websites. Or delete them, if they are not used anymore. Do everything to avoid the embarrassment of someone visiting your corporate website being redirected to a Russian porn site, or being warned by their browser that the "website is not safe".

Bonus tip:

If you have the situation where your website "jumps" to some other site, go to your browser preferences and disable JavaScript. This prevents "cross-site scripting" (XSS) attacks from working, and usually you can then get to your site's administration area to delete the post or comment that contains the malicious code. But keep in mind that they will come back to your site! So have someone take a look at it, and fix the security hole you have.
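As an added illustration of the two halves of that tip (finding the injected post, then closing the hole), here is a small Python example written for this page; it is not code from PhpBB, WordPress or any other engine. It assumes stored comments are plain dicts with `id`, `author` and `body` keys, and the sample comments, including the injected one pointing at the reserved `example.invalid` host, are constructed for the demonstration. `find_suspicious_comments` flags stored posts that carry the script tags, inline event handlers or location changes that produce the "site jumps elsewhere" symptom, and `render_safe` shows the usual fix for stored XSS: HTML-escaping untrusted fields at output time so injected markup is displayed as text instead of executed.

```python
import html
import re

# Constructed sample of stored forum comments; ids 3 and 4 carry injected
# markup of the kind that redirects visitors elsewhere (illustrative only).
SAMPLE_COMMENTS = [
    {"id": 1, "author": "alice", "body": "Great article, thanks!"},
    {"id": 2, "author": "bob", "body": "Try <b>this</b> setting instead."},
    {"id": 3, "author": "guest",
     "body": 'Nice <script>window.location="http://example.invalid/"</script>'},
    {"id": 4, "author": "guest",
     "body": "<img src=x onerror=\"document.location='http://example.invalid/'\">"},
]

# Heuristic patterns typical of a redirect injection: script/iframe tags,
# inline on* event handlers, location changes, and meta refresh.
# This is a triage aid for finding the offending post, not a complete filter.
SUSPICIOUS = re.compile(
    r"<\s*script\b|<\s*iframe\b|\bon[a-z]+\s*=|(?:window|document)\.location|"
    r'<\s*meta[^>]+http-equiv\s*=\s*["\']?refresh',
    re.IGNORECASE,
)


def find_suspicious_comments(comments):
    """Return the ids of stored comments whose body matches an injection pattern."""
    return [c["id"] for c in comments if SUSPICIOUS.search(c["body"])]


def render_unsafe(comment):
    """The vulnerable form: stored text is concatenated straight into the page."""
    return f'<div class="comment"><b>{comment["author"]}</b>: {comment["body"]}</div>'


def render_safe(comment):
    """The hardened form: escape every untrusted field before it reaches HTML."""
    return (
        f'<div class="comment"><b>{html.escape(comment["author"])}</b>: '
        f'{html.escape(comment["body"])}</div>'
    )


if __name__ == "__main__":
    # Triage step: which posts should the site admin look at and delete?
    print("suspicious comment ids:", find_suspicious_comments(SAMPLE_COMMENTS))
    # Fix step: the same injected comment rendered unsafely and safely.
    print("unsafe:", render_unsafe(SAMPLE_COMMENTS[2]))
    print("safe:  ", render_safe(SAMPLE_COMMENTS[2]))
```

Run it as a script to see comments 3 and 4 flagged and the injected script shown inert in the escaped output. Note that `render_safe` also neutralises the harmless `<b>` in comment 2; a forum that deliberately allows limited formatting needs an allowlist sanitiser for the permitted tags rather than raw escaping, but escaping by default is the right baseline, and the pattern list above is only for locating the bad post, never a substitute for patching the engine.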

More information:

EXPLOIT ALERT: Reddit Attacked By Javascript Comment Bomb
New Bank Trojan Virus Steals Money
How to keep Wordpress secure