
Keep Your Site Administration Passwords Secure and Safe

Recently one of my client's web sites was hacked using a cracked password. We all need to be reminded from time to time how important it is to keep our user credentials secure. Fortunately the hacker did no damage to the site. Visitors who browsed the official site were unaffected. The hacker parked malware-infected pages on the server. These foreign pages attracted visitors interested in free software, cheap goods and the like. Once the pages were discovered and removed, all was good again. It could have been much worse. The foreign content could have been pornography, or the hacker could have been far more malicious and destroyed the site.

How did the hacker gain access?

Diagnosis showed that one of the site's administration user accounts had been used to gain access as a super administrator. Once in, the hacker changed the site's configuration so that they could easily upload their malware-infected content to the web site's server.

How should the web site be secured from unauthorized use?

  1. All user accounts should have "strong" passwords, ideally a random combination of upper- and lower-case letters, numbers and special characters.
  2. Avoid passwords built from names or words that can be found in a dictionary.
  3. Change the password as often as you can.
  4. Remove any unused user accounts, and downgrade the privileges of accounts that really don't need administrator or super administrator roles.
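Points 1 and 2 above can be checked mechanically. The following Python script is an added example (it is not code from the original post) that rejects passwords which are too short, lack one of the four character classes, or contain a dictionary word even after common letter-for-symbol substitutions, and that generates a random password which satisfies the character-class rules. The short word list and the minimum length of 12 are constructed for the demonstration; a real check would load a full word list.

```python
import secrets
import string

# Constructed mini dictionary for the demo; a real deployment would load a
# full word list (for example the system's words file) instead.
DICTIONARY = {"password", "admin", "summer", "welcome", "letmein", "dragon"}

# Common letter -> symbol substitutions that cracking word lists already cover,
# so "P@ssw0rd" is judged the same as "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12  # assumed policy value for this example
CHARACTER_CLASSES = {
    "lower-case letter": string.ascii_lowercase,
    "upper-case letter": string.ascii_uppercase,
    "digit": string.digits,
    "special character": string.punctuation,
}


def password_issues(password: str, dictionary=DICTIONARY,
                    min_length: int = MIN_LENGTH) -> list[str]:
    """Return the policy violations for a password; an empty list means it passes."""
    issues = []
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    # Rule 1: every character class must be present.
    for name, alphabet in CHARACTER_CLASSES.items():
        if not any(ch in alphabet for ch in password):
            issues.append(f"no {name}")
    # Rule 2: no dictionary word, even disguised with digit/symbol substitutions.
    normalized = password.lower().translate(LEET_MAP)
    for word in sorted(dictionary):
        if len(word) >= 4 and word in normalized:
            issues.append(f"contains dictionary word {word!r}")
    return issues


def generate_password(length: int = 20) -> str:
    """Generate a random password containing at least one character from each class."""
    if length < len(CHARACTER_CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CHARACTER_CLASSES.values())
    # One guaranteed character per class, the rest drawn from the whole alphabet,
    # all using the OS cryptographic random source via the secrets module.
    chars = [secrets.choice(cls) for cls in CHARACTER_CLASSES.values()]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the guaranteed characters are not always first
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ("summer2020", "P@ssw0rd!2024", "xK9#pL2$qW7!vB4&"):
        problems = password_issues(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
    print("suggested:", generate_password())
```

Run it as a script to see the three constructed candidates judged and a fresh suggestion printed, or import `password_issues` into a registration or password-change form so weak administrator passwords are refused before they are stored.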


The administration pages of a web site can be secured further by adding features such as a master password, analogous to a PIN, or by hiding the pages.

Contact me if you need to know more.