April 12, 2008

Quick security checklist for webmasters

  • Check your server configuration.
Apache has some security configuration tips on their site and Microsoft has some tech center resources for IIS on theirs. Some of these tips include information on directory permissions, server side includes, authentication and encryption.

  • Stay up-to-date with the latest software updates and patches.
A common pitfall for many webmasters is to install a forum or blog on their website and then forget about it. Much like taking your car in for a tune-up, it's important to make sure you have all the latest updates for any software program you have installed. Need some tips? Blogger Mark Blair has a few good ones, including making a list of all the software and plug-ins used for your website and keeping track of the version numbers and updates. He also suggests taking advantage of any feeds their websites may provide.

  • Regularly keep an eye on your log files.
Making this a habit has many great benefits, one of which is added security. You might be surprised by what you find.

  • Check your site for common vulnerabilities.
Avoid having directories with open permissions. This is almost like leaving the front door to your home wide open, with a door mat that reads "Come on in and help yourself!" Also check for any XSS (cross-site scripting) and SQL injection vulnerabilities. Finally, choose good passwords. The Gmail support center has some good guidelines to follow, which can be helpful for choosing passwords in general.

  • Be wary of third-party content providers.
If you're considering installing an application provided by a third party, such as a widget, counter, ad network, or webstat service, be sure to exercise due diligence. While there is lots of great third-party content on the web, it's also possible for providers to use these applications to push exploits, such as dangerous scripts, towards your visitors. Make sure the application is created by a reputable source. Do they have a legitimate website with support and contact information? Have other webmasters used the service?

  • Try a Google site: search to see what's indexed.
This may seem a bit obvious, but it's commonly overlooked. It's always a good idea to do a sanity check and make sure things look normal. If you're not already familiar with the site: search operator, it's a way for you to restrict your search to a specific site. For example, the search site:googleblog.blogspot.com will only return results from the Official Google Blog.

Google Webmaster Tools are free, and include all kinds of good stuff like a site status wizard and tools for managing how Googlebot crawls your site. Another nice feature is that if Google believes your site has been hacked to host malware, our webmaster console will show more detailed information, such as a sample of harmful URLs. Once you think the malware is removed, you can then request a reevaluation through Webmaster Tools.

  • Use secure protocols.
SSH and SFTP should be used for data transfer, rather than plain text protocols such as telnet or FTP. SSH and SFTP use encryption and are much safer. For this and many other useful tips, check out StopBadware.org's Tips for Cleaning and Securing Your Website.

Here's some great content about online security and safety with pointers to lots of useful resources. It's a good one to add to your Google Reader feeds. :)

  • Contact your hosting company for support.
Most hosting companies have helpful and responsive support groups. If you think something may be wrong, or you simply want to make sure you're in the know, visit their website or give 'em a call.

We hope you find these tips helpful. If you have some of your own tips you'd like to share, feel free to leave a comment below or start a discussion in the Google Webmaster Help group. Practice safe webmastering!

http://googlewebmastercentral.blogspot.com/2007/09/quick-security-checklist-for-webmasters.html

April 9, 2008

My site's been hacked - now what?

All right, you got hacked. It happens to many webmasters, even despite the hard work you devote to prevent this type of thing from happening. Prevention tips include keeping your site updated with the latest software and patches, creating an account with Google Webmaster Tools to see what's being indexed, keeping tabs on your log files to make sure nothing fishy's going on, etc. (There's more information in the Quick Security Checklist we posted last year.)

Remember that you're not alone—hacked sites are becoming increasingly common. Getting hacked can result in your site being infected with badware (more specifically malware, one type of badware). Take a look at StopBadware's recently released report on Trends in Badware 2007 for a comprehensive analysis of threats and trends over the previous year. Check out this post on the Google Online Security Blog which highlights the increasing number of search results containing a URL labeled as harmful. For even more in-depth technical reports on the analysis of web-based malware, see The Ghost in the Browser (pdf) and this technical report (pdf) on drive-by downloads. Read these, and you'll have a much better understanding of the scope of the problem. They also include some real examples for different types of malware.

The first step in any case should be to contact your hosting provider, if you have one. Oftentimes they can handle most of the technical heavy lifting for you. Lots of webmasters use shared hosting, which can make it difficult to do some of the things listed below. Certain tips labeled with an asterisk (*) are cases in which webmasters using shared hosting will most likely require assistance from their hosting provider. In the case that you do have full control over your server, we recommend covering these four bases:

Getting your site off-line
  • Take your site off-line temporarily, at least until you know you've fixed things.*
  • If you can't take it off-line, return a 503 status code to prevent it from being crawled.
  • In the Webmaster Tools, use the URL removal tool to remove any hacked pages or URLs from search results that may have been added. This will prevent the hacked pages from being served to users.
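
One way to apply the 503 tip when the site runs as a Python WSGI application, shown as an added example that is not part of the original post. It goes slightly beyond the tip by letting one administrator address through during cleanup; `maintenance_gate`, `probe`, the one-hour Retry-After value and the documentation-range IP addresses are assumptions made for illustration.

```python
RETRY_AFTER_SECONDS = 3600  # assumed cleanup window, not a value from the post

def maintenance_gate(app, allow_ips=(), retry_after=RETRY_AFTER_SECONDS):
    """Wrap a WSGI app so every path answers 503 except for allow_ips."""
    allowed = frozenset(allow_ips)
    body = b"Site temporarily unavailable for maintenance.\n"

    def gated(environ, start_response):
        # REMOTE_ADDR is the direct peer; behind a reverse proxy it is the
        # proxy's address, so do the allow-listing at the proxy instead.
        if environ.get("REMOTE_ADDR") in allowed:
            return app(environ, start_response)
        start_response("503 Service Unavailable", [
            ("Content-Type", "text/plain; charset=utf-8"),
            ("Content-Length", str(len(body))),
            ("Retry-After", str(retry_after)),  # tells crawlers when to come back
            ("Cache-Control", "no-store"),      # keep caches from storing the outage page
        ])
        return [] if environ.get("REQUEST_METHOD") == "HEAD" else [body]

    return gated

def probe(app, path, remote_addr, method="GET"):
    """Send one constructed request to a WSGI app; return (status, headers, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body

def site(environ, start_response):
    """Stand-in for the real (possibly compromised) site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"normal page\n"]

if __name__ == "__main__":
    gated = maintenance_gate(site, allow_ips={"203.0.113.10"})  # constructed admin IP
    for ip in ("198.51.100.7", "203.0.113.10"):                 # constructed visitors
        status, headers, _ = probe(gated, "/index.html", ip)
        print(ip, status, headers.get("Retry-After"))
```

Because the gate sits in front of the whole application, hacked pages are not served to visitors or crawlers while it is in place.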

Damage Assessment
  • It's a good idea to figure out exactly what the hacker was after.
    • Were they looking for sensitive information?
    • Did they want to gain control of your site for other purposes?
  • Look for any modified or uploaded files on your web server.
  • Check your server logs for any suspicious activity, such as failed login attempts, command history (especially as root), unknown user accounts, etc.
  • Determine the scope of the problem—do you have other sites that may be affected?
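
A sketch of the "modified or uploaded files" check, together with the open-permissions check from the earlier checklist, added here as an example and not taken from the original post. It assumes you have a known-clean copy of the site (for instance an unpacked backup) to compare against; all function names and the sample trees are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each path under root to (content id, world-writable flag)."""
    entries = {}
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                ident = "symlink:" + os.readlink(full)  # record target, do not follow
            elif stat.S_ISREG(mode):
                ident = hashlib.sha256(Path(full).read_bytes()).hexdigest()
            else:
                ident = "dir" if stat.S_ISDIR(mode) else "special"
            open_perm = bool(mode & stat.S_IWOTH) and not stat.S_ISLNK(mode)
            entries[os.path.relpath(full, root)] = (ident, open_perm)
    return entries

def compare(clean_root, live_root):
    """Diff the live docroot against a clean copy by content, not timestamps."""
    clean, live = snapshot(clean_root), snapshot(live_root)
    both = clean.keys() & live.keys()
    return {
        "added": sorted(live.keys() - clean.keys()),
        "removed": sorted(clean.keys() - live.keys()),
        "modified": sorted(p for p in both if clean[p][0] != live[p][0]),
        "world_writable": sorted(p for p, (_, w) in live.items() if w),
    }

def build_sample(tmp):
    """Constructed trees: a clean backup and a tampered live docroot."""
    files = {"clean/index.php": "home", "live/index.php": "home<!-- injected -->",
             "live/uploads/new.php": "not in backup"}
    for rel, text in files.items():
        path = Path(tmp, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    Path(tmp, "clean", "uploads").mkdir()
    os.chmod(Path(tmp, "live", "uploads"), 0o777)  # the "front door wide open" case
    return os.path.join(tmp, "clean"), os.path.join(tmp, "live")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare(*build_sample(tmp)))
```

Comparing content hashes instead of modification times matters because timestamps on a compromised server can be reset by whoever changed the files.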

Recovery
  • The absolute best thing to do here is a complete reinstall of the OS from a trusted source. It's the only way to be completely sure you've removed everything the hacker may have done.*
  • After a fresh re-installation, use the latest backup you have to restore your site. Don't forget to make sure the backup is clean and free of hacked content too.*
  • Patch any software packages to the latest version. This includes things such as weblog platforms, content management systems, or any other type of third-party software installed.
  • Change your passwords - https://www.google.com/accounts/PasswordHelp

Restoring your online presence
  • Get your system back online.
  • If you're a Webmaster Tools user, sign in to your account
    • If your site was flagged as having malware, request a review to determine whether your site is clean
    • If you used the URL removal tool on URLs which you do want in the index, request that Webmaster Tools re-include your content by revoking the removal.
  • Keep an eye on things, as the hacker may try to return.
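
Keeping an eye on things, like the log check under Damage Assessment and the log-file item in the checklist, can be partly automated. The following is an added example, not part of the original post: it assumes OpenSSH-style authentication log lines (the log's location and exact format vary by system), and the sample lines, host name and addresses are constructed.

```python
import re
from collections import Counter

# Matches OpenSSH "Failed ..." / "Accepted ..." authentication lines.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE = """\
Apr  9 03:11:01 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Apr  9 03:11:04 web1 sshd[4121]: Failed password for root from 203.0.113.5 port 51122 ssh2
Apr  9 03:11:09 web1 sshd[4125]: Failed password for root from 203.0.113.5 port 51130 ssh2
Apr  9 03:11:15 web1 sshd[4130]: Accepted password for root from 203.0.113.5 port 51141 ssh2
Apr  9 08:30:12 web1 sshd[5002]: Failed password for alice from 198.51.100.20 port 40022 ssh2
Apr  9 08:30:20 web1 sshd[5002]: Accepted password for alice from 198.51.100.20 port 40022 ssh2
""".splitlines()

def review_auth_log(lines, threshold=3):
    """Return (noisy, flagged): sources with >= threshold failed logins, and
    successful logins that came from a source already over that threshold."""
    failures = Counter()
    flagged = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            # A success right after repeated failures deserves a closer look.
            flagged.append((ip, user, failures[ip]))
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    return noisy, flagged

if __name__ == "__main__":
    noisy, flagged = review_auth_log(SAMPLE)
    print("repeated failures:", noisy)
    print("success after repeated failures:", flagged)
```

A single mistyped password followed by a successful login, as in the last two sample lines, stays below the threshold and is not reported.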

Answers to other questions you may be asking:

Q: Is it better to take my site off-line or use robots.txt to prevent it from being crawled?
A: Taking it off-line is a better way to go; this prevents any malware or badware from being served to users, and prevents hackers from further abusing the system.

Q: Once I've fixed my site, what's the fastest way to get re-crawled?
A: The best way, regardless of whether or not your site got hacked, is to follow the Webmaster Help Center guidelines.

Q: I've cleaned it up, but will Google penalize me if the hacker linked to any bad neighborhoods?
A: We'll try not to. We're pretty good at making sure good sites don't get penalized by actions of hackers and spammers. To be safe, completely remove any links the hackers may have added.

Q: What if this happened on my home machine?
A: All of the above still applies. You'll want to take extra care to clean it up; if you don't, it's likely the same thing will happen again. A complete re-install of the OS is ideal.

Additional resources you may find helpful:

Feel free to leave additional tips you have in the comments.


http://googlewebmastercentral.blogspot.com/2008/04/my-sites-been-hacked-now-what.html