How are websites hacked to have their content defaced? How can I prevent such attacks on my website?
4th December 2012
There are countless ways in which a website could be defaced—way too many for a single Quora answer!
Here are a few off the top of my head:
- An unpatched operating system with vulnerabilities in system services (SSH daemons, web servers, other processes). The defence is to keep your packages up to date and avoid running anything exotic that might not be actively maintained.
- XSS attacks. Make sure you have a deep understanding of what XSS is and how it works, and ideally use a template language that escapes output by default to help avoid the most obvious problems.
- SQL injection attacks. Make sure you use a library that parameterises SQL queries and handles escaping correctly for you; NEVER append strings together to create a SQL statement.
- Sniffing your administrative username/password or even your authenticated cookie over an insecure WiFi network—make sure you only ever send those things over HTTPS.
- Brute force attacks on your administrative login screen—make sure you rate limit login attempts.
- Guessing your server’s SSH password (or your admin interface password)—use a one-time, random password stored securely in something like 1password and ideally don’t have SSH passwords at all, use SSH public-key authentication instead.
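To make the SQL injection point concrete, here is an added example (not part of the original answer) showing the two styles side by side against a constructed in-memory SQLite database. `login_vulnerable` builds the statement by string concatenation, so a password value containing quote characters changes the meaning of the query; `login_parameterised` uses the driver's `?` placeholders, so the same input is only ever compared as a literal. The table, account and password values are made up for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: one account in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('admin', 'correct horse battery staple')"
    )
    return conn


def login_vulnerable(conn, username, password):
    # The anti-pattern from the list above: the statement is assembled by
    # appending strings, so user input becomes part of the SQL syntax.
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterised(conn, username, password):
    # The fix: placeholders are bound by the sqlite3 driver, so the values
    # are compared as data and can never alter the query structure.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    # A classic malformed password: the quote characters let it rewrite the
    # WHERE clause in the concatenated version but not in the bound version.
    conn = make_db()
    bad_password = "' OR '1'='1"
    return {
        "vulnerable_wrong_password": login_vulnerable(conn, "admin", bad_password),
        "parameterised_wrong_password": login_parameterised(conn, "admin", bad_password),
        "parameterised_right_password": login_parameterised(
            conn, "admin", "correct horse battery staple"
        ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: login accepted = {ok}")
```

Run it and the concatenated version accepts the bogus password while the parameterised one rejects it and still accepts the real one. The same placeholder mechanism is what ORMs and query builders such as Django's database layer use underneath, which is why the advice is to rely on that layer rather than building statements by hand.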