If you're using WordPress as your favorite open source blogging platform, chances are pretty high you've already heard about the recent security flaw found in the TimThumb plugin for WP. If you haven't, you should, because it's pretty severe. Here is more info on that:
The security flaw isn't a core WordPress vulnerability, so you won't be vulnerable for just using WordPress. However, the bad news is that a pretty big number of themes out there use the TimThumb plugin in order to operate correctly and therefore TimThumb is included in a lot of WordPress plugins and themes, both free and paid. The result is that there is a good chance you might have the vulnerable TimThumb installed and running on your WordPress even if you don't really know about it or you don't care.
I’ve always wanted to express how I feel about security in the shared web space, where dozens of users share the same resources and at the same time require dramatically different technologies to be enabled on a single host server (such as different PHP engines with different options enabled, Perl, Python, an FTP service, an email service, a database service, etc.). If you’re an admin, you’ll know how difficult it is to provide all of that on a shared hosting server while allowing access to practically everybody on the Internet and at the same time maintaining a very good level of security. Believe me, it’s a tough job. I know it as I’ve been dealing with that for more than 8 years in a row now, on a daily basis.
As probably most of you know, osCommerce is a shopping cart application for creating and managing online stores. It is very widely used and has many implementations and variations. Many popular shopping cart applications like OscMax, ZenCart, CreLoaded, etc. are actually based on osCommerce and use its code.
Unfortunately, for quite a while now, there has been a known vulnerability in the osCommerce code and in the code of the applications based on it, through which a hacker can exploit the admin area and take malicious actions. Although the osCommerce official website has some information on how the problem can be avoided (http://svn.oscommerce.com/jira/browse/OSC-1069), the vulnerability has not yet been fixed in the latest osCommerce release, and with each new download and installation of a related shopping cart software, new people and online stores become potential targets.
When there is a vulnerability in such a popular application and many sites are at risk, we at SiteGround do not believe in the approach: “let each user find and apply the bug fix him/herself”. First, most users learn about the issue only after they are already affected. Second, many of them are unable to apply the fix themselves. To protect our customers from hacker attacks, some of our best technical experts investigated the problem in detail and applied a global solution to all potentially vulnerable customers' applications.
The results from our osCommerce patch operation are:
the osCommerce package available for installation through Fantastico has been patched so that the new installations are not vulnerable to the exploit;
all future transfer clients with osCommerce-based websites will get the vulnerability fix as part of the website transfer service we provide;
We are proud that once again SiteGround has provided a security service high above the standard level for a shared hosting company. Our knowledge and reaction in situations like these make us believe that we do provide the best osCommerce hosting.
Needless to say, website security is a major concern for all people in the IT industry. Indeed, web applications are constantly being improved, and security is something all web developers pay special attention to. Alas, hackers are not slacking off either. When a known security vulnerability is fixed, they either find another way to exploit it or discover a new one very quickly (or, in the worst case, both).
And yet, despite the precautions and improvements, a lot of websites are still getting hacked. Why? The main reason is that many, not to say most, users seriously underestimate security as a whole – not only the security of their websites, but the security of their hosting accounts and even the security of their own computers.
And this is an ideal opportunity for hackers to "show off their skills". The hackers keep their "software" up to date - new viruses are developed all the time. And while they keep their applications up to date, many users don't. Once they install an application and start using it, users forget about upgrades and security fixes.
Keeping the above in mind, the next logical question is “What can I do to secure my website?"... Well, I'm glad you asked 🙂
Here are a few things you should always do to keep your website secure:
• Make sure your local computer is safe. For this purpose use reliable, updated antivirus software.
• Regularly update your computer's software, including its base operating system and any third-party software installed.
• Make sure all of your web applications are up to date. This includes any modules, components and add-ons you have added and/or integrated.
• Pick strong passwords for the different services you use (email, FTP, etc.). Never use the same password for different online services.
• Avoid having directories with permissions above 755. If your applications require such directories, try to put them outside your webroot (public_html) or place a .htaccess file in them containing "deny from all" to restrict public access to these files.
• Always, and I mean always, back up your website. You should always have a proper backup so that even if someone hacks your site, you can restore its functionality immediately.
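As an added example (not code from the original post), here is a small POSIX shell audit that turns the permissions and .htaccess advice above into a check you can run over a web root: it lists every directory with a mode above 755 and flags those that lack a .htaccess containing "deny from all". The public_html layout, directory names and the .htaccess contents are constructed sample data; point audit_writable_dirs at your own web root instead.

```shell
#!/bin/sh
# Added example, not from the original post: audit a web root for directories
# whose mode exceeds 755 (group- or world-writable) and report those that are
# not shielded by a .htaccess containing "deny from all".

# Print "PROTECTED <dir>" or "EXPOSED <dir>" for each directory under $1 that
# has a write bit set for group or other, i.e. a mode above 755.
audit_writable_dirs() {
    root="$1"
    # -perm /022 matches directories with group-write or other-write set
    find "$root" -type d -perm /022 | while IFS= read -r dir; do
        if [ -f "$dir/.htaccess" ] && grep -qi 'deny from all' "$dir/.htaccess"; then
            echo "PROTECTED $dir"
        else
            echo "EXPOSED $dir"
        fi
    done
}

# Number of exposed directories under $1 (prints 0 when there are none).
count_exposed() {
    audit_writable_dirs "$1" | grep -c '^EXPOSED ' || true
}

# Constructed sample layout (not a real host) in a temp dir; prints its path:
#   public_html/cache    mode 777, no .htaccess            -> EXPOSED
#   public_html/uploads  mode 777, .htaccess deny from all -> PROTECTED
#   public_html/images   mode 755                          -> not reported
make_sample_webroot() {
    base=$(mktemp -d)
    mkdir -p "$base/public_html/cache" "$base/public_html/uploads" "$base/public_html/images"
    chmod 755 "$base/public_html" "$base/public_html/images"
    chmod 777 "$base/public_html/cache" "$base/public_html/uploads"
    printf 'Order deny,allow\nDeny from all\n' > "$base/public_html/uploads/.htaccess"
    echo "$base"
}

# Stand-alone run over the constructed sample.
sample=$(make_sample_webroot)
audit_writable_dirs "$sample/public_html"
echo "exposed directories: $(count_exposed "$sample/public_html")"
rm -rf "$sample"
```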