How do I make my website secure.

thank you . another question so i don`t open another thread. how can i make my site secure. So It doesn`t get hacked easily

Unplug the server hosting the site and carry it around with you 24/7.

that wasn`t a cool answear . I mean safety things that i can do to avoid being hacked. Now seriously please.

Sorry, you mistook me for kidding. heh There's no sure-fire way to make a site hack-proof.

If you're looking for tips, then you may want to read up on site security and come back to us with direct questions. As of right now, your question is a lot like asking how computers work - there are TONS of different combinations and multiple levels of complexity to every one. There really is no short answer, nor would it be fair to ask us to dig through your site looking for all the potential exploits.

Am with you Master UPsGuy on this...

You can make it almost impossible though to be hacked. tiffix, UPSguy are incorrect.Your site can be secured, and if done properly will be virtually unhackable. Most hacks are done by "Skids" anyways, and these are the ones you need to mostly worry about.

Disable all FTP access when not actively using it (in my case I dont ever use FTP)

Use .htaccess for Options -ALL files directive, in any directory where a user can upload (even avatars/images) use Options- ExecCGI

Sanitize all User input fields (search, login, address, comments, etc)

Change all escape strings to mysql real escape, restrict registration to be a certain minimum limit, and charactor use:



All passwords saved in the DB as hashes, should use salts, and your own key that is not in the db- this way even if your db is compromised, and they gain access to the User passwords, they will never break them. regular MD5 hashed passwords can be broken very easily, so never store unhashed/unsalted passwords, and never store the salt/pepper in the database itself. and most importantly, NEVER rehash a hash.

In my case for my site Havoc Arcade, I feel it is "unhackable", and I also use password hashes that are double salted (salt and pepper) SHA1.
salts are alphpa-numeric, symbol, spacing, upper/lower case and completely random in excess of 20 char,and the hashes exist in no rainbow table due to the salt (salt/pepper).

Never use the same password twice, and make sure your passwords for login/admin exceed 20 char, and follow the same principal as the "salts"...it will be all but impossible to "Brute Force" such a random 20+ password. You can also use authentication for the admin, in that way even if an admin access password is broken, they are resticted to the same User priviledges unless they authenticate a second different equally random password (this is ideal if your site has an admin File Manager function).


Also make sure your pages are not suceptable to RFI (remote file inclusion attacks), and I almost forgot, hash your site's cookies to salt and pepper too.

This is how to secure your site.

Now you have to secure your PC, Get a good antivirus/antimaware app. Personally I use NOD32. If you harden your site, but leave your pc vulnerable, you will get hacked. All they need is a good tojan loader, or keylogger.

You can employ someone to carry out ethical hacking on your system. It is not hard to get hacked, if turn on to be soft target, though you can mitigate losses by creating RAID system, traffic streaming, etc.

First, i'm still new in web building. please don't say my questions are easy or stupid.
Said to disable FTP. To use FTP, we have to activate it first in cpanel, right? i found in my cPanel already give me FTP address. to access it, of course password needed. Can this thing also endanger my website?

What is Options- ExexCGI for? and do we need to upload it in any/all our folders?

My website is pure html. many times get hacked (injected file html). And just now someone (I think) succeed to access my directory coz not only changing the index pages contents (in my subdomain and all my domains), they also made new index pages in htm html and php.
What terrifies me is they deleted the content of my htaccess in main directory (public_html)
no pages are deleted. seems they can only modify and add new files.
but changing htaccess???!!!!
HELP! shall i change my website to be php based? (i heard that in every php file, we can insert script to prevent hackers)

Typically by default, when a Cpanel account is setup, FTP will be working as well. Usually your system administrator, who is probably your webhost would only be the one who would be able to disable FTP on your server. So in this is nothing you would have control of mico.

If your website uses no programming, there is no way it could have got hacked through your actual website files. It would have been hacked some other method, such as your host not keeping your server up to date and someone breaking in through programs that had security holes, or if you are using extremely easy passwords and someone guessed your credentials.

The ExecCGI option allows you to execute CGI, such as perl scripts on your website, given that your web host allows you to use that directive.

If you really feel someone has broke into your web server, I would contact your web host immediately and have them look into things to help you figure out what is going on.

I use complicated characters for password. And I copy-paste from random texts I type on notepad to login on cPanel.

Program, you mean like plugins (I don't use any) or the default/added programs on cPanel (by webhost) ?


REALLY??! You wanna help REALLY??! I use local webhost anyway.. Do you think it's alright?

When I say programs/software, I am referring to what your webhost has installed and has control over. You would most likely not have control over this sort of stuff. For example, the FTP daemon on the server is something you would not be able to disable, stop, start, or restart. That is something your webhost has access to.

It doesn't matter if your webhost is a local company, or a company from all around the world. Your website is public so it could be attacked from anywhere. Your webhost should have log files that you would not have access to which would help them determine if someone else was logging in under your account, or if they are getting in through another user on the server, or numerous other possibilities. I would contact them as they have access to be able to look into things further for you. Unfortunately you most likely don't have access, so its all speculation on what could be going on with your website. I would call or email them and tell them your situation and see what their thoughts are.

I've contacted them and their reply was that it must be caused by my bad password, vulnerable plugin, or insecure PC.

I'm very careful in login and input pwd (with method I said at prev.post)
I don't use plugins.
I activate internet security (KIS)

I know there's a way to hack website via typing script at the address bar.
So I thought this is how they hack mine. Means, maybe it's my bad for being vulnerable.
Based on this, I can't debate by saying to them that possibly the server been attacked..

I understand what you are saying, but in my opinion they are just using that to their advantage and saying its your fault. If you are very good with making hard passwords, and your PC isn't hacked itself, then the problem more than likely lies with your webhost. There are many hosting companies out there who actually do have hacked servers and they have no idea what is going on, either due to the fact they aren't skilled enough to be running a hosting company, or they are just not doing all of the proactive measures that should be taking place to protect their servers. I am not saying this is necessary the case with your hosting company, but the fact they didn't even look in the logs to tell you if someone else has accessed your website communicates to me they are not trying very hard. They could specifically tell you if they see evidence of someone else logging into your account, which would help you figure out if someone has your credentials. They aren't even being specific enough to tell you that though.

My suggestion to you, is to think about finding another web host. If all your website has is regular HTML files and/or CSS, then you cannot be hacked via those methods. You could be hacked if your webhost itself is not taking the proper measures to protect their servers, but it would have nothing to do with how you are making your HTML files or CSS files. It would be their fault, not yours.



If this was the case, then we would all be in trouble. While its possible to carefully construct queries in the address bar to take advantage of vulnerable web based scripts using PHP, ASP, PERL, or any other scripting language, you have mentioned you are not using any programs or scripts on your website. You are just using HTML and CSS right? So if that is the case there is no way they can break into your website via carefully constructing queries. If you are hacked its most likely because either they have your login credentials, or your web host itself is hacked (which is not your fault then).

If someone else has access to your personal computer, or your personal computer is hacked and has a keylogger or some other type of malware, then that could be one way they could pull your passwords off of your computer. You may want to do a full check of your computer. A good piece of software to check your computer is MalwareBytes. The free version is usually sufficient for checking.

Still though, there is not really much evidence here which is saying you are at fault. I would bet the more likely scenario is that your web host is at fault. You had mentioned that new files with php extensions were showing up in your website. This is indicative that another user on your shared web server is using programs/scripts which have a vulnerability, and it is affecting the rest of the users on the server. Your web host should be able to confirm this, yet they do not seem to really care to take the time. I bet they would find these random php files throughout the other user directories on their server, not just your account, and that right there would confirm that they have a problem that is outside of your control.

Oh, so that trick is for web based scripts..

Thank you very muuuch for the help and advice bigwebmaster!
I am very appreciate it.

I will confirm this to my webhost. I hope they can cooperate.
(or else..)

If you are concerned about weak passwords you might want to consider adding dynamic passwords or a second factor authentication to your website. You can add ShieldPass access cards or VeriSign electronic dongles which will generate a different password every time you login so hackers cant steal your password.