Can someone here tell me the steps I should take to protect a website from being hacked or defaced (or point me to some URL or file that has this info?)
I'm aware of the conventional wisdom about protecting a site--don't use an obvious password for accessing the site via FTP, don't let others know about the password, use passwords as appropriate to protect individual pages on the site, and so on.
However, it looks to me like sites are still hijacked and defaced, even though the owners or webmasters take appropriate precautions. In some recent cases, whole files of account numbers and passwords and so on have been hijacked or downloaded.
In general terms, how are sites hacked, and can hackers/defacers gain access to the contents of a page, if they don't know the password?
Also, suppose I put a non-password-protected page up on a site, say www.mysite.com/pagewxxx.htm, and there are no references to it anywhere else. Is there any way people, or web crawlers, can learn the name of this page?
Thanks.
Nevermore
10-28-2004, 03:42 PM
The three ways that I know of that sites can be hacked/defaced are:
a) Guess FTP/SSH/Control Panel etc passwords
b) Exploits in the server software
c) Vulnerable scripts
Those are in order of 'determination' needed to use them. Guessing the FTP password can be very easy, scanning the webserver for exploits can be done by software; finding tricks like SQL injection normally takes time and determination.
There isn't a way, that I know of, to find a file with no links to it, although the filename can be guessed, and there is definitely software dedicated to trying many combinations, in order to find hidden files.
Howard Karten
10-28-2004, 04:04 PM
Regarding software designed to guess a web page name, it seems to me you'd have to be incredibly determined, and I suppose a little nutty, to want to find some "hidden" page--considering the number of individual tries you'd have to make.
Specifically, for a page with a name that was, say, 8 characters long, you'd have to try 3 X 36**8 names:
the first character of the name could be any of 10 numbers or 26 letters (36) (actually, even more, considering special chars); same with the second letter and so on--36 to the 8th power, which is an enormous number.
THEN, there are 3 possibilities for each of those: the page could be called just xxx, or xxx.htm, or xxx.html. So I think it's just not realistic to think that even a brute-force attack would work.
As to cracking the password for FTP, I can see how that would be somewhat easier to figure out. Still, my guess--having worked in IT environments--is that those efforts occur mostly as a result of loose security, e.g. a password posted where people can find it.
As to SQL scripts, I've read enough to know that they *are* indeed vulnerable.
Nevermore
10-28-2004, 04:56 PM
A dictionary attack is much faster, since the name is likely to at least feature a word. A totally randomly named file would, it's true, be very, very difficult to find.
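As an added illustration (not part of Nevermore's post), here is the defender's side of the file-name guessing discussed above: a small Python script that parses web server access-log lines in the common "combined" format and flags clients producing many 404s on distinct paths, which is what dictionary-style guessing of hidden page names looks like from the server. The log lines, IP addresses and thresholds are constructed assumptions, not data from the thread.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (constructed sample lines follow).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one visitor browsing normally, one client guessing file names.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Oct/2004:15:42:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [28/Oct/2004:15:42:03 +0000] "GET /about.html HTTP/1.1" 200 812
198.51.100.7 - - [28/Oct/2004:15:43:10 +0000] "GET /admin.html HTTP/1.0" 404 209
198.51.100.7 - - [28/Oct/2004:15:43:10 +0000] "GET /admin.htm HTTP/1.0" 404 209
198.51.100.7 - - [28/Oct/2004:15:43:11 +0000] "GET /backup.html HTTP/1.0" 404 209
198.51.100.7 - - [28/Oct/2004:15:43:11 +0000] "GET /test.html HTTP/1.0" 404 209
198.51.100.7 - - [28/Oct/2004:15:43:12 +0000] "GET /old.html HTTP/1.0" 404 209
198.51.100.7 - - [28/Oct/2004:15:43:12 +0000] "GET /exper9.html HTTP/1.0" 200 540
203.0.113.5 - - [28/Oct/2004:15:44:00 +0000] "GET /missing.gif HTTP/1.1" 404 209
"""

def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_guessers(text, min_404=5, min_ratio=0.5):
    """Return {ip: (n_404, n_total, n_distinct_404_paths)} for clients that look like
    they are enumerating file names: at least min_404 not-found responses on distinct
    paths, and 404s making up at least min_ratio of everything they requested."""
    stats = defaultdict(lambda: {"total": 0, "nf": 0, "paths": set()})
    for rec in parse_log(text):
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] == "404":
            s["nf"] += 1
            s["paths"].add(rec["path"])
    flagged = {}
    for ip, s in stats.items():
        if s["nf"] >= min_404 and len(s["paths"]) >= min_404 and s["nf"] / s["total"] >= min_ratio:
            flagged[ip] = (s["nf"], s["total"], len(s["paths"]))
    return flagged

if __name__ == "__main__":
    for ip, (nf, total, distinct) in find_guessers(SAMPLE_LOG).items():
        print(f"{ip}: {nf} of {total} requests were 404s on {distinct} distinct paths")
```

A normal visitor who hits one broken image link (the 203.0.113.5 lines) stays below both thresholds, while the guessing client is reported even though one of its guesses eventually succeeded.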
Howard Karten
10-28-2004, 05:34 PM
I am the webmaster for 3 (very simple) sites. On these sites most of the pages do not have straightforward names. On 1 site, for example, there is a page called "exper9.html". It has no links to it, and I doubt a dict. attack would work on this one. Same site has a page called "Thankyou.html", which will also be hard to find.
Similarly, on another site, my old habits as a programmer influenced me, and I have some info on them that I might want to access on the road, and I use names like "glassesxxx"--again, not found in any dictionary.
The password for any site will almost certainly be found somewhere on an Admin site or folder maintained by the hosting company. I wonder how many cases of hijacking etc occur as a result of crackers somehow obtaining access to that folder--either as a result of stupidity or laziness by the hosting company programmers, or by some insider stealing that file.
MstrBob
10-28-2004, 06:02 PM
In terms of finding files, any half-way decent attempt at this would try various words/abbreviations in combinations with numbers. Which is a more likely file name on the web? exper9.html or 2mzs3f6h.html ? Not that something like this is very common...
FTP is an obvious threat to any website security. However, it's much like the door of a warehouse. Obviously, this is something that receives a bunch of attention, and will be secure. Be smart with your FTP username and password. I believe one can also restrict FTP by the user's IP address. As in, only a user at this IP address, with the correct username/password can connect. Of course, a door can always be blown off.
Server-side scripts seem to be the most vulnerable. An attack through a script won't necessarily be hugely damaging, but can be costly and/or time-consuming to fix. Your best bet is to be smart while programming. Obviously, the first rule of dynamic websites is to always thoroughly validate all user input. Anything from a variable passed through the URI, to all form input, to cookies, etc. A good script must thoroughly debug this info. And of course, before making a script live, test and try every way you can to crack it. Even if you're not good at cracking software, you'll clear out many common issues.
But there's no need to get paranoid. Evaluate your risks. What real danger are you at for an attack, and what type of attack is the most likely? Prepare for that. Obviously, high-traffic sites like microsoft.com and neopets.com, along with ecommerce sites like amazon.com and ebay.com have many, many more security concerns. E-commerce opens up a whole new field of security concerns. But in general, as was said, the types of attack to look out for:
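An added example, not MstrBob's code, of the input-validation point in the post above, using Python's sqlite3 module as a stand-in for whatever database a site uses: the same account lookup written with the user's input pasted into the SQL string (the SQL injection Nevermore mentioned) next to the parameterized form, plus an allow-list check for a page name passed through the URI or a cookie. The table contents, the hostile input and the name pattern are constructed assumptions.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory user table standing in for a site's account database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("howard", "hash-of-howards-password", "admin"),
        ("guest", "hash-of-guest-password", "member"),
    ])
    return con

def find_user_unsafe(con, username):
    """The vulnerable form: user input concatenated straight into the SQL text.
    A value like  ' OR '1'='1  changes the WHERE clause instead of being matched as text,
    so the query returns every account instead of one."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return con.execute(sql).fetchall()

def find_user_safe(con, username):
    """The hardened form: a bound parameter. The driver hands the input to the engine
    as a value, so quotes and keywords inside it can never alter the statement."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()

# Allow-list for a page name taken from the URI or a cookie: only characters a page
# name legitimately contains, with a bounded length. Anything else is rejected, not "cleaned".
PAGE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")

def valid_page_name(value):
    """True only if the whole value matches the allow-list pattern."""
    return PAGE_NAME_RE.fullmatch(value) is not None

if __name__ == "__main__":
    con = make_db()
    hostile = "' OR '1'='1"   # constructed input a login form field could carry
    print("unsafe:", find_user_unsafe(con, hostile))   # every row comes back
    print("safe:  ", find_user_safe(con, hostile))     # no such user, empty result
    print("page name ok:", valid_page_name("exper9"), valid_page_name("../secret"))
```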
I agree that server security holes are probably a major weakness.
Also, I've seen in the past how, when the computers of big businesses were compromised, and management was asked (by reporters) how it could happen, the response was "Gee, we're just totally baffled, we can't understand it at all"--when to me, as someone who's worked in big IT shops and knows what goes on there--the *true* answer was obvious: "DUH! I meant to change the password that was on the machine when it was shipped, but I remember now that I never got around to it! But of course I'm not gonna admit that, because I'll be out of a job if I do."
So my suspicion is that in some cases of web sites being attacked or defaced, the management of those hosting companies have not exercised good security. IOW, that there's a good likelihood that it's an inside job.
MstrBob
10-28-2004, 07:36 PM
In an e-commerce site where web server and client security is vital to their survival, I doubt that a simple "I forgot to change the password" issue surfaces. I find it more likely that holes have been found in the server and/or inside help. But either way, you aren't likely to be targeted for such an attack, IMO, unless you are a very high-traffic site.
Stephen Philbin
10-28-2004, 10:18 PM
Bottom line is you can't. There's no such thing as an impenetrable server. Well... there is... but the only 100% secure server is one that listens on no ports and refuses to initiate any processes.
I had a little read on the FTP spec before. From what I've seen, the passive connection type does not seem very safe at all.
webdeveloper.com
Copyright WebMediaBrands Inc., All Rights Reserved.