Blog: Process-Modeling.com - Rick Geneva
Recently the few hours I have available to write on this blog have been consumed by upgrading my security. I admit, when I started this site I didn’t worry much about security and used mostly default settings. So I guess you can say that I deserved it. I’m just trying to do my part in making the world a more efficient place through better process modeling. I suppose that makes me naive to the fact that hackers will try anything just for the kick of doing it. There doesn’t seem to be any logic (that I can understand) on why you would hijack a website. It seems like a lot of effort just to get a few page views of some political propaganda that I don’t understand (or care to).
I hope I didn’t lose any of my readers by moving the site to the new URL. This was necessary because I have to separate my personal site from my processmodeling.info site. www.process-modeling.com will redirect to processmodeling.info. So this is the official new home. Soon I’ll be back to writing again.
To others who blog, here’s what I’ve learned:
- PHP is terribly insecure. If you use it, make sure it’s up to date. Many popular packages today are written in PHP. When a vulnerability is found, you need to update your software as soon as possible.
- One password isn’t enough. Don’t rely on any sort of default security. Instead make it a complex maze of mixed types of security so that access to one area will not get far in the rest of the site. Yes, this is hard to manage, but so is rebuilding your precious website after some jerk (with obviously more time on his hands than you have) hacks you.
- Learn every Apache server trick you can, and use it. I’m not going to give any specifics here (for security reasons). But just remember that your hosting company doesn’t provide anything but hosting. Security is your responsibility. If you get a good hosting company (I’m fortunate to have one) they can give you good, sound advice.
- Host only what you need, and nothing extra. Anonymous directories will eventually be found, and exploited. Get another account (it’s cheap) for anything not directly related to the site theme. Put extra passwords on things that you don’t think are very important. This is where the hackers look.
- Everyone knows not to use their kids’ names or their pet names as a password (hopefully). I thought my passwords were pretty good. But then after some research I found out how easy it is to crack a typical password. But there’s hope. On a keyboard there are over 100 possible characters. Use a combination of the full range, and at least 10 characters. Again, a terrible pain to remember, but it’s your choice. Either protect it, or you’ll end up inadvertently helping to spread global terrorism, violence, or some quite offensive non-family oriented material.
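To put numbers on the last point, here is a small password-policy checker I added as an illustration (it is not code from the post's author): it measures how much of the keyboard a password actually draws from and how long the full keyspace would take to exhaust. It assumes a 95-character printable-ASCII pool, the post's 10-character minimum, and a constructed guess rate of 10 billion per second.

```python
import math
import string

# Character classes on a US keyboard. A password that uses a class forces an
# attacker to include that whole class in every position of a brute-force
# search. (Assumption: 95 printable ASCII characters incl. space; the post's
# "over 100" counts a few more.)
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}
MIN_LENGTH = 10  # the post's recommendation


def pool_size(password: str) -> int:
    """Pool size implied by the character classes the password actually uses."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace_bits(password: str) -> float:
    """log2 of the brute-force keyspace (pool ** length), assuming a random pick.
    A pet name passes through the same classes but comes from a tiny word list,
    so this is an upper bound, not a guarantee."""
    pool = pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def check_policy(password: str) -> list[str]:
    """Return the violations of the post's rule (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"missing {name} characters")
    return problems


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to try the whole keyspace at a constructed guess rate."""
    return 2 ** keyspace_bits(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["fluffy", "Fluffy2008", "k7$Qp!2wZm"]:  # constructed samples
        print(pw, round(keyspace_bits(pw), 1), check_policy(pw),
              f"{years_to_exhaust(pw):.2g} years")
```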