
Is there a way to prevent site being hacked?



joycie
03-02-2007, 02:00 PM
Could someone advise on how to prevent a site being hacked?

boxxertrumps
03-02-2007, 02:09 PM
Don't give out your FTP passwords like candy at Halloween?

BLiZZaRD
03-02-2007, 02:16 PM
If it is out there, they can get in. Simple as that. The only way to really prevent it is to not put anything on the web.

Now, aside from that: Don't allow html, javascript or flash files to be inserted into your forums. Don't use passwords that you can find in the dictionary, use a mixture of numbers, letters and both upper and lowercase. Don't autosave your usernames, passwords, database names in any application (ftp clients for example).

Be active in your directories. Don't just make a folder on the server, upload some files to it and never look back. Go in, edit the files weekly, daily even. Look for things that you didn't put there.

Ultimately it all comes down to your web host though. They own the servers, so it is up to them to put all the back door stops on them, firewalls, port watchers, etc.

Unless you run your own server, then that is your job.

Learn as much as you can about security, safety, the latest threats. Learn what they can do, how they can do it, and learn how to stop them. Subscribe to security emails, newsletters and bulletins. Learn about bugs in software, how they are exploited, and if you run that software, get the patches and fixes as soon as possible.

Last... cross your fingers and hope. :)

joycie
03-04-2007, 12:32 PM
Thanks to both for your valuable input.


Don't allow html, javascript or flash files to be inserted into your forums.
Blizzard, could you elaborate more on this? I don't quite understand what you meant by that. My site does not have a forum, only a guestbook. Does it apply as well?

There are so many kind souls like you all who help other souls who are in need of help and yet there exist also so many unkind souls who are out there to damage other people's efforts. So sad!

thetestingsite
03-04-2007, 03:32 PM
My site does not have a forum, only a guestbook. Does it apply as well?


Only if you have a way for users to upload or post HTML code. If you have a way to take those tags out of the posts (similar to the way most Forum software allows you to), you should be in the clear on that.

Hope this helps.

BLiZZaRD
03-04-2007, 03:38 PM
This really isn't an issue (or at least shouldn't be) for your guest book. If you want to post a link to where you got your guest book (like say I wanted to get the files and add one to my site) I can look at it and see what it uses and how, just to double check.

My meaning was for message boards, forums, things like that. As with any forum (and I use DD as an example here) the Admin can allow or disallow attachments to posts. 99% of the boards also allow the Admin to say what can and can not be attached.

So if you try to attach a file here on DD you will see a list of approved attachment types.

Flash (.swf, .fla) shouldn't normally be allowed, as they can have the ability to run from a post, as in they don't need to be on a web page. And using a language very similar to JS, they can include malicious code.

You also have the ability to allow types of code in your forum posts, as you know BBC or bulletin board code is what we all use to make text bold, link images, etc on a board. You can also allow HTML, JavaScript etc and if this is allowed things like:

<a href= "http://mysite.com">Click Here</a> will show up as click here (http://mysite.com) And javascript enabled can, like Flash, run from a post.

All of these options are pretty dangerous, if you don't know what you are doing.

Things to keep in mind if you ever decide to get a forum on your site :)

Hope it helps clear it up a bit.

Demonicman
03-04-2007, 09:47 PM
If you allow someone to put code in your forums and execute a file, then you are pretty much screwed.

Guestbooks don't apply (I don't think).

mburt
03-04-2007, 10:16 PM
If you are running your own PHP guestbook, there are plenty of ways to avoid HTML being parsed: htmlspecialchars(), strip_tags(), etc.
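As an added example (not code from anyone in this thread), here is how a small PHP guestbook can display visitor entries so that any HTML or JavaScript a visitor types is shown as plain text rather than run by the browser. The two entries are constructed sample data, and the function names escapeHtml, stripMarkup and renderEntry are this example's own; the thread only names the built-in htmlspecialchars() and strip_tags().

```php
<?php
// Added example: safe rendering of guestbook entries in PHP.
declare(strict_types=1);

// Constructed sample entries, as a guestbook file or table might hold them.
// The second one contains the kind of markup and script a visitor could submit.
$entries = [
    ['name' => 'Alice',        'message' => 'Nice site!'],
    ['name' => '<b>Bob</b>',   'message' => '<script>alert(1)</script> Hello "friends"'],
];

// Escape text for an HTML body or attribute context.
// ENT_QUOTES escapes both quote styles, so the same helper is safe inside
// quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string; the charset is stated explicitly.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The other built-in named in the thread: remove tags before storing.
// strip_tags() drops the markup but does not encode stray <, >, & or "
// characters, so the stored text should still go through escapeHtml()
// at display time rather than being trusted as already safe.
function stripMarkup(string $text): string
{
    return strip_tags($text);
}

// Build one list item; every visitor-supplied value passes through escapeHtml().
function renderEntry(array $entry): string
{
    return '<li><strong>' . escapeHtml($entry['name']) . '</strong>: '
         . escapeHtml($entry['message']) . '</li>';
}

echo "<ul>\n";
foreach ($entries as $entry) {
    echo renderEntry($entry), "\n";
}
echo "</ul>\n";
```

Run with `php guestbook.php` (an assumed file name) and view the output in a browser: Bob's entry appears literally as `<b>Bob</b>: <script>alert(1)</script> Hello "friends"`, with no bold text and no script executed, because the angle brackets and quotes were converted to `&lt;`, `&gt;` and `&quot;` entities. Encoding at output time, as escapeHtml() does, is the check that covers every path to the page; stripping tags on input is a useful extra but, as the comment notes, is not a substitute for it.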