On January 28th 2014 we experienced a prolonged outage at our Belgium Datacenter. We were able to isolate the cause, and we are now reviewing our internal network settings and assets to ensure that we do not remain vulnerable to this sort of malicious activity in the future.
This is, however, a good point at which to encourage our clients to make sure that the software on their servers is secure. We have noticed an increased rate of sites becoming infected in the past six months, and in every case the client was running outdated software with known vulnerabilities. So here are some important steps to keeping your VPS and your server software secure.
- It is very important to keep your software up to date. This includes not only Magento, WordPress, or other packages, but, importantly, the plugins and modules installed in them. Good module developers release updates when vulnerabilities are found, so it's important to keep all of your modules up to date as well.
- Always, always use strong passwords throughout your installation: FTP, SSH, MySQL, software administration, control panel, mail. Make sure all passwords are strong, kept private, and changed at an appropriate frequency.
- Make sure your file permissions are set correctly: 755 for directories, 644 for files.
- Block vulnerable files and directories from web access. We frequently find clients with phpinfo files and the Magmi interface open to the world, which gives anybody with malicious intent far too much information about your server settings and database. The same applies to release notes left over from your installs: please delete them, as they again give attackers too much information about how they might exploit your system.
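The last two points can be checked from the shell before a site goes live. This is an added example and not part of the original post: it audits a web root for directories and files that deviate from 755/644 and for the give-away files named above (phpinfo scripts, the Magmi importer directory, install release notes). The file-name patterns and the Magento-style `magmi/` location are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Usage: pass the web root as $1.

# List every directory that is not 755 and every regular file that is not 644.
# One line per hit, prefixed "dir"/"file"; empty output means all modes match.
audit_perms() {
    root="$1"
    find "$root" -type d ! -perm 755 | sed 's/^/dir  /'
    find "$root" -type f ! -perm 644 | sed 's/^/file /'
}

# Report files that leak server or version details and should be deleted or
# blocked from web access. Names are assumed examples: phpinfo*.php,
# release notes / changelogs, WordPress readme.html, and a Magmi directory.
audit_exposed() {
    root="$1"
    find "$root" \( -iname 'phpinfo*.php' -o -iname 'RELEASE_NOTES*' \
        -o -iname 'CHANGELOG*' -o -iname 'readme.html' \) -print
    [ -d "$root/magmi" ] && echo "$root/magmi"
    return 0
}

# Apply the recommended modes. Run audit_perms first and only use this on a
# web root whose content is meant to be world-readable; anything that was
# deliberately stricter (e.g. a config file set to 600) would be loosened.
fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Stand-alone run: audit the web root given on the command line.
if [ -n "$1" ]; then
    echo "== permissions differing from 755/644 =="
    audit_perms "$1"
    echo "== files to delete or block from web access =="
    audit_exposed "$1"
fi
```

Anything reported by `audit_exposed` should be removed from the web root or denied in the web server configuration rather than merely renamed.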