It’s like the saying..

A ounce of prevention is worth a pound of cure

This was the saying generally for people to stay healthy by avoiding things that make you sick, be it lifestyle and behaviour or what you put into your body. This saying really applies to security as well.

I’m currently a web developer and server administrator, so I have a background of security. I’ve seen things when they’ve gone ‘bad’. I’ve also seen the damage that can be done to your business and way of life when a security breach directly affects you. To say a ounce of prevention is worth a pound of cure really applies to internet security. This topic can fill a book, but I’ll try to keep it short and cover some basic points, from a affiliate marketer point of view.

Platforms
It seems like most affiliate marketers are using various application platforms like WordPress, Drupal or BANS, etc, etc. These tools are great. They’re free (open source) and are easy to install and configure. The problem is that since it is open source any one can download a version and reverse engineer or scour the code for potential security holes and vulnerabilities. From there, a attacker would only need to Google a specific ‘footprint’ to find the same application and version to attack.

The damage this can cause is catastrophic. A attacker could gain priviledge of the entire server and have access to all of your sites. If you’re running dedicated servers, this is even more of a threat, since you would be managing the server and the attacker would recruit this server as a potential tool in his bot army. If you’re on a shared environment, the hosting facility will most likely shut down your site and stop services for you until you correct the problem.

Normally when exploits are discovered the author of the application (WordPress, etc) would be notified, and their developers would create a fix and release a update to correct this issue, usually in a extremely timely manner. Plugins are outside of the WordPress relm, so I would recommend plugins that show ‘activity’ and a community or development team that actively works on it. Stale plugins could be a security vulnerability.

The ounce of cure in this case… UPDATE YOUR WORDPRESS PLATFORM AND PLUGINS! It is so simple and easy.

I know I’m focusing on WordPress in this example, but this would be applied to any 3rd party software application or platform.

Services
If you’re running a dedicated server you must stay on top of your service updates, specifically PHP, Apache, MySQL and SSH. Just like in Platforms, these are all open source products and have potential bugs or exploits that are discovered at times. Either work with your hosting provider or perform the updates themselves. Depending on your flavor of Linux there are various ways to perform these updates.

I’m only mentioning Linux, Apache, MySQL, PHP (LAMP) since you don’t see a lot of Windows based hosting at affordable costs. Plus.. I hate talking about Windows.

ACL (Access Control Lists)
This is something that is not mentioned often out there, but I really feel strong about. Using firewalls (iptables, etc) to manage access to your dedicated server is important. Limit SSH access to certain IPs (assuming you have a static IP at your home or office.. which you should). Along with SSH access to the servers, I also like to limit access to administrative areas and control panels. No reason these should be open to the world. This includes my wp-admin access as well.

Hardening Services
There are certain items you can do to ‘harden’ services. Basically making PHP harder to hack or limiting access to the system with a chroot, etc. Along with that you can control error messages (don’t display error messages) to prevent information disclosure. Usually attacks start with information gathering (finding versions, file path info, etc).

Passwords
Work on your passwords. Make them difficult. Think in pass phrases and include alpha numeric characters. DO NOT USE THE SAME PASSWORD FOR EVERYTHING! The more important the information, make the passwords more difficult. For instance, I don’t want people guessing my domain registrar passwords, etc. Think defensively with passwords, watch out for potential insecure Twitter applications, etc. 75% of people use the same password in other areas, so your Twitter password, could be quite valuable if you’re one of the 75%.

Okay, so those are a few items (many more actually while I’m thinking about it), but I wanted to talk about some worst case scenarios.

I had a client that was working on affiliate marketing. He was primarily working with AdSense and creating review and community sites (forums, etc) and was doing quite well. Some how a hacker was able to get is FTP password for the site and infiltrate his host. He had a dedicated server and was then locked out of all of his sites. My client also used the same password for his registrar and the hacker was able to take control of his domains.  This was when I was called in. The hacker tried to ransom the sites asking for $100K to return control of all his domains (over 100).

My client was able to start piecing over some of the domains, and even had the FBI involved. Unfortunately, the hacker was in Asia and little could be done. About 3 months later the client was able to get his domains back, but had to create a new hosting solution. After the client recovered the domains, the hacker began a very brutal DOS (Denial of Service) attack on his domains in a last stand type move, but the damage was severely done.

While the hacker had control of the domains, he was PMing invidivduals in the forums and causing mass havoc and confusion. Lots of members left, not to mention that the hacker probably stole all of there user credentials and emails. My client was also ranking very high in Google, and with content changes (pornographic and exploit software) he lost rank and had to start it up again. He also lost his AdSense account and had to re-apply and explain the situation. It was a major blow to his finances but he was able to recover  after about 6 months.

So the lesson? If he worked on his password management, this would have been avoided. A ounce of prevention, is worth a pound of cure.. or at least 6 months of cure.