When I first read about Gawker Media being hacked it was a bit weird, to be honest, because it is a network of blogs that brings in thousands of dollars a month, yet their security was lacking. You can have the best network infrastructure and firewalls all over the place, but if you do some stupid common things, you are wasting your money.
I am not saying that MWD is secure; nothing with a WAN IP address is secure enough that nobody can breach it, but there are things you can do to protect your sensitive data or prevent an attacker from getting any further.
1. When it comes to web servers, I will always argue for a Linux server over Windows, simply because it is more secure, harder to hack, and you can update things without restarting the server.
2. Never use accounts whose password is "password" (duh).
3. Keep your personal information at home, not on the WWW, and especially not on a server that is available to the public. If files do need to be shared, make sure they are encrypted and password protected.
4. Change all login passwords at least once every two months; once a month is even better. Use special characters and numbers, and never use full words for a password, like "technology", "tarantula", etc.
5. If you run WordPress, make sure it is updated to the latest version. If you see that an update is available, back up your files and database and upgrade that same day. Don't wait for a more convenient time; do it right away, it only takes 10 minutes to do all of that. Use plugins like WordPress Firewall and WP-Secure to stop script kiddies from hacking your WP. If you want to get a bit more advanced, run a database and file backup every day, FTP the files to your local hard drive, encrypt the whole file on the local hard drive, and delete it from the web server.
6. Don't ever leave passwords in clear text on your server. This was one of the biggest mistakes by Gawker: they had a file on the server that contained personal account info and more, with clear-text passwords.
7. If you run a Linux server, never use the root user to run things; create new users with just enough permissions to run your web stack (Apache, Tomcat, WordPress, PHP, MySQL). Make sure that sensitive folders can be accessed only from your IP range. Most likely your ISP (internet service provider) will never change the first two octets of your IP, for example 92.11.x.x, and if they do, they don't change it very often.
8. All the passwords you create on various websites should be different; get creative. For example, if your usual password is what3v3r, use that password and add the first letter of the website at the beginning or end. So if I go to Gawker.com my password would be Gwhat3v3r or what3verG.
9. Never use your email password on other websites, because if your password is the same and that "other" website gets hacked, the hacker will most likely try to compromise your email as well with the password you provided.
10. If you have money, use an RSA key for your web server: an RSA key (a one-time-code token) is like an addition to your password that changes every 60 seconds.
11. File permissions are very crucial. Don't let everyone view your subfolders and files, not even Google.
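As an added example (not from the original post) of the file-permission and non-root-user advice above, here is a small POSIX shell audit for a web root: it lists everything the "other" class can read or write, counts the findings for a cron alert, and a hardening function that sets owner/group-only modes. It assumes the web server user is in the files' group and that the web root path is passed as the argument; the `wp-config.php` name is WordPress's own, everything else is illustrative.

```shell
#!/bin/sh
# Audit a web root for paths that "everyone" (the other class) can read or
# write, then tighten them so only the owner and the web server's group can.

# Print world-writable paths first (the worse finding), then paths that are
# world-readable but not writable, each prefixed with its finding type.
audit_world_access() {
    root="$1"
    find "$root" -perm -002 -print | sed 's/^/world-writable: /'
    find "$root" -perm -004 ! -perm -002 -print | sed 's/^/world-readable: /'
}

# Number of findings; a cron job can alert whenever this is not zero.
count_world_access() {
    audit_world_access "$1" | wc -l | tr -d ' '
}

# Directories 750 (owner rwx, group rx, others nothing), files 640, and the
# WordPress config file 600 because it holds the database credentials.
# Assumes the web server user is in the group that owns these files.
harden_perms() {
    root="$1"
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
    return 0
}

# Usage (constructed demo on a throwaway directory, not a real web root):
#   demo=$(mktemp -d); printf 'x' > "$demo/wp-config.php"
#   chmod 755 "$demo"; chmod 644 "$demo/wp-config.php"
#   audit_world_access "$demo"; harden_perms "$demo"; count_world_access "$demo"
```

Run the audit before hardening so you can see which paths the web server would otherwise have been serving to anyone.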
Well, those are just ten or so things that will keep you safe, out of 100+. I could go on and on, but for now I think that's enough. If you have questions, let me know in the comment section below.