I never thought that on my second post I would already have to resort to clickbait in my headings for some article views (joking!)... but as alarmist as I may sound, this year we have seen first hand how easily intruders can take advantage of certain vulnerabilities to cause havoc and affect your brand. It's just a really bad look for your site members, clients and potential clients to find your site hacked. So here I provide some "Christmassy advice" on some things you can do to secure your DNN site if you haven't done so already. This is based on some of the things we have done over the year or so to secure DNN implementations for our clients.
Firstly, why would someone want to hack into your site? Well its not always about trying to get Credit Cards or client information. It can be about exploiting your site as part of black hat SEO to boost rankings for another site (by adding their URL to your site as a hidden cross link) or about adding your server to a botnet for DDOS attacks or simply because they are bored and they can. Most of the time, protecting your site is a case of protecting yourself from the obvious vulnerabilities in the DNN environment and then layering on extra security to build on these fundamentals.
Once again, these are simple tasks you can undertake although it is not the all exhaustive list of security improvements. There are more.
- Download the install the DNN Security Analyser module - It's free and comprehensively analyses your site for some of the common vulnerabilities. It also checks if you've een hacked. Here is a link from 2015 with more information on this module http://www.dnnsoftware.com/community-blog/cid/155214/dnn-security-analyzer. The age of this post tells you that this vulnerability has been around for a while so if you haven't done something, then you really should!
- Change your FTP passwords and close unnecessary FTP accounts - You may probably think that they must have got in via a less obvious way, but FTP can be breached with brute force and also in combination with other vulnerabilities
- Change Host and Admin passwords - DNN Security analyzer will tell you this as well but this is also a must-do when you feel something has been compromised. Locking down Admin access is an important step to take when plugging the leak.
- Remove Wizard and Install files - Ok I keep piggybacking on what the Security analyzer suggests but these files are part of the known vulnerability affecting DNN 7 and older sites
- Look for any evidence of a backdoor e.g. a small ASP or PHP application that hackers may have installed. It may be obvious there in the root directory or may be hidden away in some obscure nested folder within your site files. This is an absolute must-do.
- Turn off public registration - Do this always, unless you have good reasons to have it enabled. By default DNN has public registration enabled and while one thousand DNN users created by bots isn't in itself an intrusion/hack, used in combination with other vulnerabilities hackers can convert a public account into a host account thus having the keys to the mansion
- Install Google Re Captcha (No Captcha) - this again is a great way of keeping your wide array of forms secure and free from troublesome bots
- Upgrade DNN to latest secure version - I put this last because this is easier said than done. Any minor or major upgrade is a must but can sometimes be difficult to do when your site is larger or when you have too much custom code.
These are the basics that I recommend. As you can see in the list, after changing passwords it's important you install the DNN Security Analyzer module as it will serve as good auditing tool to find malicious code in headers and footers, permission issues and standalone applications such as ASP or PHP applications that are really dangerous depending on what they do.
So... while it's quite easy to continue as you are telling yourself that this will not happen to you or thinking your site is not big or importance enough to be targeted, security breaches can happen to any DNN site just as it can happen to any CMS that is not properly secured such as WordPress and Drupal etc. so get busy locking up your site. If you find that you need more information about what things to secure and why it's a good idea then I welcome your feedback or enquiries. While I'm here I have to give a shoutout to Emily Twomey our designer who came up with this pretty cool article logo :)
As you may also know, I am attending the DNN Summit in early 2017 and will no doubt come back with many exciting updates on the current trends in the DNN world. For those that don't know what DNN is I can't believe you sat and read through this entire article on DNN security :) but in short it is a Content Management System that helps you manage your site content and features to ensure you are able to have a professional web presence with vibrant content that is easy to update (I completely came up with that description myself). The DNN Summit is an annual event where DNN 'afficionados' get together and talk geek together. This year it is in Denver and there will be a number of seminars covering a range of DNN related topics. Apart from talking DNN, we will also ski... this year at least.
Just send me any DNN Platform and Evoq related queries that you may have and I can ask them personally. Could you also please fill in this very small form to provide some feedback on this blog post and to let me know if you found this article interesting (or not) and if the humour was to your taste. https://goo.gl/forms/bbbAcXq4ATgQmEsw1
Until next time, I bid you adieu.