Best Practices

Whenever you install or upgrade a web application, you must delete old files. For example, if you are running a forum and want to upgrade it to its latest version, the best procedure is to back up the old files and install the new files. (Here we are talking about the application files, such as PHP files, not your images and other files that must remain installed. You will also need to keep the old configuration file, e.g., config.php or a similar file; otherwise you will not be able to perform the upgrade.)

Oftentimes, the new version no longer ships a particular file, and you end up with an unused, outdated file on your web server. Later on, if a security flaw affecting the version of that old file is discovered, a hacker may exploit this particular file. Meanwhile you will think your website is secure, as you are running a later version of the application, not the version with the security flaw.
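A way to find such leftovers after an upgrade, as an added example that is not part of the original article: compare the deployed tree with the unpacked new release and list every file the release no longer ships. The config file name and the upload directory name are assumptions and must be adjusted to the application in question.

```python
"""Added example (not from the article): list files left behind by an upgrade.
Compares the deployed tree with the unpacked new release and reports files
that exist only in the deployment. The config file and upload directory
names below are assumptions; adjust them to the application in question."""
import os
import tempfile

KEEP_FILES = {"config.php"}   # assumed: the config the upgrade needs
KEEP_DIRS = {"uploads"}       # assumed: user content, not application code

def relative_files(root):
    """Set of file paths under root, relative to root, with '/' separators."""
    found = set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.add(rel.replace(os.sep, "/"))
    return found

def stale_files(deployed_root, release_root):
    """Files in the deployment that the new release no longer ships,
    excluding the configuration file and user-content directories."""
    leftovers = relative_files(deployed_root) - relative_files(release_root)
    return sorted(p for p in leftovers
                  if p not in KEEP_FILES and p.split("/")[0] not in KEEP_DIRS)

def _make_tree(root, files):
    """Create empty placeholder files so the demo runs offline."""
    for rel in files:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()

def demo():
    """Constructed sample: an old install with two orphaned PHP files."""
    with tempfile.TemporaryDirectory() as tmp:
        deployed, release = os.path.join(tmp, "old"), os.path.join(tmp, "new")
        _make_tree(deployed, ["index.php", "config.php", "lib/old_helper.php",
                              "admin/legacy.php", "uploads/photo.jpg"])
        _make_tree(release, ["index.php", "lib/helper.php", "admin/index.php"])
        return stale_files(deployed, release)

if __name__ == "__main__":
    for path in demo():
        print("stale, delete or review:", path)
```

Review the reported paths before deleting them; anything not covered by the keep lists that the new release does not ship is exactly the kind of orphaned file the paragraph above warns about.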

Speaking of which, you should always keep all programs at their latest versions, especially if you manage your own servers. You should keep a spreadsheet with all the programs you have installed, their versions, and their websites, and you should check at least once a week to see whether new versions are available.

Some developers allow you to subscribe to an announcement list, so you will receive an email whenever a new version is released. Some applications, such as WordPress, allow you to check for newer versions and update themselves from inside their control panel.

All the tips in the world are not sufficient if you keep a login and password that are too obvious, or if you use the same login and password for all services at your website and/or server. The password must be different from the login, and you should not use an existing word for it (i.e., a dictionary word), as there is a very common attack method called a “dictionary attack,” where the hacker uses a program that automatically tries every word in a dictionary as the password. Passwords should be created with a combination of upper case letters, lower case letters, numbers, and special symbols, and should be at least eight characters long.

Many people have trouble creating passwords based on these directions. A simple yet powerful tip is to create a password based on an existing word and then replace certain letters with symbols or numbers: “!” replaces “i,” “3” replaces “e,” “4” replaces “a,” “0” replaces “o,” and so on. For example, assuming that you want to create a password based on the word “killerwasp,” it could be written as “K1ll3rW4sp.” It is very hard to break this password using standard hacking software and, at the same time, it is relatively easy to memorize using the suggested method.

And don’t forget that you should not write your passwords on Post-It notes or leave them near your computer, as anyone who has access to your workplace can easily copy them.

Gabriel Torres is a Brazilian best-selling ICT expert, with 24 books published. He started his online career in 1996, when he launched Clube do Hardware, which is one of the oldest and largest websites about technology in Brazil. He created Hardware Secrets in 1999 to expand his knowledge outside his home country.