I know someone with a dedicated server which got hacked into: MySQL services were stopped, and the SSH password was changed. They managed to upload a malicious C99Shell file into the HTTP root of a website, which they must have then used to execute scripts to do the damage.
How can one secure a site to avoid this happening? As far as I know, the vulnerabilities are:
1. web forms, if posted data is not correctly sanitized (e.g. need to check for < and > etc.).
2. directory permissions
3. open ports not protected by a firewall
If the site allows e.g. images to be uploaded via a web form, then the images folder needs to be chmod 777. How can that security risk best be managed?
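
One way to handle the image-upload case raised in the question, as an added example that is not part of the original post: the handler ignores the client's filename, accepts only files whose leading bytes match an image signature, and writes them without execute or world-write bits. The function names, the size limit and the accepted types are assumptions made for the illustration.

```python
import os
import secrets

# Leading-byte signatures for the image types accepted here (assumed list).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
MAX_BYTES = 2 * 1024 * 1024  # assumed upload size limit


def sniff_extension(data: bytes):
    """Return the extension implied by the file's leading bytes, or None."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def store_upload(data: bytes, client_name: str, upload_dir: str) -> str:
    """Validate an uploaded image and store it under a server-chosen name.

    client_name is deliberately never used to build the path: a name such
    as "c99.php" or "../../index.php" must not influence where the file
    lands or which extension it gets.
    """
    if len(data) > MAX_BYTES:
        raise ValueError("upload too large")
    ext = sniff_extension(data)
    if ext is None:
        raise ValueError("not an accepted image type")

    # Owner and group only; the directory is never world-writable (no 777).
    os.makedirs(upload_dir, mode=0o750, exist_ok=True)

    # Random name plus an extension derived from the content, not the client.
    path = os.path.join(upload_dir, secrets.token_hex(16) + ext)

    # O_EXCL refuses to overwrite an existing file; 0o640 has no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)  # enforce the mode regardless of the process umask
    return path
```

The upload directory only needs to be writable by the account the web application runs as, and the web server should be configured not to execute scripts from it.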