

How to secure website

My client has a website for his business.  He also has a disgruntled employee whose responsibility it was to update the website.  He is now concerned that this ex-employee may try to sabotage his website.  He has asked me to secure it.

I propose changing the login password for the ftp server, which I guess will be done via the organisation which hosts his domain.

Does anyone have any further thoughts on how to achieve this objective?
3 Solutions
Brian Gee Commented:
Change the password for the domain registrar (GoDaddy, NetSol, etc.) account immediately to protect the domain name.

Are the files hosted via an external Web hosting company (it sounds like this may be the case)? If so, log in to the Web hosting company account and change the password there. If you think this ex-user uploads info to the root directory of the hosting account's server for your domain, then changing the login password should update the FTP access password as well. While logged into the Web hosting company's Web console, you can change passwords to any other created FTP accounts that you think the ex-emp might have access to as well.
Sanjay Santoki Commented:

At the least, you should be sure of the following things.

1. The domain control panel password should be changed.
2. The hosting control panel and FTP account passwords should be changed.
3. If the website is dynamic and gets data from a database, the database credentials should be changed.
4. Request the hosting provider to minimize the permissions on web content. Only the website anonymous user and the application pool user should have read access (remove list content or execute if not required).
5. If there are any dynamic modules in the website, secure them, e.g. file uploads, enquiry forms, etc.

Sanjay Santoki
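
One way to check item 4 of the list above, as an added example that is not part of the original thread. It assumes a Windows/IIS host where you have an administrative PowerShell session; the web root path and application pool name are hypothetical placeholders.

```powershell
# Added example: list who holds more than read access on an IIS content folder.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot\example-site',             # hypothetical path
    [string[]]$WebIdentities = @('IUSR', 'IIS AppPool\example-site')  # hypothetical pool name
)

# Rights beyond plain read. Modify and FullControl are not listed because they
# include the read bits; an ACE granting either also sets the bits below.
$excess = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, ExecuteFile'

# The root folder itself plus everything beneath it, hidden items included.
$items = @(Get-Item -LiteralPath $WebRoot) +
         @(Get-ChildItem -LiteralPath $WebRoot -Recurse -Force)

$report = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Keep only the part of the grant that goes beyond read.
        $granted = [int]$ace.FileSystemRights -band $excess
        if ($granted -eq 0) { continue }

        $who   = $ace.IdentityReference.Value
        $isWeb = [bool]($WebIdentities | Where-Object { $who -like "*$_" })

        [pscustomobject]@{
            Path      = $item.FullName
            Identity  = $who
            Rights    = [System.Security.AccessControl.FileSystemRights]$granted
            Inherited = $ace.IsInherited
            Finding   = if ($isWeb) { 'web identity has more than read' }
                        else        { 'review: can change content' }
        }
    }
}

$report | Sort-Object Finding, Identity, Path | Format-Table -AutoSize -Wrap
```

Rows marked "review" are where a leftover personal account for a former maintainer would show up. ACEs stored as generic rights (shown by Get-Acl as bare numbers) are not decoded by this check.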
Secure your mail service.  Password reset requests can come via email.

Change/update contact information at the registrar.  There should be an actual name, address, phone #, and a real email address.  If you put "manager" and a generic email address, then anyone could claim to be that person.  They could then arrange to modify the domain or transfer ownership.

Change database credentials.  If the site is using SQL, it's possible to modify data even if the FTP and control panel passwords are changed.  You can have SQL logins that aren't related to domain administration, even on GoDaddy.  It's used for connecting to other databases or for developers that don't have authority to manage your domain.
phototropic (Author) Commented:
The client ended up moving his account. The domain is now hosted by a new organisation and all usernames and passwords have been reset.

Thanks to all who responded with suggestions.
