As an online merchant, you are inevitably faced with the necessity to regularly deliver content to your website, which is hosted at the remote server. The most common way of importing your files is by using FTP (File Transfer Protocol). It is absolutely necessary that this process is secure to protect your store information.
To upload images and HTML files to the server, install an FTP client (such as Filezilla, FireFTP, FTP Commander etc.) and create an account with your hosting provider (make sure FTP option is supported).
To start working with the store files, connect to the server via FTP client using your FTP credentials:
- Host: example.com
- Username: Your Store Name
- Password: 12345
FTP host is the domain address of your FTP server, while password and username are provided by your hosting company in the email you received from them upon signup.
Choosing Secure Permission Settings
To ensure that your store data is visible for the site visitors but cannot be modified or used for malicious purposes, it is necessary to set the file/folder permissions correctly. These settings define what each of the 3 typical groups of users (owner, the group, world) can do with a file/folder.
- Owner: The owner of the file/folder.
- Group: The group the owner belongs in. It means, if your hosting account allows you to create several FTP logins, they would belong to the same group.
- World: Your site visitors.
The groups have three activities that can be either allowed or denied. Each activity has its numeric value:
- Read: read or list files in a folder – “4”
- Write: edit/delete/rename a file/folder – “2”.
- Execute: run a script – “1”
Thus, 4+2+1=7. So, if you set file/folder permissions to 777, it would mean every user is able to do anything with the given file/folder. But this should be avoided unless absolutely necessary. The worst outcome of using 777 permissions is that a hacker may be able to upload a devious file or modify a current file to execute code which will allow complete control over your website, including database information and password.
However, if you set the permissions too low, your server won’t be able to access files and it may cause errors. The way to ensure proper work of your site is to use 755 instead of 777 for folders. Thus, only the owner will have the rights to create and delete files in a folder. As to .html .php and other Document Types 644 is the recommended value, which only allows ‘read’ for group and world.
You can use Shopping Cart Diagnostics to perform file/folder permission check to ensure your data security.
Preventing Hackers’ Attacks
One of the most common ways to break into your site is a brute force attack. It is a method of getting hold of the user’s authentication credentials (username and password) to login to FTP Server and modify the website. It is generally performed by automated programs and scripts that use random usernames and passwords or generate combinations of numbers and letters to attempt login.
The secure password policy can be the measure to block brute force attacks:
- Use strong passwords of 8-12 characters which contain uppercase, lowercase, numeric and non-alpha-numeric characters.
- Change your default FTP password.
- Use a different password for every purpose.
- Change passwords on a regular basis.
- Only give your password to people who must have it. Change it when their work is done.
You can also prevent a brute force attack by applying changes to your FTP account settings:
- restrict the number of user login attempts.
- ban a user’s IP after multiple failed login attempts.
- check log files for suspicious login attempts
Shopping Cart Diagnostics will help you test your FTP settings and prevent further server attacks to make sure your store is safe and sound at all times.
NOTE: For Shopping Cart Diagnostics to perform the above mentioned security testing, as well as many other checks, it is necessary to set up a connection bridge with your store using your FTP details. The Bridge is the open coded script that performs internal server and shopping cart checks.It gathers your store data required for analysis and locating errors. The connection bridge cannot and in no way will alter your account settings or obtain store confidential data.
Anyway, you can change your FTP password right after the check is completed and set lower file/folder permissions to limit any unauthorised access to your server.