Security against Hacking



jhen123
12-16-2007, 04:04 PM
The website I administer has been hacked 8 times since July when we switched to Bluehost. Under our previous Web Hosting company we weren't hacked in 3 years. There have been some minor code modifications and updates, but other than that no changes have been made in the code to warrant this.

On Wednesday I was hacked and my php.ini file was changed so that only one line was in it "safe mode = off". How can someone get to that file? Today, Sunday (just 4 days later) I'm hacked again - this time the php.ini file wasn't changed at all, but they put a new index file in.

How do I secure my website to ward off attacks?

Here's what I've done:
1- php.ini, safe mode=on, and register_globals=off
2- ssh is off
3- Indexing is off under Index Manager
4- .htaccess file says:
"DirectoryIndex index.php index.htm index.html
<Files php.ini>
Order allow,deny
Deny from all
</Files>
<Files fastphp.ini>
Order allow,deny
Deny from all
</Files>
Options All -Indexes"

5- Changed passwords for everything after Wednesday's attack, so that's got nothing to do with how he/she is getting in.

I need a script to propagate the php.ini file through a web browser. I called Bluehost support and the guy I talked to knows it's out there, he just didn't have it, so...it'll be a lot easier to do that than to copy it individually into the folders I need it in.

Does anyone know of a script I can use in my .htaccess file to block anyone from outside the U.S. from accessing our website?

Any help would be appreciated.
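An added example, not from the thread or from Bluehost, of the kind of check a site owner could run after the incidents described above: it hashes a web root once, compares a later snapshot to find replaced or dropped-in files (such as the new index file), and flags a php.ini that has lost the intended safe_mode/register_globals settings. The web root, file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

EXPECTED_INI = {"safe_mode": "on", "register_globals": "off"}  # settings the thread wants kept

def hash_tree(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_baseline(baseline, current):
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def check_php_ini(text):
    """Return expected directives that are missing (None) or set to another value."""
    seen = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0]  # strip ini comments
        if "=" in line:
            key, val = line.split("=", 1)
            seen[key.strip().lower()] = val.strip().lower()
    return {k: seen.get(k) for k, v in EXPECTED_INI.items() if seen.get(k) != v}

def demo():
    """Constructed scenario: baseline a web root, then replay the thread's incidents."""
    root = tempfile.mkdtemp()
    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    write("index.php", "<?php echo 'home'; ?>")
    write("php.ini", "safe_mode = On\nregister_globals = Off\n")
    baseline = hash_tree(root)  # in practice, keep this copy off the server
    write("index.php", "<html>replaced</html>")  # the new index file
    write("php.ini", "safe_mode = Off\n")  # php.ini cut down to one line
    write("uploads/extra.php", "<?php // unexpected file ?>")
    report = diff_baseline(baseline, hash_tree(root))
    with open(os.path.join(root, "php.ini")) as fh:
        return report, check_php_ini(fh.read())
```

Run the baseline from a clean copy of the site, store it somewhere the web account cannot write, and compare on a schedule; a non-empty report is the signal to look at the hosting logs for that window.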

silentcollision
12-16-2007, 05:10 PM
If you really want to block anyone from outside the U.S, check out Geo IP (http://www.google.co.nz/search?q=GEO+IP). It's not guaranteed though, and it doesn't stop people in the U.S from accessing vulnerabilities in your website.

You should probably try to improve your script. Are you using a common script or is this a custom built one? Make sure you're sanitising all user input, before it accesses a database, and make sure file uploads are restricted. Check out this security guide (http://php.robm.me.uk/) against your code and see if you can improve it somehow.

Finally you could consider getting your code checked by a professional programmer for vulnerabilities.

felgall
12-16-2007, 05:57 PM
Most hacking occurs due to someone discovering a vulnerability in a script that you are running. Once that vulnerability is discovered the only way to stop it happening again is to get the code fixed that allowed it in the first place.

redsox9
12-16-2007, 06:34 PM
If you give hackers even the smallest opening, they will get into your site. If you use software that you did not write, check with that company to see if there have been any recent updates and install them. Also, make your passwords more bullet-proof; mix letters with numbers and other characters whenever possible.

Lydia123
12-16-2007, 07:42 PM
Can you elaborate on the kind of scripts people have on their sites that allow hacking? What, exactly, are they? Are they any software you buy, download and install, e.g., Wordpress, Front Page, a CMS?

redsox9
12-16-2007, 08:15 PM
Any script out there has the potential for loopholes that allow access through unintended channels. I don't have specific examples but one that I know of from before allowed hackers to swipe valuable server information using form input. All they had to do, when adding their email address, was to append code specific to do this. However, this can be resolved with some clever coding.

Again, your best defense is to stay on top of updates. The Wordpress admin panel will usually show you when updates have become available for you to install; I imagine the same is true for other software. Frontpage? I'm not so sure about that one because I was under the impression that Microsoft no longer supports it.

jhen123
12-16-2007, 09:09 PM
Our code is handwritten, and I didn't write it. The programmer who did has been going over it, but it looks OK to him. Obviously, we're missing something. So...we'll have a lot of code to look through it looks like. Thanks to all for the replies and especially for the security guide from Silent Collision. I'm going to forward this on to the programmer - it might help him.

JoeP
12-17-2007, 06:34 AM
Can you elaborate on the kind of scripts people have on their sites that allow hacking? What, exactly, are they? Are they any software you buy, download and install, e.g., Wordpress, Front Page, a CMS?

I know you said that your code is hand written, but in case others might have similar question regarding script vulnerabilities, you might have a look at http://nvd.nist.gov/nvd.cfm. It is the National Vulnerability Database. Just type in the name of the script and see what pops up.
joe

Oh, and a couple other things that I don't think were mentioned... change your password and notify BH of the incidents (not just this user forum).

Basil
12-17-2007, 07:08 AM
Change the password for the email account under your contact/billing info. If they can access that email account then they can get your password any time they want.

That, and it's possible they put a backdoor somewhere on your site that they're using to mess with your files, or possibly an ftp account.

felgall
12-17-2007, 11:36 AM
The book "Essential PHP Security" by Chris Shiflett has info on many of the different ways your code could be vulnerable and how to code defensively so as to minimise the chance of it containing security holes.

jhen123
12-18-2007, 09:17 AM
I called Bluehost every time we got hacked. I reset the passwords for the 2nd time this month yesterday, and I did change the password for the admin email account also (thanks for that heads up).

One thing I did find in the Control Panel was ftp access was being allowed to anonymous users. I turned it off. I'm not sure if that will help, but it can't hurt.

The programmer who wrote our code hasn't found anything that could allow anybody into the root folder to overwrite the index.php file on the root. He's been looking at it the last couple of nights.