Biggest security errors that webmasters and server owners make
1. ROOT USER
The first and biggest mistake of all is running your site or server as the root user. Root should be used only locally; for the site or sites, create a separate user that has no more permissions than it needs to do its job. Trust me, you don't need to be root to manage 90% of the things you need to do on the server or on the site. Take for example a shared host where the web user is root. Now assume an SQL injection is found on one of the sites. The attacker will be able to read whatever he wants from any database on the server and, in some cases, even upload a web shell, since the process has full read/write permissions. He can also read any file on your server, including /etc/passwd, which gives him very useful information about which users own the other sites on the server. SO REMEMBER: DON'T USE ROOT FOR IT.
2. FULL DISCLOSURE ERROR MESSAGES
This is like an open book for any attacker. For example, the error
„mysql fetch array err in /home/user/public_html/products.php on line 21“
gives out a lot of useful information. First, it discloses the full path. You are probably asking what someone can do with that, but believe me when I say that this information, in the hands of someone who knows what they are doing, can harm your server more than you can imagine, whether combined with other things or, in some cases, on its own. Second, the attacker learns that you are running a MySQL server. Combined, that info gives him yet another clue: a path like /home/user/public_html/products.php plus MySQL means that 90% of the time you are on some UNIX server running Apache. There is more to be gained from this error, but I won't list it all here since you probably get the point already. This is only a semi-informational error; some people leave errors with even more information in them. ADVICE: Handle your errors with „else die“ or something similar, or make custom error pages that don't reveal that much information, for example one that displays just the word „error“, or instead of displaying the error just redirect to the index page without showing anything.
3. WEAK, DEFAULT, COMMONLY USED USERNAMES AND PASSWORDS
Some people are too lazy to pick proper passwords because they are scared they will forget them, but it is better to write them down somewhere than to use a simple combination everyone knows, like admin/admin and similar. Also, never leave the default username and password in place after installing a script or some software. The reason is that if someone wants to hack your site, all he needs to do is download the script from the official site (if it's free) or find it on some warez forum (if not), install it on his own machine, and read off your username and password. ADVICE: Make sure you use passwords you created yourself instead of the default ones and common dictionary passwords.
4. OLD AND OUTDATED SOFTWARE
Regardless of whether you own a Windows or Linux server or just a website or blog, make sure it is constantly updated. Update your kernel version, your website script, your blog script and all the plugins you have there. As an attack scenario, imagine you own an osCommerce site that is outdated. The attacker, regardless of his knowledge of osCommerce or anything about it, can simply go to the sites provided for webmasters and server owners to look up newly discovered vulnerabilities and patch their scripts, like milw0rm and similar sites, search for your software and use the posted information against you. An example is the osCommerce source disclosure vulnerability in version 2.2, which gives him full information about your database, including the hostname, username and password required to connect to it.
5. ENABLED FUNCTIONS AND SAFE MODE
For example, if you own a Linux server and someone manages to get a web shell on it, make sure you have safe mode ON and have disabled all functions that are not needed for the site to work normally. Also make sure you have some anti-hack module installed, like mod_security for example, or something similar. If you are just a website owner, you can make those modifications with a .htaccess file without affecting any other site on the server.
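As an added example for items 2 and 5 above (my code, not the post's): a PHP page that keeps error detail in the server log and shows the visitor only a generic message, with the query done through a prepared statement under a low-privilege database user. It assumes PHP 7.4+ with mysqli; the host, database user, environment variable and table name are placeholders.

```php
<?php
// Added example (not from the original post): one handler that turns every
// PHP error or failed query into a generic "error" page for the visitor while
// the full message, path and line go to the server log only.
// Assumes PHP 7.4+ with mysqli; host, user, database and table are placeholders.

declare(strict_types=1);

ini_set('display_errors', '0');   // never render error text into the response
ini_set('log_errors', '1');       // keep it in the PHP/Apache error log instead
// disable_functions, open_basedir and expose_php=Off belong in php.ini:
// disable_functions is PHP_INI_SYSTEM, so it cannot be set from .htaccess.

// Turn notices and warnings into exceptions so they all reach one place.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Decide once what the visitor sees versus what the admin sees.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(4));         // correlation id for the log / support
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    header('Content-Type: text/plain; charset=utf-8');
    echo "error (ref $ref)";                 // no path, no driver name, no line number
    exit;
});

// Make mysqli throw on failure instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// The old code did $r = mysql_fetch_array(mysql_query($sql)) and printed
// "mysql fetch array err in /home/user/public_html/products.php on line 21".
$db = new mysqli('localhost', 'shop_ro', (string) getenv('SHOP_DB_PASS'), 'shop');
$db->set_charset('utf8mb4');

$id = (int) ($_GET['id'] ?? 0);             // cast: no SQL injection via id
$stmt = $db->prepare('SELECT name, price FROM products WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($name, $price);
if ($stmt->fetch()) {
    printf("%s: %.2f\n", htmlspecialchars($name, ENT_QUOTES), $price);
} else {
    http_response_code(404);
    echo "not found\n";
}
```

Note that safe_mode was removed in PHP 5.4 and disable_functions is PHP_INI_SYSTEM, so on current PHP those settings belong in php.ini or the pool configuration rather than .htaccess; display_errors and log_errors can still be set per site with php_flag under mod_php.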
Conclusion: It's better to take 5 minutes more than you spend on site design, or 5 minutes more of your free time, to make sure security issues have been taken care of. Otherwise there will come a day when you have to redo it from the start, just because someone was bored and decided to destroy your site.