When you upload content via FTP you use your personally selected username and password combination. The username you selected also becomes the owner of the files you upload. Similarly, when you attempt to delete files uploaded through an application like WordPress, since they are not owned by your account, you are unable to delete them. The apache user has control over the files.

Although you could get the root user to change the ownership or permissions of the files to allow your account access, this requires creating a support ticket every time you run into the problem. Rather than fixing the problem reactively, we suggest fixing it proactively; ensure that files uploaded through WordPress are already owned by your personal user account rather than apache.

How do you do this? FastCGI!

Within Plesk under Web Hosting Settings, there is an option to run PHP through FastCGI. By changing this setting from Apache Module to FastCGI, you are changing the user that PHP files are accessed with.

Since all of your PHP files will be executed by your own personal username, all files uploaded through your PHP application will also be owned by your user account. No more apache account in the mix and no more non-deletable files!

One additional benefit is that your files are not owned by the apache user any longer. You might remember that it was beneficial, for security reasons, to have your files not writable by users other than apache, but that only applies when you are forced to upload them under that user account. Since the apache user would be the same for all files uploaded across all websites hosted on the same server, if that account were hacked, then the hacker would have access to all files created by it (if they knew where to look). Now that your files are being uploaded under your personal user account, no other website can affect the security of your own files (assuming permissions are also set appropriately – ie: no ’777′).

If you have any questions about this process or believe some of information provided here could be clearer, please contact us with your suggestions – we would love to hear from you!

How and why do websites get defaced, hacked, or corrupted?

Most sites are compromised by known vulnerabilities in outdated web-based scripts and applications. Simply put, this means if you run outdated versions of popular software such as message boards, blogging software, or content management systems, your website could be at risk. Other ways a website is commonly compromised is due to insecure or stolen passwords and incorrect file permissions.

Why would anyone want to hack my website? I don’t store any personal or financial information on my site so I shouldn’t worry about this right? Many people feel that because they think no one wants to compromise their website they don’t need to worry about its security. Stop it.

Although they may not want any of the information on your site, most of the time your site will be used to spread viruses, spyware, or deceive your visitors into going to sites with them. Most compromised sites we see have malicious code injected into the files in order to do just this.

Here are a few things you can do today to make sure your website is better protected.

Start locally

Make sure your personal computer is secure. If you use an FTP program to upload content to your website, chances are that you have the username and password saved within it. Depending on how that program stores this data it is possible to have that info stolen if your computer has spyware or a virus.

We recommend installing a virus scanner and regularly scanning for spyware along with being more cautious of where you are surfing online.

Update and patch your third-party applications

Most website security issues can be avoided by being proactive with updates and security fixes issued by the authors of your applications.

Many popular applications now have a one-click update that takes less than 30 seconds to perform. It is recommend that you backup your data before upgrading which can usually be done through your Control Panel.

If you stop using an application make sure you remove it. If you’ve switched from WordPress to Joomla for your content management, make sure you remove the WordPress installation as it can be forgotten about and left outdated. Even though you may not be using it, it can still be accessed.

Remember that updates, patches, and new releases are released for a reason. Staying on top of these updates may seem like an inconvenience at the time, but it will save you from a lot of headaches and issues in the long run.

Checking file permissions

Allowing everyone to read, write, and execute files on your website is a huge security issue. In a web-based environment you typically will want a “755″ permission setting, or full access to the file owner, and only read/execute access for everyone else.

Some applications will ask you to set a permission to “777″ or full access to everyone. Make sure you are running the most up-to-date version of this application before installing. Also, you may want to try it with a 755 as some hosting environments will for this.

Secure your login areas

It is best to access the administration area of any application over SSL (https://). This can be done by making sure it is placed in a ssl-based directory.

In addition to this, it is possible to limit the admin directory to only specific IP addresses. This can be done by placing the following information into a .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName AdminAreaAuth
AuthType Basic
order deny,allow
deny from all
# allow home IP address
allow from 99.x.x.x
# allow work IP address
allow from 142.x.x.x
# allow vacation home IP address
allow from 24.x.x.x

For example, if you wanted to secure the admin area of your WordPress installation, you would place this .htaccess file in your /wp-admin/ directory. It will deny all connections that are not made from one of those predefined IP addresses.

—
Hope this helps. Interested in hearing more on a specific topic? Let us know!