400 Reasons For A Website Security Check

A website security check reduces the risk of your website being hijacked or abused by anyone for their own amusement, malicious intent or profit.

Just to give you an idea of the huge interest there is in hacking websites, a search done on Google revealed over 2 million searches every month for website hacking. And these are just searches by English speakers and don’t include people searching in other languages.

How to hack … 1,830,000
Web-mail hack / hacking … 130,000
Hack this site … 110,000
Website hack / hacking … 82,000
Download hacking software … 74,000
How to hack a website … 27,100
PHP hack/hacking … 26,000
Joomla hack/hacking … 16,700
Wordpress hack / hacking … 16,400
Hacking sites … 14,800
MySQL hack / hacking … 3,900
Drupal hack / hacking … 2,000

Many of these people are using their newly found knowledge and website security checker software to scan websites every day to find ways they can hack into a website.

And if you think this is not happening to your website, try looking at your web stats for the 404 page not found entries.

If you find a lot of errors for files and file locations that don’t exist on your website, you will know your site is being probed for website security weaknesses that could be exploited. And if you don’t find any, don’t assume you’re in the clear; the hackers may just not have found your website yet.

Without a daily website security check for hacking activity you would not know your website is being probed and worse still, if your site does get hacked you may not even know it.

Hackers who do it for fun usually want to show off by replacing your website content with their own, so you could discover this, unless your website has many pages, in which case you may not. But those who want to use your site for illegal purposes or for profit don’t want to be discovered. So you may not be aware your website has been hacked until it’s too late.

NOT doing a website security check could cost you dearly

1. A hacker could install malware on your website with the purpose of infecting your visitor’s browser when they visit your website or installing malicious software on your site visitor’s computer. If Google detects your site has malware (and they do check for it), this can get a visible warning flag assigned by Google to your website.

This warning appears in Google’s search results next to your listings telling potential visitors your site may harm their computer. Sometimes Google will completely remove a website from their index and it could take weeks to get it reinstated. In addition it could take many more weeks to get back to anywhere near previously held search rankings.

2. On Dec 17, 2011 Google announced a new warning tag "This site may be compromised." Like the Malware warning notice they will add this warning to any search result listing of a website they believe to have been compromised (hacked) by a 3rd party.

If you see either warning message, contact the webmaster and request they investigate whether the website has been hacked. If you are the administrator of a site identified with either of these warning messages, you should consult the instructions found in Google's Webmaster Help Center to resolve the problem and request the warnings be removed. Google acknowledges that its detection of malware-infected or hacked sites is not perfect, so websites can get labelled as harmful or compromised when they are not.

3. If a hacker gets into your email / webmail accounts, they could be sending tens or hundreds of thousands of SPAM emails that could get your site email addresses blacklisted and cause your web host to suspend or terminate your hosting account.

4. If a hacker gets into your site databases, they could extract personal data and credit card details if you keep them on your hosting server, even if it’s an SSL (https) server. They will use this information for fraud or sell it for a profit. This could severely affect your ability to ever process online transactions again using any leading credit card company.

5. If a hacker can gain access to your website they can add their own files and scripts which could be designed to do a whole range of things from redirecting your visitors to another website to injecting a Trojan virus that will wreak untold havoc.

If the hacker sets up redirect links to websites that Google regards as bad or black-listed, the ranking of your website will suffer when Google finds these bad links on your website, which they will.

6. Even if your website just gets hacked for fun you could end up with your web page content being replaced with porn or spam, which could not only be embarrassing for you, but also hurt your web page and site rankings with the search engines.

I’m not telling you all this to scare you, just to point out what could happen and the impact this could have on your website, on your search rankings and your business if your website gets hacked.

Checking website security is NOT your web host’s responsibility

Your web host's concern is for the overall security of their servers and the applications they run on them, not the applications and scripts you or a hacker runs on your hosting space.

If you or your webmaster installs a content management system (CMS) or web platform like WordPress, Drupal, Joomla or any other commercial or free script, the responsibility for your website security is yours. The first response of your web host if your website gets hacked may be to shut it down until you get the problem fixed.

And if your site is down and offline for too long, Google could remove your website from their index and getting your rankings back may take a very long time. This is because Google will completely reassess your entire website and what it should be ranked for when it comes back and this can take weeks and sometimes months. Meanwhile your search engine traffic will have plummeted to a trickle.

Hacking probes often check if you have website platforms like WordPress, phpBB or other Bulletin Board, Drupal, Joomla, phpNuke or any well-known shopping cart. They also frequently probe for the location of your website’s MySQL databases or webmail. Sometimes they look for the location of a previous hacker’s files that may already exist on your web server space.

Any forms you have on your website for subscriptions, contact us, leave a comment, upload photos, guestbook entries or other means for users to make an input are also being probed for a back-door way in to your website.

One of my clients once had someone install a guestbook on their website where people could leave comments. The guestbook was hijacked by a hacker for 5 months without the website owner even knowing about it until I discovered it. The hacker had uploaded a JavaScript file in the comment field which redirected any guestbook visitor to the hacker’s own website. There they proudly displayed a list of all the other websites they had hacked, including my client’s.

And this required no special skills; almost anyone with a little know-how could have done it.

This guestbook was hijacked because the guestbook script was old and not kept up to date and because the webmaster had incorrectly configured it when it was installed.

As well as looking for known vulnerabilities in common web applications and forms that you may have installed on your website, hackers are also looking to exploit weaknesses in the way you or your webmaster have configured web applications and scripts on your website.

How I discovered my websites were probed daily

When I discovered my websites were being probed every day, I had not set out to monitor hacking activity. I installed a script for an entirely different purpose, the by-product of which gave me daily emailed reports of files being searched for that did not exist on my website.
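A report like the one described above, and like the 404 check recommended earlier, can be built directly from the web server access log. The following is an added example, not the author's script: it assumes the combined log format, uses constructed log lines, and the hint list is an assumption based on the platforms this article names.

```python
import re
from collections import defaultdict

# Constructed sample log (combined format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:03:12:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [10/Mar/2024:03:12:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [10/Mar/2024:03:12:03 +0000] "GET /webmail/ HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [10/Mar/2024:03:12:04 +0000] "GET /administrator/index.php HTTP/1.1" 404 512 "-" "-"
198.51.100.20 - - [10/Mar/2024:09:30:10 +0000] "GET /old-page.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:30:15 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

# Captures client address, requested path and status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Assumed hint list for platforms the article names; extend it for your own site.
PLATFORM_HINTS = ("wp-", "phpbb", "drupal", "joomla", "administrator",
                  "phpnuke", "phpmyadmin", "mysql", "webmail", "cart")

def missing_paths_by_client(log_text):
    """Map client address -> set of requested paths that returned 404."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the report
        client, path, status = m.groups()
        if status == "404":
            seen[client].add(path.split("?", 1)[0].lower())
    return seen

def probe_report(log_text, min_paths=3):
    """Return [(client, distinct_404_count, hinted_paths)] for likely probes."""
    report = []
    for client, paths in missing_paths_by_client(log_text).items():
        hinted = sorted(p for p in paths if any(h in p for h in PLATFORM_HINTS))
        if len(paths) >= min_paths or hinted:
            report.append((client, len(paths), hinted))
    return sorted(report, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for client, count, hinted in probe_report(SAMPLE_LOG):
        print(f"{client}: {count} missing paths, platform probes: {hinted}")
```

A single visitor following one dead link stays out of the report; a client asking for several missing files, or for files belonging to a platform you do not run, is listed.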

There are many different attacks hackers can conduct to take control of a website. In general, the most common and dangerous ones are SQL injection and cross-site scripting (XSS).

SQL injection
This involves injecting a piece of malicious code into a web application in order to change its behaviour. This is done by exploiting security loopholes in the application’s database.

Once the database is compromised, a hacker can manipulate URLs, access form information including search, login, email registration and passwords, and extract sensitive personal data. They can also inject data into a database, and if this belongs to your web platform or CMS, they can change the content and links on any of your web pages.

Cross-Site Scripting (XSS)
Another popular technique with hackers is cross-site scripting, which involves injecting malicious code to exploit security weaknesses in the web platform used to generate web pages. This allows the hacker to intercept or manipulate data obtained from or presented to someone visiting an infected web page on your site.

SQL injection and cross-site scripting are just two of the many techniques used by hackers to attack and exploit innocent, unsuspecting and vulnerable websites; there are many more.
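The standard defences against both techniques, applied to a guestbook like the one in the story above, are bound query parameters and output encoding. This is an added example, not code from this site: the table layout and function names are assumptions, and the sample input is constructed.

```python
import html
import sqlite3

def open_guestbook():
    """Create an in-memory guestbook table (assumed schema for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE entries (id INTEGER PRIMARY KEY, author TEXT, comment TEXT)")
    return db

def add_entry_unsafe(db, author, comment):
    """Anti-pattern kept for comparison: input is pasted into the SQL text."""
    db.execute(f"INSERT INTO entries (author, comment) VALUES ('{author}', '{comment}')")

def add_entry(db, author, comment, max_len=500):
    """Store a comment with bound parameters, so input is never parsed as SQL."""
    if not author.strip() or not comment.strip():
        raise ValueError("author and comment are required")
    if len(comment) > max_len:
        raise ValueError("comment too long")
    db.execute("INSERT INTO entries (author, comment) VALUES (?, ?)", (author, comment))
    db.commit()

def render_entries(db):
    """Render entries as HTML, encoding stored text so markup in it stays inert."""
    rows = db.execute("SELECT author, comment FROM entries ORDER BY id")
    return "\n".join(
        f"<p><b>{html.escape(a)}</b>: {html.escape(c)}</p>" for a, c in rows
    )

# Constructed input: a quote that changes a string-built query, plus markup.
SAMPLE_AUTHOR = "O'Brien"
SAMPLE_COMMENT = "It's a nice site <script>alert(1)</script>"

if __name__ == "__main__":
    db = open_guestbook()
    try:
        add_entry_unsafe(db, SAMPLE_AUTHOR, SAMPLE_COMMENT)
    except sqlite3.OperationalError as exc:
        print("string-built query was altered by the input:", exc)
    add_entry(db, SAMPLE_AUTHOR, SAMPLE_COMMENT)
    print(render_entries(db))
```

The stored comment is kept exactly as typed; it is the rendering step that turns it into harmless text, so encoding has to happen wherever stored input is written into a page.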

Do you use any of these 400 web applications?

If you have any of the following 400 web applications or scripts running on your website then you have good reason to be concerned about being at risk from a hacker. The lists you can access below are by no means complete, just lists of the more commonly known vulnerabilities.

If the applications you are running are not on this list, it does not mean you are safe from a hacker, just that you are less at risk.

1 - A. Web Applications & Script Vulnerabilities

35 Web Applications & Scripts with known website security issues and names beginning 1 to A.

[View Website Security Checklist 1 - A ...]


B - C. Web Applications & Script Vulnerabilities

47 Web Applications & Scripts with known website security issues and names beginning B to C.

[View Website Security Checklist B - C ...]


D - F. Web Applications & Script Vulnerabilities

47 Web Applications & Scripts with known website security issues and names beginning D to F.

[View Website Security Checklist D - F ...]


G - L. Web Applications & Script Vulnerabilities

42 Web Applications & Scripts with known website security issues and names beginning G to L.

[View Website Security Checklist G - L ...]


M - O. Web Applications & Script Vulnerabilities

55 Web Applications & Scripts with known website security issues and names beginning M to O.

[View Website Security Checklist M - O ...]


P. Web Applications & Script Vulnerabilities

64 Web Applications & Scripts with known website security issues and names beginning P.

[View Website Security Checklist P ...]


Q - S. Web Applications & Script Vulnerabilities

42 Web Applications & Scripts with known website security issues and names beginning Q to S.

[View Website Security Checklist Q - S ...]


T - V. Web Applications & Script Vulnerabilities

28 Web Applications & Scripts with known website security issues and names beginning T to V.

[View Website Security Checklist T - V ...]


W - Z. Web Applications & Script Vulnerabilities

45 Web Applications & Scripts with known website security issues and names beginning W to Z.

[View Website Security Checklist W - Z ...]


12 website security checks you can do on your website

Here are some simple measures you can take to minimize the chances of one of these probes hacking your web applications, finding your script files or hijacking your website.

1. DO NOT use default locations and directory names in the installation of a web application or script if at all possible. This minimizes the chances of a hacker finding your script files.

2. DO NOT leave install files on your web server. A hacker who finds them could run them again to change your configuration settings and gain access to and control of your scripts.

3. DO NOT use simple or short numeric-only passwords for login to admin areas. Use passwords at least 10 characters in length with a mixture of numbers and lower and upper case letters. The longer the password, the more difficult it is for a hacker to crack.

4. DO NOT use the same password more than once.

5. DO NOT leave FTP log files in directories after uploading via FTP. Delete them, as they contain useful information a hacker could use.

6. DO NOT upload readme.txt files when installing scripts. A hacker could download them to determine information about the scripts you have installed.

7. SET file permissions carefully on critical script files. Badly designed scripts and poorly set file permissions on your hosting server can result in hackers being able to exploit these files.

8. ADD a blank index page to all directories that do not have one to stop someone being able to list the file contents of your directories in their browser.

9. KEEP installed web applications and scripts up to date with any security patches.

10. AVOID using old free scripts not well supported or not kept up to date.

11. ROUTINELY check your website files, looking for files or folders you have not installed. If you find something, first check with your web host that they did not install what you found before deleting it. Sometimes a hacker will have installed files you cannot delete, so you will need to contact the web host to delete them for you.

12. ROUTINELY use a website security checker to scan your website for vulnerabilities particularly after installing web applications or scripts.
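Several of these checks (2, 5, 6, 7, 8 and 11) can be run as a routine script over a local copy of your web root. The following is an added example, not a tool from this site: the file-name hints, index page names and finding labels are assumptions, and the sample tree is constructed.

```python
import os
import stat

INDEX_NAMES = {"index.html", "index.htm", "index.php"}   # assumed index page names
LEFTOVER_HINTS = ("install", "setup", "readme")           # checks 2 and 6
LOG_SUFFIXES = (".log",)                                  # check 5

def audit_webroot(root, known_files=frozenset()):
    """Return sorted (finding, relative_path) pairs for a web root directory."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if not INDEX_NAMES & {f.lower() for f in filenames}:
            findings.append(("no-index-page", rel_dir))            # check 8
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            low = name.lower()
            if low.startswith(LEFTOVER_HINTS):
                findings.append(("leftover-install-or-readme", rel))
            if low.endswith(LOG_SUFFIXES):
                findings.append(("log-file-in-webroot", rel))
            if os.stat(full).st_mode & stat.S_IWOTH:
                findings.append(("world-writable", rel))            # check 7
            if known_files and rel not in known_files:
                findings.append(("not-in-manifest", rel))           # check 11
    return sorted(findings)

def build_sample(root):
    """Create a small constructed web root that breaks several checks."""
    os.makedirs(os.path.join(root, "uploads"))
    for rel, mode in [("index.html", 0o644), ("install.php", 0o644),
                      ("ftp_upload.log", 0o644), ("uploads/readme.txt", 0o644),
                      ("uploads/config.php", 0o666)]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding, path in audit_webroot(tmp):
            print(f"{finding:28} {path}")
```

Passing `known_files` a list of the files you installed turns the same run into check 11: anything on disk that is not in your list is reported for review.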

For a complete website evaluation covering over 120 different aspects of good quality website design including a website security audit download our website checklist.

To your Success
Tony Simpson
Website Auditor