how to secure my website

Question

I know securing any website is a very tough and broad topic to be discussed upon but i want to relate this question to my specific website which i've been working on. It was coded in php by some other programmer around 2004 and i am responsible for it's management. My problem is it's being hacked time and again. I have noticed following things when it's been hacked.

1. .htaccess file has been modified
2. index.php and config.php files were modified
3. Admin password has been changed
4. Uploading files in server
5. changing file permission of files and folders

I have worked on the code, it has been properly escaped and i think there is no probability of sql injection. Since most of the problem is related to files and permission i have a doubt about the server security but due to the reason that it was coded around 2004 surely it will lack some security, so what other things do i need work upon in my code to prevent my site being hacked for above mentioned problems?

Thanks in advance.

Answer 1

Since files have been modified, this is unlikely due to SQL injection bugs.

Possibilities to get to the files:

• Guess/steal your FTP password
• Hack the server (you can't really do anything about that)
• Insufficient isolation on the server, meaning other customers can change your files (you can't really do anything about that either)
• Remote code execution bugs

Now since you say the website is from 2004, it could be that it uses eval for templating or include for things like site.php?section=foo and then include foo.php in the code somewhere which were both done frequently back in 2004. So I'd do a quick file search for eval and the regex include(.*\$.*) as well as require(.*\$.*). Those are prime suspects depending on how they were used.