The Internet is full of people waiting for the opportunity and the means to break into your server and do whatever they like with your websites. There are plenty of ways in, from unpatched OS vulnerabilities to holes in your web applications. Knowing that, there is no reason to make it easy for them. The following four mistakes amount to handing an attacker a free all-access pass to your server, so avoid them.
1. Guessable Passwords – Why is something so simple so hard to convince people to do? You can remember the words to hundreds of songs but cannot take the time to memorize a password more complex than “bigdaddy”. Attackers normally use automated tools that try dictionary words and common passwords against a login prompt (or against a stolen password hash), but many passwords are weak enough to guess by hand. Use long passphrases or a password manager, and assume any password exposed to the Internet will be tried against every other service you run.
2. Accessible Root Account – There is no reason to log in as root on a regular basis; log in as an ordinary user and use sudo for the few commands that need it. If you leave the root account reachable from the Internet, attackers will run brute-force attacks against its password, and root is the one username every attacker already knows. If SSH or any other service allows root logins with a password, a single correct guess gives them immediate and full control of the machine. Disable root login in the SSH daemon configuration (PermitRootLogin no) and, preferably, disable password authentication entirely in favour of keys.
3. Guest/Test Accounts – Sometimes you need to create a test account to make sure everything is working right. That is fine. The two mistakes are leaving the test account in place indefinitely and giving it a password like “test”. Do not name the user “guest” and make the password “test”; that combination is in every attacker's wordlist. Be a little more creative, give the account an expiry date or delete it as soon as the test is done, and audit your account list periodically for leftovers.
4. “Hack Me” Scripts – Some scripts have well-known vulnerabilities. For years, attackers exploited the old FormMail script (formmail.pl) that every other website used, mostly to relay spam through the hosting server. Make sure the scripts you use are secure and kept up to date: check for published vulnerabilities in the exact version you are running, and if you are not sure, do some research before trusting code from an unknown developer.
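Points 2 and 3 above can be checked mechanically. The script below is an added example written for this page, not code from the original article: it reads an sshd_config and a passwd file and reports root logins reachable over SSH, password authentication left enabled, extra UID 0 accounts (a second root by another name) and throwaway guest/test accounts that still have a login shell. The file contents in the demo are constructed for illustration; the function names, the list of throwaway name prefixes and the temporary-directory layout are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original article): audit an sshd_config and a
# passwd file for the weak spots described in points 2 and 3. The sample files
# built in demo() are constructed; the functions also work on a real
# /etc/ssh/sshd_config and /etc/passwd.

# Effective value of an sshd_config keyword. sshd uses the FIRST uncommented
# occurrence of a keyword, and settings after a "Match" line apply only
# conditionally, so stop reading there. Include directives are not followed.
sshd_option() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one "FINDING: ..." line per weak SSH setting in the config file $1.
audit_sshd() {
    root=$(sshd_option "$1" PermitRootLogin)
    case "$root" in
        no) ;;
        prohibit-password|without-password)
            echo "NOTE: PermitRootLogin=$root allows key-based root login; prefer 'no' plus sudo" ;;
        "") echo "FINDING: PermitRootLogin not set; the default is 'yes' on OpenSSH before 7.0" ;;
        *)  echo "FINDING: PermitRootLogin=$root exposes the root password to brute force" ;;
    esac
    pw=$(sshd_option "$1" PasswordAuthentication)
    if [ "$pw" != "no" ]; then
        echo "FINDING: PasswordAuthentication=${pw:-yes (default)}; guessable passwords are reachable over the network"
    fi
}

# Print one "FINDING: ..." line per suspicious entry in the passwd file $1:
# any UID 0 account other than root, and any account whose name looks like a
# throwaway (guest/test/demo/temp) that still has a real login shell.
audit_accounts() {
    awk -F: '
        $3 == 0 && $1 != "root" {
            print "FINDING: " $1 " has UID 0 (root-equivalent account)" }
        $1 ~ /^(guest|test|demo|temp|tmp)/ && $7 !~ /(nologin|false)$/ {
            print "FINDING: " $1 " looks like a throwaway account but has login shell " $7 }
    ' "$1"
}

# Demo on constructed input: a weak sshd_config plus a passwd file with a
# leftover test account and a second UID 0 user.
demo() {
    d=$(mktemp -d)
    cat > "$d/sshd_config" <<'EOF'
# weak configuration (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
Match User deploy
    PermitRootLogin no
EOF
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
test:x:1001:1001:testing:/home/test:/bin/bash
guest:x:1002:1002::/home/guest:/usr/sbin/nologin
admin2:x:0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    audit_sshd "$d/sshd_config"
    audit_accounts "$d/passwd"
    rm -rf "$d"
}

demo
```

On the sample input this reports four findings: root password login enabled, password authentication on by default, the leftover test account with a shell, and the admin2 user with UID 0. The guest account is ignored because its shell is nologin, and the PermitRootLogin no inside the Match block does not count because it only applies to one user. Because the checker reads the file directly and ignores Include directives, run sshd -T on a live host to see the configuration the daemon actually uses, and sshd -t after editing to validate the file before restarting the service.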