Why fully patched sites get hacked

I've been corresponding with someone (this morning) who had a fully patched Drupal 6.15 website hacked. Since I often work with Drupal, this caught my attention. The hacker modified their bootstrap file, which affects the entire website's content on this particular database-driven website. They inserted links to various and sundry things with which the website owner no doubt wanted nothing to do. How embarrassing. It actually happens quite often, and to relatively well known people much more than it should. It even happens to well known tech advisers (not me, so far).

If you have an FTP account, that's very insecure all by itself. FTP passes its text in the clear, exposing your username and password every time you log in. Only a very secure network should be trusted with unencrypted passwords like that. I don't have a network I consider that safe - in other words, don't do it!

If you're using a typical big hosting company, they likely don't stop one FTP account from reading another account's files. That means anyone who has access to the server (which could be anyone who dropped a real or fake credit card on your host for an account on one of those shared hosting packages) can view your files, and that means they have access to your configuration files as well. If you use a database-driven website (like WordPress, Joomla, Drupal, etc.), that means your database is exposed in addition to any 777-permission files. The hacker doesn't even have to hack in such a case. He just gains access to the server and has his way with your website.

Your big (cheap) hosting service probably doesn't limit the number of times you can attempt a login from a single IP. Someone could pick up the password by sniffing the traffic if you're using FTP, but they can just as easily run a brute-force attack against your password and crack it in minutes. Even with an incredibly complex password, an attacker can throw a sequence of possible password combinations at an account and eventually break the password. It's hardly a challenge.

I see these attacks against my servers all the time. I watch the logs to see which account usernames are being attempted. As long as they never start beating on a real account, I've nothing to worry about. But there are three simple steps to avoiding this kind of attack: don't use FTP, don't allow unlimited login attempts on the server, and don't build websites that allow unlimited login attempts. This at least bars the unsophisticated hacker from waltzing into your website.
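A small detector for the log-watching described above, added here as an example and not part of the original post: it parses constructed sshd-style "Failed password" lines (the log format, the threshold, the window and the list of real account names are all assumptions), flags source addresses that hammer logins within a short window, and separates probes against nonexistent users from attempts against accounts that actually exist.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: four rapid failures from one address against
# nonexistent users, one scattered guess, and one probe against a real account.
SAMPLE_LOG = """\
Mar  3 09:12:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  3 09:12:08 host sshd[2002]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
Mar  3 09:12:15 host sshd[2003]: Failed password for invalid user oracle from 203.0.113.5 port 40003 ssh2
Mar  3 09:12:40 host sshd[2004]: Failed password for invalid user www from 203.0.113.5 port 40004 ssh2
Mar  3 09:30:00 host sshd[2010]: Failed password for invalid user guest from 198.51.100.9 port 5001 ssh2
Mar  3 10:02:11 host sshd[2020]: Failed password for webadmin from 192.0.2.77 port 6001 ssh2
"""

# Assumed syslog layout; "invalid user " is present only for nonexistent accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(text, year=2010):
    """Yield (timestamp, username, source_ip) per failed-login line.
    Syslog omits the year, so one is assumed for parsing."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def brute_force_sources(text, threshold=3, window=timedelta(minutes=5)):
    """Return source IPs with >= threshold failures inside any sliding window."""
    per_ip = defaultdict(list)
    for ts, _, ip in parse_failures(text):
        per_ip[ip].append(ts)
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop attempts that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)

def real_account_hits(text, real_users):
    """(user, ip) pairs for failures against accounts that really exist."""
    return sorted({(u, ip) for _, u, ip in parse_failures(text) if u in real_users})
```

Attempts against usernames that do not exist are noise; a source that shows up in both lists is the one to lock out first.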