GoFuckYourself.com - Adult Webmaster Forum


FreeHugeMovies 05-25-2016 01:58 PM

I have a website that keeps on getting hacked...
 
Custom made script, PHP. Host doesn't want to help.

Suggestions?

BigFurry 05-25-2016 02:06 PM

Step 1. Get a good PHP coder to look at the script.

Step 2. Get an actual expert to do a security audit.

If you have no money to spend, there are some tips here:
appsec - How to perform a security audit for a PHP application? - Information Security Stack Exchange

FreeHugeMovies 05-25-2016 02:07 PM

Host is telling me to go here.

https://sucuri.net

I don't want to pay a monthly fee for their firewall.

roxpoxy 05-25-2016 02:12 PM

sucuri.net is a good start.

does your script use a database? have an admin area with elevated privileges?
allow uploads of images or posting of text?

if you can, scan all files for "base64_decode(" & other common telltale signs of compromise. "can't remember off the top of my head but a quick google search should point you in the right direction".
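
The file scan suggested in the post above, written out as an added example that is not part of the original thread: it lists PHP files that call `base64_decode(` or similar decode-and-execute functions, script files sitting in an upload directory, and files changed after a known-good reference file. The extra function names in the pattern, the `uploads` directory name, the `backup.ref` file and the sample site are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Patterns other than base64_decode( and
# the directory name "uploads" are assumptions; expect some false positives.
PATTERN='(^|[^[:alnum:]_])(base64_decode|gzinflate|gzuncompress|str_rot13|eval)[[:space:]]*\('

# PHP files that call a decode-or-execute function, one path per line.
suspicious_files() {
    grep -rlIiE --include='*.php' --include='*.phtml' --include='*.inc' \
        "$PATTERN" "$1" 2>/dev/null | sort
}

# Script files inside an upload directory, where only media should live.
scripts_in_uploads() {
    find "$1" -type f -path '*/uploads/*' \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) | sort
}

# Files modified after a reference file (for example a known-good backup).
# On a site that is no longer updated, every hit needs an explanation.
changed_since() {
    find "$1" -type f -newer "$2" | sort
}

# Constructed sample site so the checks can be tried offline.
make_sample_site() {
    local root; root="$(mktemp -d)"
    mkdir -p "$root/inc" "$root/uploads"
    printf '<?php echo "hello"; ?>\n'       > "$root/index.php"
    printf '<?php $title = "My site"; ?>\n' > "$root/inc/config.php"
    # Harmless stand-in for an injected line: the string decodes to "example".
    printf '<?php @eval (base64_decode("ZXhhbXBsZQ==")); ?>\n' > "$root/inc/cache.php"
    printf '<?php echo 1; ?>\n'             > "$root/uploads/thumb.php"
    printf 'not really an image\n'          > "$root/uploads/a.jpg"
    # Backdate the original files; the two planted ones keep today's date.
    touch -t 201501010000 "$root/index.php" "$root/inc/config.php" "$root/uploads/a.jpg"
    touch -t 201601010000 "$root/backup.ref"
    printf '%s\n' "$root"
}

# Usage: ./scan.sh /path/to/webroot   (does nothing when run without arguments)
[ "$#" -eq 0 ] || { suspicious_files "$1"; scripts_in_uploads "$1"; }
```

In the sample, `inc/cache.php` is caught by the pattern scan, while `uploads/thumb.php` contains nothing the pattern matches and is caught only by the location and modification-time checks.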

FreeHugeMovies 05-25-2016 02:13 PM

Quote:

Originally Posted by roxpoxy (Post 20919461)
sucuri.net is a good start.

does your script use a database? have an admin area with elevated privileges?
allow uploads of images or posting of text?

if you can, scan all files for "base64_decode(" & other common telltale signs of compromise. "can't remember off the top of my head but a quick google search should point you in the right direction".

Yes, it does, but I don't update the website anymore.

I am afraid I am not that technical to do the simplest of programming.

Sly 05-25-2016 02:15 PM

Custom scripts often have security issues. Sometimes from laziness, sometimes because the coder simply didn't know better. Odds are your script is also on the older side, meaning no updates in years, making matters even worse.

If you care about your site, spend the money to get it patched up. Otherwise there is not much that can be done.

FreeHugeMovies 05-25-2016 02:17 PM

Quote:

Originally Posted by Sly (Post 20919470)
Custom scripts often have security issues. Sometimes from laziness, sometimes because the coder simply didn't know better. Odds are your script is also on the older side, meaning no updates in years, making matters even worse.

If you care about your site, spend the money to get it patched up. Otherwise there is not much that can be done.

Yes, that's what I am looking to do. The site doesn't bring in a whole lot of money, but it's getting hacked WEEKLY. LOL

BigFurry 05-25-2016 02:25 PM

Yeah I guess if it's possible to disable all user input (forms, uploads), and make the site "read only", that can be a solution. :p

Unless you have some bad file in your system already. :p

FreeHugeMovies 05-25-2016 02:34 PM

Quote:

Originally Posted by BigFurry (Post 20919479)
Yeah I guess if it's possible to disable all user input (forms, uploads), and make the site "read only", that can be a solution. :p

Unless you have some bad file in your system already. :p

So, if I remove all the malware, can I then make it read only and the website will be safe?

Klen 05-25-2016 02:45 PM

Quote:

Originally Posted by FreeHugeMovies (Post 20919497)
So, if I remove all the malware, can I then make it read only and the website will be safe?

If you don't plan to update site anymore, you could simply convert all content to HTML format and delete anything in PHP.

BigFurry 05-25-2016 02:58 PM

Quote:

Originally Posted by FreeHugeMovies (Post 20919455)
Host is telling me to go here.

https://sucuri.net

I don't want to pay a monthly fee for their firewall.

They could have meant this tool:
https://sitecheck.sucuri.net/

Quote:

Originally Posted by FreeHugeMovies (Post 20919497)
So, if I remove all the malware, can I then make it read only and the website will be safe?

Well your chances would definitely improve. As roxpoxy said, many breaches are done through Forms and Uploads.

But I guess it's also not impossible that some PHP scripts get hacked just by using simple URL parameters, if they're done really badly. It's not my expertise, just guessing really.

Quote:

Originally Posted by KlenTelaris (Post 20919512)
If you don't plan to update site anymore, you could simply convert all content to HTML format and delete anything in PHP.

That would work :-)

FreeHugeMovies 05-26-2016 07:14 AM

Any of you fuckers want to help and get paid for your time? =]

LMK

sandman! 05-26-2016 12:18 PM

Ask your host to change all the permissions they can to read only. Any decent managed host should have at least 1 tech with coding skills that can do this for you.
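
The read-only change described in the post above, as an added example that is not part of the original thread: it strips every write bit under a web root, then reports anything still writable and anything owned by a given account. The function names and the modes 0555/0444 are choices made for the example; the ownership check is there because an account that owns a file can give itself write permission back.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: make a web root read-only, then verify.

# Remove every write bit: directories become 0555, files 0444.
lock_down() {
    find "$1" -type d -exec chmod 0555 {} +
    find "$1" -type f -exec chmod 0444 {} +
}

# Paths that still carry a write bit for owner, group or other.
# Symlinks are skipped because their own mode bits are not enforced.
still_writable() {
    find "$1" ! -type l \( -perm -200 -o -perm -020 -o -perm -002 \) | sort
}

# Paths owned by the given user name or numeric uid. If this is the account
# PHP runs as, that account can chmod the files writable again, so read-only
# modes alone do not stop code that is already running on the site.
owned_by() {
    find "$1" ! -type l -user "$2" | sort
}

# Usage: ./lockdown.sh /path/to/webroot php-user
# (does nothing when run without arguments)
if [ "$#" -eq 2 ]; then
    lock_down "$1"
    echo "Still writable:";  still_writable "$1"
    echo "Owned by $2:";     owned_by "$1" "$2"
fi
```

An empty "Still writable" list with a non-empty "Owned by" list for the PHP account means the permissions are set as intended but can be undone from inside a compromised script.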

Colmike9 05-26-2016 12:32 PM

Quote:

Originally Posted by sandman! (Post 20921333)
Ask your host to change all the permissions they can to read only. Any decent managed host should have at least 1 tech with coding skills that can do this for you.

I use Filezilla to do that, is that as good as any other way to change permissions or is there another way that I should do it to be safer?

NatalieK 05-26-2016 12:39 PM

Quote:

Originally Posted by Colmike7 (Post 20921357)
I use Filezilla to do that, is that as good as any other way to change permissions or is there another way that I should do it to be safer?

this :2 cents:

FreeHugeMovies 05-26-2016 12:53 PM

Everything changed to read only. Let's see if I get fucked in a week or two!

TrafficRush 05-26-2016 01:16 PM

contact WOJ he can help! or quantox

celandina 05-27-2016 06:57 AM

About to launch a new site, just marking this thread in case I run into the same issues.:2 cents:

MrBeavis 05-27-2016 08:44 AM

Wordpress website?

freecartoonporn 05-27-2016 08:51 AM

contact woj, and get your php code updated and look for user input sanitization.

NatalieK 05-27-2016 09:10 AM

Quote:

Originally Posted by freecartoonporn (Post 20922764)
contact woj, and get your php code updated and look for user input sanitization.

woj is fantastic for "getting the job done" and "great service" :thumbsup


All times are GMT -7.