Web programming topics

Tony (Lieutenant, Posts: 86, Joined: Tue Jul 21, 2009 4:11 pm)
Post by Tony » Sun Nov 29, 2009 4:33 am
- Do not use ftp. Use sftp (secure ftp).
- If you have a forum or use other off-the-shelf scripts, create a subdomain as another site (package). Then the forum will be isolated from the rest of your website. If someone does hack their way in, they cannot reach anything except that forum. It is those open source scripts that always seem to get hacked. If you use one, keep it current.
- If you are running php, consider using a custom php.ini file. At a minimum you should ensure the following:
- register_globals = off The only reason to have it on is to allow poorly written scripts to execute on your site. That just invites hacking in the event of coding errors (and there always can be some coding errors). If you have a script that requires register_globals = on, fix it or dump it and get a new script.
- session.use_trans_sid = 0 This will help prevent revealing the ID of your php sessions in urls.
- Then there are a few other settings you should consider:
- Set your own upload_tmp_dir value so uploads are processed in your space rather than in a server shared directory.
- Set your own session.save_path so session files are stored in your space rather than in a server shared directory. Remember to delete these files on a regular basis. There is a script for doing that on this page.
- Chmod 750 your docroot directory. This will prevent others on your same server from looking at code and/or configuration files.
- Use file upload scripts rather than giving out ftp access to your site. If you must give out ftp access, set the ftp user so their access is to a directory above public_html. That way whatever they upload cannot be seen or executed from the net.
- Any file upload scripts should have basic protection built into the script. These protections should include file type restrictions so no one can upload any scripts or other damaging files, placing the files in an alternate directory for isolation and to ensure no key file is overwritten, file size restrictions, and upload directory size restrictions so the facility is not abused (and your site does not run out of space). You can find a file upload script with these protections on this page.
- Ensure passwords are random and contain combinations of characters, numbers and symbols. You can find a good password generator on this page (in B&T's Tool Box). And, of course, change your passwords regularly.
- Send all 403 errors to a 404 page using ErrorDocument in htaccess. There is no reason to let someone know anything is forbidden rather than not there. Why invite an attempted hack?
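As an added illustration of the upload protections listed in the post (this is not Tony's script nor the one linked on the page), a small PHP upload handler that enforces type, per-file size, directory size and isolation; the upload directory path, the limits and the permitted types are assumptions.

```php
<?php
// Added example: an upload handler applying the protections from the post.
// UPLOAD_DIR is assumed to sit outside public_html so stored files are never served or executed.
declare(strict_types=1);

const UPLOAD_DIR     = '/home/example/uploads';          // assumed location, above the docroot
const MAX_FILE_BYTES = 2 * 1024 * 1024;                  // per-file limit (assumed 2 MB)
const MAX_DIR_BYTES  = 200 * 1024 * 1024;                // whole-directory cap (assumed 200 MB)
const ALLOWED_MIME   = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'application/pdf' => 'pdf'];

// Sum the size of every regular file already in the upload directory.
function dirSizeBytes(string $dir): int {
    $total = 0;
    foreach (new DirectoryIterator($dir) as $f) {
        if ($f->isFile()) { $total += $f->getSize(); }
    }
    return $total;
}

// Validate one entry of $_FILES and store it under a server-chosen name.
function handleUpload(array $file): string {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_FILE_BYTES) {
        throw new RuntimeException('File too large');
    }
    if (dirSizeBytes(UPLOAD_DIR) + $file['size'] > MAX_DIR_BYTES) {
        throw new RuntimeException('Upload directory full');
    }
    // Determine the type from the file content, not from the client-supplied name or MIME header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('File type not permitted');
    }
    // A random server-generated name means no existing file can be overwritten
    // and no client-chosen extension ever reaches the disk.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    // move_uploaded_file() refuses anything that did not arrive via this request's POST upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the site user only, never executable
    return $dest;
}

if (isset($_FILES['upload'])) {
    try {
        echo 'Stored as ' . basename(handleUpload($_FILES['upload']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```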