Topic: General Security TIPS (Read 8608 times)
CREATIVE Options (Authorized Elxis Professional, Elxis Community, Hero Member, Posts: 2334)
General Security TIPS « on: June 22, 2008, 09:21:07 »
Tips for keeping your website secure

Here are a few Tips for keeping your website secure:

* Set up a new ftp user. Do not use your primary control panel user for ftp. That way if your ftp user/password does get compromised at least they do not have access to all your settings (although they could still get to some of them through direct file editing).

* If you have a forum or use other off-the-shelf scripts, create a subdomain as another site (package). Then the forum will be isolated from the rest of your website. If someone does hack their way in, they cannot reach anything except that forum. It is those open source scripts that always seem to get hacked. If you use one, keep it current.

* If you are running php, consider using a custom php.ini file. At a minimum you should ensure the following:
  o register_globals = off: The only reason to have it on is to allow poorly written scripts to execute on your site. That just invites hacking in the event of coding errors (and there always can be some coding errors). If you have a script that requires register_globals = on, fix it or dump it and get a new script.
  o session.use_trans_sid = 0: This will help prevent revealing the ID of your php sessions in urls.
  o Then there are a few other settings you should consider:
    + Set your own upload_tmp_dir value so uploads are processed in your space rather than in a server shared directory.
    + Set your own session.save_path so session files are stored in your space rather than in a server shared directory. Remember to delete these files on a regular basis. There is a script for doing that on this page.
  o Be sure to chmod your custom php.ini file to 600. This will prevent others from viewing the contents of the file.

* Chmod 600 any PHP script that contains secure information, like usernames and passwords. This will prevent others on your same server from looking at the code.

* Use file upload scripts rather than giving out ftp access to your site. If you must give out ftp access, set the ftp user so their access is to a directory above public_html. That way whatever they upload cannot be seen or executed from the net.

* Any file upload scripts should have basic protection built into the script. These protections should include file type restrictions so no one can upload any scripts or other damaging files, placing the files in an alternate directory for isolation and to ensure no key file is overwritten, file size restrictions, and upload directory size restrictions so the facility is not abused (and your site does not run out of space). You can find a file upload script with these protections on this page.

* Ensure passwords are random and contain combinations of characters, numbers and symbols. You can find a good password generator on this page (in B&T's Tool Box). And, of course, change your passwords regularly.

* Send all 403 errors to a 404 page using ErrorDocument in htaccess. There is no reason to let someone know anything is forbidden rather than not there. Why invite an attempted hack?
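The php.ini checks, the chmod 600 advice and the session-file cleanup the post mentions, as one added audit script. This is example code written for this page, not the script the post refers to and not part of Elxis; the directory paths under /home/example and the file names passed to checkFileMode are assumptions.

```php
<?php
// Added example (not from the forum post): audits the php.ini settings the
// post recommends, verifies mode 600 on sensitive files, and prunes stale
// session files from a custom session.save_path.
// Assumed layout: /home/example/php_private/{sessions,tmp} exists and is
// owned by the site user; php.ini and configuration.php live in public_html.

const EXPECTED_OFF = [
    'register_globals',       // must be off (removed entirely in PHP 5.4+)
    'session.use_trans_sid',  // never put the session ID into URLs
];

// Directories the post says should live in your own space, not a shared /tmp.
const PRIVATE_DIRS = [
    'upload_tmp_dir'    => '/home/example/php_private/tmp',
    'session.save_path' => '/home/example/php_private/sessions',
];

// Returns a list of human-readable problems; empty array means all checks pass.
function checkIniSettings(): array
{
    $problems = [];
    foreach (EXPECTED_OFF as $key) {
        // ini_get() returns "", "0", "off" or false for a disabled/removed directive
        $have = strtolower((string) ini_get($key));
        if (!in_array($have, ['', '0', 'off', 'false'], true)) {
            $problems[] = "$key is enabled (value '$have'); set it to off in php.ini";
        }
    }
    foreach (PRIVATE_DIRS as $key => $want) {
        $have = rtrim((string) ini_get($key), '/');
        if ($have !== rtrim($want, '/')) {
            $problems[] = "$key is '$have', expected the private directory $want";
        } elseif (!is_dir($have) || !is_writable($have)) {
            $problems[] = "$key directory $have is missing or not writable";
        }
    }
    return $problems;
}

// Returns null when $path has exactly the wanted mode, otherwise a message.
function checkFileMode(string $path, int $wantMode = 0600): ?string
{
    if (!file_exists($path)) {
        return "$path does not exist";
    }
    $mode = fileperms($path) & 0777;
    if ($mode !== $wantMode) {
        return sprintf('%s has mode %04o, expected %04o (run: chmod %o %s)',
                       $path, $mode, $wantMode, $wantMode, $path);
    }
    return null;
}

// Deletes sess_* files in $dir untouched for longer than $maxAgeSeconds.
function pruneStaleSessions(string $dir, int $maxAgeSeconds): int
{
    $removed = 0;
    $now = time();
    foreach (glob($dir . '/sess_*') ?: [] as $file) {
        if (is_file($file) && ($now - filemtime($file)) > $maxAgeSeconds && unlink($file)) {
            $removed++;
        }
    }
    return $removed;
}

// Usage: run from cron or the shell as the site user, never from the web root.
$report = checkIniSettings();
foreach (['/home/example/public_html/php.ini',
          '/home/example/public_html/configuration.php'] as $sensitive) {
    if (($msg = checkFileMode($sensitive)) !== null) {
        $report[] = $msg;
    }
}
$pruned = pruneStaleSessions(PRIVATE_DIRS['session.save_path'], 7 * 24 * 3600);

echo $report ? "Problems found:\n  " . implode("\n  ", $report) . "\n" : "php.ini and file modes OK\n";
echo "Stale session files removed: $pruned\n";
```

Run it from the command line as the site's own user so that ini_get() reflects the custom php.ini and the session directory is writable; the report lists every setting or file mode that still deviates from the post's recommendations.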
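An upload handler with the four protections the post lists (file type restriction, isolated target directory, per-file size limit, directory quota), added here as an illustration; it is not the upload script the post points to. The upload directory /home/example/private_uploads, the limits and the allowed type list are assumptions chosen for the example.

```php
<?php
// Added example, not the script the post refers to: a minimal upload handler
// with the protections listed in the post. Assumed: /home/example/private_uploads
// exists, is writable by the site user, and sits outside public_html so nothing
// stored there can be served or executed by the web server.

const UPLOAD_DIR     = '/home/example/private_uploads';
const MAX_FILE_BYTES = 2 * 1024 * 1024;    // 2 MB per file
const MAX_DIR_BYTES  = 200 * 1024 * 1024;  // 200 MB for the whole upload directory
const ALLOWED_TYPES  = [                    // extension => MIME type the content must have
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

// Total bytes currently stored under $dir (recursive).
function directorySize(string $dir): int
{
    $total = 0;
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $entry) {
        $total += $entry->getSize();
    }
    return $total;
}

// $file is one entry of $_FILES. Returns null when acceptable, else a reason.
function validateUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed with error code ' . (int) ($file['error'] ?? UPLOAD_ERR_NO_FILE);
    }
    if ($file['size'] > MAX_FILE_BYTES) {
        return 'file exceeds ' . MAX_FILE_BYTES . ' bytes';
    }
    // The client-supplied name and type are untrusted: the extension only selects
    // an allow-list entry, and the real content type is sniffed from the bytes.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return "extension '$ext' is not allowed";
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return "content type $mime does not match extension $ext";
    }
    if (directorySize(UPLOAD_DIR) + $file['size'] > MAX_DIR_BYTES) {
        return 'upload directory quota exceeded';
    }
    return null;
}

// Moves a validated upload into UPLOAD_DIR under a random server-chosen name,
// so no part of the uploader's filename becomes a path and nothing is overwritten.
function storeUpload(array $file): string
{
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0640); // readable by the site user only, never executable
    return $dest;
}

// Usage: form field <input type="file" name="upload"> posted to this script.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upload'])) {
    $error = validateUpload($_FILES['upload']);
    if ($error !== null) {
        http_response_code(400);
        echo 'Rejected: ' . htmlspecialchars($error);
    } else {
        echo 'Stored as ' . htmlspecialchars(basename(storeUpload($_FILES['upload'])));
    }
}
```

Keeping the target directory above public_html is what makes the type check a second line of defence rather than the only one: even if a disallowed file slipped through, the web server would never execute it from there.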
Farhad Sakhaei (Elxis Community, Hero Member, Posts: 1190)
Re: General Security TIPS « Reply #1 on: June 22, 2008, 10:00:26 »
I think using SuPHP will increase your security, and also you don't need to change any permissions or use an ftp account for writing to files and folders ...