Author Topic: 6 TIPS TO SECURE YOUR WEBSITE  (Read 681 times)

Offline Webm
Most people on the Internet are good, honest people. However, there are some people browsing the Internet who get their fun from poking around websites and finding security holes. A few simple tips can help you secure your website in basic ways. Now, obviously, the subject of data security is complicated and beyond the scope of this column. However, I will address the basics one should do, which will alleviate many potential problems that could let people see things they should not.

Directory Password Protection

If you have a directory on your server which should remain private, do not depend on people not knowing the name of the directory. It is better to password protect the folder at the server level. Over 50% of websites out there are powered by Apache, so let's look at how to protect a directory in Apache.

Apache takes configuration commands through a file called .htaccess, which sits in the directory. Commands in .htaccess apply to that folder and any subfolders, unless a sub-folder has its own .htaccess file inside. To password protect a folder, Apache also uses a file called .htpasswd. This file contains the names and passwords of the users granted access. The password is encrypted, so you must use the htpasswd program to create the passwords. To access it, go to the command line of your server and type htpasswd. If you get a "command not found" error, then you need to contact your system administrator. Also, keep in mind that many web hosts offer web-based ways to secure a directory, so they may have things set up for you to do it that way instead of on your own. Barring that, let's continue.

Type "htpasswd -c .htpasswd myusername" where "myusername" is the username you want. You are then prompted for a password. Confirm it and the file is created. You can check this via FTP. Also, if the file is inside your web folder, you should move it so that it is not accessible to the public. Now, create or open the .htaccess file. Inside, include the following:

AuthUserFile /home/www/passwd/.htpasswd
AuthGroupFile /dev/null
AuthName "Secure Folder"
AuthType Basic

Require valid-user

In the first line, set the directory path to wherever your .htpasswd file is. Once this is in place, a login dialog will pop up when you visit that folder on your website. You must log in to see its contents.

Turn off directory listings

By default, any directory on your website that does not have a recognized start page file (index.php, index.htm, default.htm, etc.) will instead display a list of all the files in that folder. You may not want people to see everything you have in there. The easiest way to protect against this is to simply create a blank file, name it index.htm and then upload it to the folder. The second option is, once again, to use the .htaccess file to disable directory listing. To do this, simply include the line "Options -Indexes" in the file. Now, users will receive a 403 error instead of a file list.

Remove install files

If you install software and scripts on your site, they often come with installation and/or upgrade scripts. Leaving these on the server opens up a huge security problem, because anyone familiar with that software can find and run the install/upgrade scripts and thus reset your database, configuration files, etc. A well-written software package will warn you to remove these items before allowing you to use the software. However, make sure that this has been done. Simply delete the files from your server.

Keep up with security updates

Those who run software packages on their website need to keep up with the updates and security alerts associated with that software. Not doing so can leave you wide open to hackers. In fact, many times a security hole is discovered and reported publicly, and there is a delay before the software's creator can release a patch for it. Anyone so inclined can find your site running the software and exploit the vulnerability if you have not updated. I myself have been burned by this a few times, having entire forums destroyed and having to restore from backup. It happens.

Reduce the level of error reporting

Speaking mostly for PHP here because that is what we work in, errors and warnings generated by PHP are, by default, printed with complete information to your browser. The problem is that these errors often contain the full directory paths of the scripts in question. That gives away too much information. To alleviate this, reduce the level of PHP error reporting. You can do this in two ways. One is to adjust your php.ini file. This is the main PHP configuration on your server. Look for the error_reporting and display_errors directives. However, if you do not have access to this file (many on shared hosting do not), you can also reduce the level of error reporting with PHP's error_reporting() function. Include this in a global file of your scripts so that it works across the board.

Secure forms

Forms open up a big hole on your server for hackers if they are not properly coded. Since these forms are usually submitted to a script on the server, sometimes with access to your database, a form that does not provide some protection can offer a hacker direct access to all sorts of things. Please note ... just because you have an address field that says "Address" in front of it does not mean you can trust people to enter their address in that field. Imagine that your form is not properly coded and the script it submits to is not either. What is to stop a hacker from entering an SQL query or programming code in the address field? With this in mind, here are some things to do and consider:

Use MaxLength. Input fields in forms can use the maxlength attribute in the HTML code to limit the length of the input. Use this to keep people from entering WAY too much data. This will stop most people. A hacker can bypass it, so you must also protect against information overrun at the script level.

Hide email. If you are using a form-to-mail script, do not include the email address in the form itself. It defeats the point, and spam spiders can still find your email address.

Use form validation. I will not go into a lesson on programming here, but any script that a form submits to should validate the information received. Make sure the fields received are the fields expected. Check that the input data is of reasonable and expected length and format (in the case of emails, phone numbers, zip codes, etc.).

Avoid SQL injection. A complete lesson on SQL injection can be reserved for another article; however, the basics are that form input is allowed to be inserted directly into an SQL query without validation, which gives a hacker the ability to execute SQL queries through your web form. To avoid this, always check the type of the input data (numbers, strings, etc.), run proper form validation as described above, and write your queries so that a hacker cannot insert anything into the form that would make the query do something you did not intend.


Website security is a very complicated subject and it gets much more technical than this. However, I have given a basic primer on some of the easiest things you can do on your site to alleviate most of the threats to your website.
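The error-reporting tip above, as an added example that is not part of the original post: a global include that keeps error details (and the script paths they contain) out of the browser while still recording them in a log. The file name bootstrap.php and the log path are assumptions.

```php
<?php
// bootstrap.php (hypothetical name): include this first from every script.

// Keep recording problems internally...
error_reporting(E_ALL);

// ...but never print them, with their full script paths, to visitors.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');

// Write errors to a log file outside the web folder (assumed path).
ini_set('log_errors', '1');
ini_set('error_log', '/home/www/logs/php-error.log');

// Uncaught exceptions: log the detail, show the visitor a generic message.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf(
        'Uncaught %s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
    ));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'Something went wrong. Please try again later.';
});
```

Settings made at run time do not cover parse errors in the script that contains them, so where you do have access, set display_errors off in php.ini as well.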
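The form validation and SQL injection tips above, as an added example that is not part of the original post: the receiving script checks that the fields are the expected ones, enforces length and format on the server, and passes the values to the database through placeholders. The form fields, the contacts table and the in-memory SQLite database are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);
// Expected fields and their maximum lengths in bytes (assumed form).
const FIELDS = ['name' => 60, 'email' => 254, 'address' => 200];

/** Returns [cleanValues, errors] for a submitted form array. */
function validate_form(array $input): array
{
    $clean = $errors = [];
    // Reject fields the form never contained.
    foreach (array_diff(array_keys($input), array_keys(FIELDS)) as $extra) {
        $errors[] = "unexpected field: $extra";
    }
    foreach (FIELDS as $field => $max) {
        $value = $input[$field] ?? '';
        if (!is_string($value) || trim($value) === '') {
            $errors[] = "$field is required";
            continue;
        }
        $value = trim($value);
        // Server-side length check: maxlength in the HTML can be bypassed.
        if (strlen($value) > $max) {
            $errors[] = "$field is too long";
            continue;
        }
        $clean[$field] = $value;
    }
    if (isset($clean['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return [$clean, $errors];
}

// Constructed sample submission: the address field carries SQL text.
$post = ['name' => 'Ann', 'email' => 'ann@example.com',
         'address' => "1 Main St'); DROP TABLE contacts; --"];
[$clean, $errors] = validate_form($post);
if ($errors !== []) {
    exit(implode("\n", $errors) . "\n");
}

$db = new PDO('sqlite::memory:');   // in-memory database for the demo
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (name TEXT, email TEXT, address TEXT)');
// Placeholders keep the submitted values out of the SQL text entirely.
$stmt = $db->prepare('INSERT INTO contacts (name, email, address) VALUES (:name, :email, :address)');
$stmt->execute($clean);
echo $db->query('SELECT COUNT(*) FROM contacts')->fetchColumn(), " row stored\n";
```

The address passes validation because it is a plausible-length string, and the placeholder is what keeps it from being run as SQL: it is stored as plain text and the table is untouched.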

