6 Tips To Secure Your Website


Most people online are honest. But some of the people browsing the internet enjoy poking around websites and finding security holes. A few straightforward steps will secure your website in the fundamental ways. Information security as a whole is a complicated subject and far beyond the scope of this column, so I will stick to the basics: the things everyone should do that remove the most common ways for people to find what they should not.

Password Protecting Directories

If you have a directory on your server that should stay private, do not rely on people failing to guess its name. It is far better to password protect the folder at the server level. Apache powers a large share of the sites out there, so let us look at how to password protect a directory on Apache.

Apache takes configuration directives from a file called .htaccess that sits in the directory. The directives in .htaccess apply to that folder and every sub-folder, unless a sub-folder has its own .htaccess file that overrides them. To password protect a folder, Apache also uses a file called .htpasswd. This file holds the usernames and password hashes of the users who are allowed in. The passwords are stored hashed, not in plain text, which is why you use the htpasswd program to create the entries rather than editing the file by hand. To check that it is available, go to the command line of your server and type htpasswd. If you get a "command not found" error, contact your system administrator. Also remember that many web hosts provide a web-based way to password protect a directory from the control panel, so they may have things set up for you to do it that way instead. Barring that, let us continue.

Type "htpasswd -c .htpasswd myusername", where "myusername" is the username you want. You will then be asked for a password; confirm it and the file is created. The -c flag creates the file, overwriting one that already exists, so leave it off when adding further users to an existing file. Recent versions of htpasswd also accept -B to store a bcrypt hash instead of the default MD5-based one, which is the better choice where it is supported. You can double check the file via FTP. If the file sits inside your web folder, move it somewhere outside the document root so the general public cannot download it. Then open or create your .htaccess file in the folder you want to protect and add the following:

# absolute path to the password file, kept outside the document root
AuthUserFile /home/www/passwd/.htpasswd
AuthGroupFile /dev/null
# text shown in the browser's login dialog
AuthName "Secure Folder"
AuthType Basic
# any user listed in the .htpasswd file may enter
Require valid-user

On the AuthUserFile line, set the absolute path to wherever your .htpasswd file lives. Once this is in place, you will get a login dialog when visiting that folder on your site, and you will have to log in to view it. Two caveats. First, Apache only honours these directives in .htaccess where the server configuration permits it (AllowOverride AuthConfig, or All, for that directory), so test by requesting the folder in a browser and confirming that you are actually challenged. Second, Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so serve the protected folder over HTTPS.

Switch Off Directory Listings

By default, any directory on your site that does not contain a known index page (index.htm, index.php, default.htm, etc.) will instead display a listing of all the files in that folder. You may not want people to see everything you have in there. The simplest way to prevent this is to create a blank file, name it index.htm and upload it into the folder. The other option is to use the .htaccess file to disable directory listings: add the line "Options -Indexes" to the file, and visitors will get a 403 Forbidden error instead of a list of files. Note that neither approach stops someone who already knows a file's name from fetching it directly; for that you need the password protection above, or to keep the files outside the web root altogether.

Remove Install Files

When you install applications and scripts on your site, they often come with installation and/or upgrade scripts. Leaving these on your server is a serious security problem: anyone who recognises the software can find and run your install/upgrade scripts and, with them, reset your entire database or rewrite your configuration files. A well written software package will warn you to remove these files before it lets you use the software, but do not assume that; check that it has been done. Simply delete the files from the server, then request their old URLs in a browser to confirm they are gone.

Keep Up with Security Upgrades

Anyone who runs application packages on their site needs to keep up with updates and security alerts for that software. Failing to do so leaves you open to hackers. Many times a glaring security hole is found and reported, and there is a lag before the software's developer can release a patch for it. Anyone so inclined can find your website running the program and exploit the vulnerability if you have not updated. I myself have been burned by this a couple of times, having entire forums destroyed and having to restore from backup. It happens.

Reduce Your Error Reporting Level

I am talking mainly about PHP here, since that is what I work in. Errors and warnings generated by PHP are, by default, printed with full detail to the browser. The problem is that these messages usually contain full directory paths to the scripts in question, and sometimes fragments of queries or configuration. That is far too much information to hand out. The goal is not so much to report fewer errors as to stop showing them to visitors while still recording them for yourself. You can do this in two ways. One is to adjust your php.ini file, the main configuration file for PHP on your server: look for the display_errors, log_errors and error_reporting directives, turn display_errors off and log_errors on. If you do not have access to that file (many people on shared hosting do not), you can set the same things at runtime with the error_reporting() and ini_set() functions of PHP. Put this in a global file that all your scripts include first, so that it takes effect across the board. One limitation: a runtime setting can only take effect once PHP has parsed and started running the file that contains it, so it cannot hide a parse error in that file itself or an error raised during PHP startup; only php.ini covers those.
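The following is an added example written for this page, not code from the original article. It shows the php.ini settings and their runtime equivalent side by side, plus an error handler that logs the full message (with file and line) on the server while sending the browser only a generic message. The log path /home/www/logs/php_errors.log is an assumption; use a location outside your web root.

```php
<?php
// Added example (not from the article): keep full error detail in the server log,
// show the browser only a generic message.

// Equivalent php.ini settings, for those who can edit it:
//   error_reporting = E_ALL
//   display_errors  = Off
//   log_errors      = On
//   error_log       = /home/www/logs/php_errors.log   (assumed path, outside the web root)

// Runtime equivalent, for shared hosting. Put this in a file that every script
// includes before it does anything else. ini_set() cannot suppress a parse error
// in the file that contains it, so keep this file small and syntactically trivial.
error_reporting(E_ALL);                                 // still report everything...
ini_set('display_errors', '0');                         // ...but never to the browser
ini_set('log_errors', '1');
ini_set('error_log', '/home/www/logs/php_errors.log');  // assumed path

// Belt and braces: a handler that logs the real message server-side and emits a
// path-free message to the client. Returning true stops PHP's default handler,
// which is the one that would print the path to the browser.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false; // suppressed with @ or by error_reporting(); leave it to PHP
    }
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    if (in_array($errno, [E_USER_ERROR, E_RECOVERABLE_ERROR], true)) {
        http_response_code(500);
        echo 'An internal error occurred.';
        exit(1);
    }
    return true;
});

// Uncaught exceptions would otherwise print a stack trace with full paths.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('Uncaught %s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred.';
});

// Trigger one of each to check the setup: both land in the log, neither reaches the page.
trigger_error('warning for the log, not the browser', E_USER_WARNING);
echo 'page content continues normally', PHP_EOL;
```

Check it by requesting a page that includes this file and confirming the warning appears in the log file and not in the HTML; then deliberately add a syntax error to a separate script and note that it still needs php.ini (or the host's control panel) to be hidden.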

Secure Your Forms

Forms open a wide hole into your server for hackers if you do not code them properly. Because a form is submitted to a script on your server, often one that talks to a database, a form that does not enforce any checks can give a hacker direct access to all sorts of things. Remember: just because you have an address field with "Address" printed in front of it does not mean you can trust people to enter an address in it. Imagine the form is not properly coded and neither is the script it submits to. What stops a hacker from entering an SQL query or HTML code in that address field? With that in mind, here are a few things to do and look for:

Use MaxLength. Input fields in a form can use the maxlength attribute in the HTML to limit the length of what is entered. Use it to keep people from submitting WAY too much data. It will stop most people, but a hacker can bypass it trivially (the browser enforces it, not your server), so you must guard against oversized input at the script level as well.

Hide Emails. If you use a form-to-mail script, do not put the destination email address in the form itself, for example in a hidden field. It defeats the purpose, spam spiders can still harvest the address, and anyone can change the hidden value and use your script to send mail to whoever they like. Keep the recipient address in the script's configuration on the server.

Use Form Validation. I will not turn this into a programming lesson, but any script that a form submits to should validate its input. Make sure the fields received are the fields expected, and nothing else. Check that the incoming data is of a reasonable and expected length and in the proper format (for emails, phone numbers, zip codes, and so on), and reject anything that does not fit rather than trying to clean it up.

Prevent SQL Injection. A full lesson on SQL injection deserves a guide of its own, but the basics are this: form input is pasted directly into an SQL query without validation, which gives a hacker the ability to run SQL queries of their own through your web form. To prevent it, check the data type of incoming data (strings, numbers, etc.), do proper form validation as above, and write your queries so that nothing a hacker puts in the form can change what the query does. The reliable way to achieve that last point is prepared statements with bound parameters, where the query text is fixed and the values are sent separately.
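The following is an added example written for this page to illustrate the validation and SQL injection points above; it is not code from the original article. It assumes a table customers(name, email, address, zip) and uses an in-memory SQLite database through PDO so it can be run as-is; the submitted values are constructed sample input. It shows the server-side checks (expected fields only, length limits, formats, no header-injection characters), then the vulnerable string-built query beside its prepared-statement replacement, run against the same injection payload.

```php
<?php
// Added example (not from the article). Assumes customers(name, email, address, zip).

// Constructed sample input: an unexpected field, a CRLF in the name (mail header
// injection attempt) and a zip field carrying a classic SQL injection payload.
$submitted = [
    'name'    => "Alice Example\r\nBcc: victim@example.net",
    'email'   => 'alice@example.com',
    'address' => '1 Main St',
    'zip'     => "12345' OR '1'='1",
    'extra'   => 'unexpected field',
];

/** Validate the form. Returns [cleanData, errors]; cleanData is empty unless errors is. */
function validate_contact_form(array $input): array
{
    // expected field => maximum length enforced here, whatever maxlength the HTML said
    $expected = ['name' => 100, 'email' => 254, 'address' => 200, 'zip' => 10];
    $errors = [];
    $clean  = [];

    foreach (array_keys(array_diff_key($input, $expected)) as $field) {
        $errors[] = "unexpected field: $field";
    }
    foreach ($expected as $field => $maxLen) {
        $value = $input[$field] ?? '';
        if (!is_string($value)) {                 // name[]=x arrives as an array
            $errors[] = "$field: wrong type";
            continue;
        }
        $value = trim($value);
        if ($value === '' || strlen($value) > $maxLen) {
            $errors[] = "$field: missing or too long";
            continue;
        }
        if (preg_match('/[\r\n]/', $value)) {     // would inject headers in a mail script
            $errors[] = "$field: line breaks not allowed";
            continue;
        }
        $clean[$field] = $value;
    }
    if (isset($clean['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: invalid format';
    }
    if (isset($clean['zip']) && !preg_match('/^\d{5}(-\d{4})?$/', $clean['zip'])) {
        $errors[] = 'zip: expected 12345 or 12345-6789';
    }
    return $errors ? [[], $errors] : [$clean, []];
}

// VULNERABLE: the value is pasted into the query text, so the payload above turns
// the WHERE clause into  zip = '12345' OR '1'='1'  and matches every row.
function find_customers_vulnerable(PDO $db, string $zip): array
{
    $sql = "SELECT name, email FROM customers WHERE zip = '$zip'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the query text is fixed and the value is bound as a parameter, so
// whatever it contains is compared as data and never parsed as SQL.
function find_customers_safe(PDO $db, string $zip): array
{
    $stmt = $db->prepare('SELECT name, email FROM customers WHERE zip = :zip');
    $stmt->execute([':zip' => $zip]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against an in-memory database (a real site connects to its own).
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // let the database itself do the binding
]);
$db->exec('CREATE TABLE customers (name TEXT, email TEXT, address TEXT, zip TEXT)');
$db->exec("INSERT INTO customers VALUES ('Bob', 'bob@example.com', '2 Oak Ave', '90210'),
                                       ('Carol', 'carol@example.com', '3 Elm Rd', '10001')");

$payload = $submitted['zip'];
printf("vulnerable query returned %d rows\n", count(find_customers_vulnerable($db, $payload))); // 2
printf("prepared statement returned %d rows\n", count(find_customers_safe($db, $payload)));   // 0

[$clean, $errors] = validate_contact_form($submitted);
foreach ($errors as $e) {
    echo 'rejected: ', htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "\n";
}
```

Run it with the PHP command line (php example.php). The vulnerable function returns both rows for the injected zip while the prepared statement returns none, and the validator rejects the submission on four counts (the extra field, the line break in the name, the zip format, and as a consequence nothing reaches the database). Validation and prepared statements are not alternatives: validation keeps bad data out of your application, and prepared statements keep any data, bad or good, from becoming part of the query.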

Conclusion

Website security is a fairly involved subject, and it gets a great deal more technical than this. Nevertheless, I have given you a basic primer on some of the easier things you can do on your site to head off the majority of threats to it.

Written by sodiart
I am the owner of Sodiart