Can somebody help me with securing my website? It's not new, so it's not at risk now, but I want to begin securing it from hackers. Can someone guide me through it? I want to be secure from SQL injection and everything else.
#1 Restrict access to administrative folders.
#2 Disable directory browsing.
#3 Add captcha to further restrict.
#4 SQL injection attacks. These can allow hackers to execute arbitrary SQL commands on your database through your Web site. To avoid this type of attack, every piece of data supplied by a user on a Web form must be sanitized/validated so that it does not contain information that is not expected.
You can use PHP scripts to sanitize, so that data that gets into the database is free from attacking statements.
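Points #1 and #2 above in one place, as an added example that is not part of the original post: two .htaccess files for an Apache host that honours .htaccess overrides (AllowOverride). The folder names, the client IP address and the file patterns are assumptions; adjust them to your own layout.

```apacheconf
# ---- /public_html/.htaccess (site root; example, paths assumed) ----

# #2 Disable directory browsing: a request for a folder that has no index
# file now returns 403 Forbidden instead of a listing of its contents.
Options -Indexes

# Never serve files that only the server itself should read: the .htaccess
# files, the database config, and stray backups, dumps and logs.
# (Apache 2.4 syntax; on Apache 2.2 use "Order allow,deny" / "Deny from all".)
<FilesMatch "^(\.htaccess|\.htpasswd|config\.php|.*\.(bak|sql|log))$">
    Require all denied
</FilesMatch>

# ---- /public_html/admin/.htaccess (administrative folder; example) ----

# #1 Restrict the admin folder to your own address(es); 203.0.113.5 is a
# placeholder. This sits in front of, and does not replace, the admin login.
# (Apache 2.2: "Order deny,allow" / "Deny from all" / "Allow from 203.0.113.5".)
Require ip 203.0.113.5
```

Check it the way an attacker would: after uploading, request a folder URL with no index file (you should get 403, not a file list), request /config.php directly (403), and request /admin/ from a connection that is not on the allowed address (403). If the listing still appears, your host has AllowOverride off for that directory and the setting has to go in the server config instead.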
How do I disable directory browsing?
You can't just say "How can I make my site secure?" and then we'll tell you how to secure it; it's a bit more complicated than that. You haven't even given us a URL.
Regarding SQL injections, it's a huge area, but if you use something like PDO and prepared statements, you should be fairly secure.
If your website involves money, you may want to consider paying for a security audit. From what I've heard, it's fairly expensive - I've heard $100 an hour at 1000 lines of code an hour, but it will obviously take less time if it is well documented and well laid out. You may be able to hire a nub like me to do it for you. It'll be cheaper, and not as good quality, but they would probably get the job done.
~Callum
Last edited by callumacrae; 04-14-2011 at 12:05 PM.
I can customise your phpBB board. Send me a PM.
lynxphp - info, tutorials and scripts
"A forum post should be like a skirt; long enough to cover the subject but short enough to keep things interesting."
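Callum's point about PDO and prepared statements, as an added example that is not part of the original post: the same user lookup written first with string concatenation and then with a prepared statement. It runs against a constructed in-memory SQLite database so no server is needed; the table name, columns and sample rows are assumptions for the demo.

```php
<?php
// Added example (not from the original thread). Requires the pdo_sqlite
// extension, which ships with stock PHP builds.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: a users table with two rows (assumed schema).
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$insert = $db->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
$insert->execute([':u' => 'alice', ':e' => 'alice@example.com']);
$insert->execute([':u' => 'bob',   ':e' => 'bob@example.com']);

// VULNERABLE: the user's input becomes part of the SQL text, so a quote in
// the input ends the string literal and the rest is parsed as SQL.
function findUserVulnerable(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the SQL text is constant; the value is sent separately as a bound
// parameter and can only ever be compared as data, never parsed as SQL.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A classic injection payload: closes the quoted string, then makes the
// WHERE clause true for every row.
$attack = "' OR '1'='1";

printf("vulnerable query returned %d row(s)\n", count(findUserVulnerable($db, $attack)));
printf("prepared query returned %d row(s)\n",   count(findUserSafe($db, $attack)));
printf("prepared query for 'alice' returned %d row(s)\n", count(findUserSafe($db, 'alice')));
```

The concatenated version hands back every user for the payload, because the query it actually runs is `... WHERE username = '' OR '1'='1'`; the prepared version looks for a user whose name is literally `' OR '1'='1` and finds nothing, while still finding `alice` normally. Two caveats a practitioner will want: parameters can only replace values, not table or column names or `ORDER BY` targets, so those must come from a whitelist in your code; and on MySQL set `PDO::ATTR_EMULATE_PREPARES` to `false` so the prepare is done by the server rather than by client-side escaping.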
I don't see how to add that line to my .htaccess, because if I try to create .htaccess it says it exists, and if I browse I don't see it, but if I search it will appear. All I can do from there is double-click it, and it takes me to public_html.
It's a hidden file: UNIX files that begin with a dot (.) are not displayed by default. If you're using the cPanel file manager you can use the settings in the top left, or if you're using FTP your client will have an option in the preferences. If you're using SSH like a true man, use ls -a.
Passwords: 083049llewoL!@amroN
Usernames: The admin user should not be 'admin' or 'root'
That applies to all levels of your site. cPanel/FTP. Admin access to your software (WordPress, Drupal).
Many of the scripts have security plugin/mods. Check them out and use one.
Most scripts have "roles" for users. Interactive is nice, but consider only giving out the most restrictive "roles" you can.
Where possible, store files outside of the document root. If they don't have to be accessible from the Web, they shouldn't be.
Nothing is always absolutely so.