
Thread: Top tips for securing your website.

  1. #1
    Fearghal is offline x10 Lieutenant Fearghal is an unknown quantity at this point
    Join Date
    May 2008
    Location
    UK
    Posts
    286

    Top tips for securing your website.

    OK, after having a conversation with someone and realising how much security their site lacked, I have decided to write some tips.
    1. If you have an admin dir (/admin), put a .htaccess in there! (Do NOT use the same username or password as your login account.)
    2. If possible, use SSL to encrypt your login sequence. (Comodo do certs for free!)
    3. Test out security! If you have denied access to a certain rank or group, log in with permissions from that group and see if your security settings actually work.
    4. Do not use strong passwords, use SUPER STRONG UNCRACKABLE CIA STYLE passwords. Hackers can almost guess your password if they study you! If you think your passwords are overkill, then add 3 more characters and you're done. Be sure to use caps, lower case, numbers and special chars. It's better if it's something totally random. 7Gdx56)*gdxoiYs7ejs)37djKKs7ej is better than 500'000 different numbers.
    5. Do not make anyone you have not known for at least 5 years a rank which has admin level access.
    6. Always delete the install dir, whether it's locked or not.
    7. If there is a new security update for software you have, use it!
    8. Including an empty index.html file in your unaccessed directories will prevent anyone from browsing the otherwise wide-open directory. (For example, a Backup dir, which is a SERIOUS security risk.)
    9. If you do have auto-backups, ensure the computer gives them some sort of random name like "Backup_55651615" to prevent a threat downloading your database with user info protected by the DPA (Data Protection Act).
    10. CHMOD your files to stop users making unauthorised changes. This is obviously a serious risk.

      (*Tip: Chmod your .htpasswd files 640, .htaccess files 644. Chmod files that you really don't want people to see as 400 (config.php) and NEVER chmod 777; if something requires write access, use 766 first, then 775.)

    I really hope you all listen to these suggestions, because if one site's security is compromised, so is every other site on the same server, unless x10hosting have ensured all sites are on different partitions, which I doubt.

    However, I have no doubt x10 has taken extensive security measures; so should you.

    Thanks for reading.

    If you have any more security suggestions I have not mentioned, please post them here. Thanks.
    If I helped you, please rep me!
    -Fearghal

  2. #2
    tittat is offline x10 Spammer tittat is an unknown quantity at this point
    Join Date
    Sep 2007
    Location
    Kerala,India
    Posts
    2,479

    Re: Top tips for securing your website.

    Thanks Fearghal for these simple but great tips!
    Former X10 Forum Senior Moderator(Retired)


  3. #3
    sunils is offline x10 Spammer sunils is an unknown quantity at this point
    Join Date
    Jan 2008
    Location
    Chennai ,India
    Posts
    2,264

    Re: Top tips for securing your website.

    Thanks for the great tips
    Sunil Sankar

  4. #4
    Fearghal is offline x10 Lieutenant Fearghal is an unknown quantity at this point
    Join Date
    May 2008
    Location
    UK
    Posts
    286

    Re: Top tips for securing your website.

    You're welcome guys :happysad:
    Last edited by Fearghal; 10-17-2008 at 09:53 AM.
    If I helped you, please rep me!
    -Fearghal

  5. #5
    Myokram is offline x10Hosting Member Myokram is an unknown quantity at this point
    Join Date
    Oct 2008
    Posts
    30

    Re: Top tips for securing your website.

    Thanks for this guide ;).
    Quote Originally Posted by fearghal View Post
    Including an empty index.html file in your unaccessed directories will prevent anyone from browsing the otherwise wide-open directory. (For example, a Backup dir, which is a SERIOUS security risk.)
    There are other ways to do so. I think it's much better to use .htaccess:

    Code:
    deny from all
    This will prevent access to a directory, and the files and subdirectories within it, using a browser request. Scripts running server-side will still be able to, though. This is best for backup folders, protected files like "includes" scripts, etc.

    Another option is
    Code:
    Options -Indexes
    This will prevent listing a directory's contents when there is no index page. However, files will still be accessible using a browser. This is recommended for image folders, JavaScript folders, etc.

    Greets!
    I have no signature. Looks much better like this

  6. #6
    Fearghal is offline x10 Lieutenant Fearghal is an unknown quantity at this point
    Join Date
    May 2008
    Location
    UK
    Posts
    286

    Re: Top tips for securing your website.

    Quote Originally Posted by Myokram View Post
    Thanks for this guide ;).

    There are other ways to do so. I think it's much better to use .htaccess:

    Code:
    deny from all
    This will prevent access to a directory, and the files and subdirectories within it, using a browser request. Scripts running server-side will still be able to, though. This is best for backup folders, protected files like "includes" scripts, etc.

    Another option is
    Code:
    Options -Indexes
    This will prevent listing a directory's contents when there is no index page. However, files will still be accessible using a browser. This is recommended for image folders, JavaScript folders, etc.

    Greets!
    Good idea! Thanks for adding. Although, without the listing they cannot point their browser to the download. However, a .htaccess is a great idea.
    Last edited by Fearghal; 10-17-2008 at 10:29 AM.
    If I helped you, please rep me!
    -Fearghal

  7. #7
    Myokram is offline x10Hosting Member Myokram is an unknown quantity at this point
    Join Date
    Oct 2008
    Posts
    30

    Re: Top tips for securing your website.

    Preventing directory listing doesn't affect access to the files within it. Images included in an HTML page will be displayed with no problem. The first method (deny from all) makes all files inaccessible. If there are images in a directory protected with a 'deny from all' rule, then we cannot link to them from HTML pages or reach them by writing the URL directly in the browser. That is the difference between the two.

    Greets!
    Last edited by Myokram; 10-17-2008 at 01:53 PM.
    I have no signature. Looks much better like this
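
    The distinction drawn in the posts above, as an added example that is not part of the original thread: a static check that walks a web root and labels each directory by which of the three controls discussed (deny from all, Options -Indexes, an index file) applies to it. It assumes the server honours .htaccess files, lists directories by default and uses the index names shown; it ignores rules in a subdirectory that re-enable access, and the sample tree is constructed.

```python
import os
import re

INDEX_NAMES = ("index.html", "index.htm", "index.php")  # assumed DirectoryIndex list
# "Require all denied" is the Apache 2.4 spelling of "deny from all".
DENY_ALL = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
NO_INDEXES = re.compile(r"^\s*Options\b.*-Indexes\b", re.I | re.M)

def classify(root):
    """Return {relative_dir: 'blocked' | 'no-listing' | 'listable'}."""
    inherited = {root: (False, False)}  # dir -> (denied, listing_off)
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        denied, listing_off = inherited[dirpath]
        if ".htaccess" in filenames:
            with open(os.path.join(dirpath, ".htaccess")) as fh:
                text = fh.read()
            denied = denied or bool(DENY_ALL.search(text))
            listing_off = listing_off or bool(NO_INDEXES.search(text))
        for name in dirnames:  # .htaccess rules also cover subdirectories
            inherited[os.path.join(dirpath, name)] = (denied, listing_off)
        if denied:
            state = "blocked"      # no file here is served to a browser
        elif listing_off or any(n in filenames for n in INDEX_NAMES):
            state = "no-listing"   # names hidden, files still served by URL
        else:
            state = "listable"     # server may show every file name
        result[os.path.relpath(dirpath, root)] = state
    return result

def build_sample_site(root):
    """Constructed sample docroot: relative path -> file content."""
    files = {
        "index.html": "<h1>home</h1>",
        "backup/.htaccess": "deny from all\n",
        "backup/old/Backup_55651615.sql": "-- dump",
        "images/.htaccess": "Options -Indexes\n",
        "images/logo.png": "png",
        "js/app.js": "// code",
        "docs/index.html": "",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
```

    Only a directory labelled "blocked" keeps a backup file out of reach of someone who already knows or guesses its URL.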

  8. #8
    Fearghal is offline x10 Lieutenant Fearghal is an unknown quantity at this point
    Join Date
    May 2008
    Location
    UK
    Posts
    286

    Re: Top tips for securing your website.

    Quote Originally Posted by Myokram View Post
    Preventing directory listing doesn't affect access to the files within it. Images included in an HTML page will be displayed with no problem. The first method (deny from all) makes all files inaccessible. If there are images in a directory protected with a 'deny from all' rule, then we cannot link to them from HTML pages or reach them by writing the URL directly in the browser. That is the difference between the two.

    Greets!
    Thank you for sharing that point with us
    If I helped you, please rep me!
    -Fearghal

  9. #9
    Starshine is offline Legend Killer Starshine is an unknown quantity at this point
    Join Date
    Jul 2006
    Location
    U.S.A.
    Posts
    7,211

    Re: Top tips for securing your website.

    You state in #2 about Comodo. Their free SSL certs are only good for 90 days.

    Do you happen to have any that are for longer?
    ( Like something that you renew once a year for free? )

  10. #10
    Fearghal is offline x10 Lieutenant Fearghal is an unknown quantity at this point
    Join Date
    May 2008
    Location
    UK
    Posts
    286

    Re: Top tips for securing your website.

    Quote Originally Posted by Starshine View Post
    You state in #2 about Comodo. Their free SSL certs are only good for 90 days.

    Do you happen to have any that are for longer?
    ( Like something that you renew once a year for free? )
    I'm sorry, I didn't realise this was only valid for 90 days. I don't have a dedicated IP so have used other methods to secure my login sequence.

    I have found one for $79. I think this is quite cheap as it's usually around $200.

    You could always keep getting the free trials and just change it around every few months. It would only take an hour or so and you would save nearly $80.

    It's up to you.

    $79 SSL http://www.rapidssl.com/ssl-certific...e-rapidssl.htm

    Good Luck, sorry about that.
    If I helped you, please rep me!
    -Fearghal
