<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Internet Security Online &#187; common passwords</title>
	<atom:link href="http://internetsecurityonline.com/tag/common-passwords/feed" rel="self" type="application/rss+xml" />
	<link>http://internetsecurityonline.com</link>
	<description>Everything to Protect You and Your Data</description>
	<lastBuildDate>Sat, 04 Feb 2012 19:30:09 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Basic Steps To Secure Your Website</title>
		<link>http://internetsecurityonline.com/website-security/basic-steps-to-secure-your-website</link>
		<comments>http://internetsecurityonline.com/website-security/basic-steps-to-secure-your-website#comments</comments>
		<pubDate>Thu, 10 Dec 2009 11:47:36 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Website Security]]></category>
		<category><![CDATA[common passwords]]></category>

		<guid isPermaLink="false">http://internetsecurityonline.com/?p=13</guid>
		<description><![CDATA[Most people on the internet are sensible, honest people. However, there are some folks browsing the internet who derive fun from poking around websites and finding security holes. A few simple tips will help you secure your website in the essential ways. Now, clearly, the subject of information security is a complicated one and way [...]]]></description>
			<content:encoded><![CDATA[<p>Most people on the internet are sensible, honest people. However, there are some folks browsing the internet who derive fun from poking around websites and finding security holes. A few simple tips will help you secure your website in the essential ways. Now, clearly, the subject of information security is a complicated one and way beyond the scope of this column. But I can address the very basics one ought to do that will alleviate several potential problems that might allow people to see things they shouldn&#8217;t.</p>
<p>Password Protecting Directories</p>
<p>If you have a directory on your server that ought to stay private, do not rely on people not guessing the name of the directory. It is better to password protect the folder at the server level. Over 50% of websites out there are powered by Apache server, so let&#8217;s look at how to password protect a directory on Apache.</p>
<p>Apache takes configuration commands via a file called .htaccess which sits in the directory. The commands in .htaccess affect that folder and any sub-folder, unless a particular sub-folder has its own .htaccess file within. To password protect a folder, Apache also uses a file called .htpasswd. This file contains the names and passwords of users granted access. The password is encrypted, so you need to use the htpasswd program to create the passwords. To access it, go to the command line of your server and type htpasswd. If you receive a &#8220;command not found&#8221; error then you need to contact your system admin. Also, bear in mind that a lot of web hosts provide web-based ways to secure a directory, so they may have things set up for you to do it that way rather than on your own. Barring this, let&#8217;s continue.</p>
<p>Type &#8220;htpasswd -c .htpasswd myusername&#8221; where &#8220;myusername&#8221; is the username you want. You will then be asked for a password. Confirm it and the file will be created. You can double check this via FTP. Also, if the file is inside your web folder, you should move it so that it is not accessible to the public. Now, open or create your .htaccess file. Inside, include the following:</p>
<p>AuthUserFile /home/www/passwd/.htpasswd<br />
AuthGroupFile /dev/null<br />
AuthName "Secure Folder"<br />
AuthType Basic</p>
<p>require valid-user</p>
<p>On the first line, adjust the directory path to wherever your .htpasswd file is. Once this is set up, you will get a popup dialog when visiting that folder on your website. You will be required to log in to view it.</p>
<p>Turn Off Directory Listings</p>
<p>By default, any directory on your website which does not have a recognized homepage file (index.htm, index.php, default.htm, etc.) will instead show a list of all the files in that folder. You might not want people to see everything you have on there. The simplest way to protect against this is to create a blank file, name it index.htm and then upload it to that folder. Your second option is to, again, use the .htaccess file to disable directory listing. To do so, simply include the line &#8220;Options -Indexes&#8221; in the file. Now, users will get a 403 error rather than a listing of files.</p>
<p>Remove Install Files</p>
<p>If you install software and scripts on your website, many times they come with installation and/or upgrade scripts. Leaving these on your server poses a huge security problem because if someone else is familiar with that software, they can find and run your install/upgrade scripts and thus reset your entire database, config files, etc. A well written software package will warn you to remove these items before allowing you to use the software. However, make sure this has been done. Simply delete the files from your server.</p>
<p>Keep Up with Security Updates</p>
<p>Those who run software packages on their website need to keep in touch with updates and security alerts relating to that software. Not doing so will leave you wide open to hackers. After all, many times an obvious security hole is discovered and reported and there is a lag before the creator of the software can release a patch for it. Anybody so inclined can find your website running the software and exploit the vulnerability if you do not upgrade. I have been burned by this a few times, having whole forums get destroyed and having to restore from backup. It happens.</p>
<p>Reduce Your Error Reporting Level</p>
<p>Speaking mainly for PHP here because that&#8217;s what I work in, errors and warnings generated by PHP are, by default, printed with full information to your browser. The problem is that these errors usually contain full directory paths to the scripts in question. It gives away too much information. To alleviate this, reduce the error reporting level of PHP. You can do this in two ways. One is to adjust your php.ini file. This is the main configuration for PHP on your server. Look for the error_reporting and display_errors directives. But, if you do not have access to this file (many on shared hosting don&#8217;t), you can also reduce the error reporting level using the error_reporting() function of PHP. Include this in a global file of your scripts so that it will work across the board.</p>
<p>Secure Your Forms</p>
<p>Forms open up a wide hole to your server for hackers if you do not properly code them. Since these forms are usually submitted to some script on your server, often with access to your database, a form that does not provide some protection can offer a hacker direct access to all kinds of things. Keep in mind&#8230; just because you have an address field and it says &#8220;Address&#8221; in front of it does not mean you can trust people to enter their address in that field. Imagine your form isn&#8217;t properly coded and the script it submits to isn&#8217;t either. What is to stop a hacker from entering an SQL query or scripting code into that address field? With that in mind, here are a few things to do and look for:</p>
<p>Use MaxLength. Input fields in a form can use the maxlength attribute in the HTML to limit the length of input on forms. Use this to keep people from entering WAY too much data. This will stop most people. A hacker can bypass it, so you need to protect against data overrun at the script level as well.</p>
<p>Hide Emails. If using a form-to-mail script, do not include the email address in the form itself. It defeats the purpose and spam spiders can still find your email address.</p>
<p>Use Form Validation. I won&#8217;t get into a lesson on programming here, but any script which a form submits to should validate the input received. Ensure that the fields received are the fields expected. Check that the incoming data is of reasonable and expected length and of the correct format (in the case of emails, phones, zips, etc.).</p>
<p>Avoid SQL Injection. A full lesson on SQL injection will be reserved for another article, but the basics are that form input is allowed to be inserted directly into an SQL query without validation, thus giving a hacker the ability to execute SQL queries via your web form. To avoid this, always check the data type of incoming data (numbers, strings, etc.), run adequate form validation per above, and write queries in such a way that a hacker cannot insert anything into the form that would make the query do something other than you intend.</p>
<p>Conclusion</p>
<p>Website security is a rather involved subject and it gets a LOT more technical than this. However, I have given you a basic primer on some of the simpler things you can do on your website to alleviate the majority of threats to your website.</p>
]]></content:encoded>
			<wfw:commentRss>http://internetsecurityonline.com/website-security/basic-steps-to-secure-your-website/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Passwords: How To Choose Them Wisely</title>
		<link>http://internetsecurityonline.com/security-best-practices/passwords-how-to-choose-them-wisely</link>
		<comments>http://internetsecurityonline.com/security-best-practices/passwords-how-to-choose-them-wisely#comments</comments>
		<pubDate>Mon, 07 Dec 2009 21:20:02 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security Best Practices]]></category>
		<category><![CDATA[common passwords]]></category>

		<guid isPermaLink="false">http://internetsecurityonline.com/?p=9</guid>
		<description><![CDATA[Are you making yourself a target for fraud? More and more often I&#8217;m hearing stories of people who have had their accounts hacked. They have had money stolen, lost sleep, spent hours setting up new accounts, or had their credit ruined. Don&#8217;t let this happen to you. Are you making these dangerous [...]]]></description>
			<content:encoded><![CDATA[<p>Are you making yourself a target for fraud? More and more often I&#8217;m hearing stories of people who have had their accounts hacked. They have had money stolen, lost sleep, spent hours setting up new accounts, or had their credit ruined. Don&#8217;t let this happen to you.</p>
<p>Are you making these dangerous mistakes?</p>
<p>Mistake #1: Using the same password for all your accounts.</p>
<p>Please don&#8217;t do this. Use different passwords for every email account, and definitely use unique passwords for shopping websites where you&#8217;d enter your credit card.</p>
<p>Mistake #2: Short passwords</p>
<p>Guessing your password becomes increasingly difficult the more characters are in it. So, go for the gusto and make your passwords long.</p>
<p>Mistake #3: BradPitt, Charlie, Sarah, Princess, Barbie, Gandolf &#8212; Did I guess it yet?</p>
<p>Do not use kids&#8217; names, pets&#8217; names, nicknames, names of characters in books or movies, or celebrity names. Even if I did not guess it in my list, someone who knows you could.</p>
<p>Mistake #4: Easy to remember English words</p>
<p>Easy to remember is also easy to guess. Passwords should not contain English words found in a dictionary. Non-English words or any words in any dictionary are a high risk as well. And, for goodness&#8217; sake, if your password is &#8220;password&#8221; or &#8220;test&#8221; then it&#8217;s a wonder you haven&#8217;t been hacked yet!</p>
<p>Mistake #5: Numbers are no-no&#8217;s.</p>
<p>Seriously, stay away from birthdays, anniversaries, addresses, social security numbers or telephone numbers. They are all too easy to guess.</p>
<p>Select random passwords for banking sites like PayPal. Combine letters (both uppercase and lowercase) and numbers.</p>
<p>If all of this sounds too hard to remember, then consider using a password program. Most of the good password programs will not only store your passwords on your computer, but they will also generate completely random passwords when you need one.</p>
<p>Here are a few to try.</p>
<p>http://www.fgroupsoft.com/Traysafe/</p>
<p>http://passwordsafe.sourceforge.net/</p>
<p>http://www.treepad.com/treepadsafe/</p>
<p>It&#8217;s never a good time to find out that someone has stolen money from you &#8212; or locked you out of your own email account. It&#8217;s a waste of time and money. Please protect yourself.</p>
]]></content:encoded>
			<wfw:commentRss>http://internetsecurityonline.com/security-best-practices/passwords-how-to-choose-them-wisely/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

