Basic Steps To Secure Your Website

Posted by admin in Website Security on 12 10th, 2009 | 2 responses

Most individuals on the internet are sensible, honest people. However, there are some folks browsing the internet who derive fun from poking around websites and finding security holes. Some simple tips will facilitate your secure your website in the essential ways. Now, clearly, the subject of information security may be a difficult one and means beyond the scope of this column. But, I can address the very basics one ought to do that will alleviate several potential problems that may enable folks to work out things they shouldn’t.

Password Protecting Directories

If you’ve got a directory on your server that ought to stay private, do not rely on folks to not guess the name of the directory. It is better to password shield the folder at the server level. Over 50% of websites out there are powered by Apache server, therefore let’s examine the way to password shield a directory on Apache.

Apache takes configuration commands via a file called .htaccess which sits within the directory. The commands in .htaccess have impact on that folder and any sub-folder, unless a explicit sub-folder has its own .htaccess file within. To password shield a folder, Apache conjointly uses a file called .htpasswd . This file contains the names and passwords of users granted access. The password is encrypted, thus you need to use the htpasswd program to form the passwords. To access it, visit the command line of your server and kind htpasswd. If you receive a “command not found” error then you wish to contact your system admin. Also, bear in mind that a lot of internet hosts give net-based mostly ways to secure a directory, thus they’ll have things set up for you to do it that approach rather than on your own. Barring this, let’s continue.

Kind “htpasswd -c .htpasswd myusername” where “myusername” is the username you want. You may then be asked for a password. Ensure it and therefore the file can be created. You’ll double check this via FTP. Additionally, if the file is within your internet folder, you must move it thus that it is not accessible to the public. Now, open or create your .htaccess file. Inside, include the subsequent:

AuthUserFile /home/www/passwd/.htpasswd
AuthGroupFile /dev/null
AuthName “Secure Folder”
AuthType Basic

need valid-user

On the first line, regulate the directory path to wherever your .htpasswd file is. Once this is founded, you will get a popup dialog when visiting that folder on your website. You may be needed to log in to view it.

Flip Off Directory Listings

By default, any directory on your website which does not have a recognized homepage file (index.htm, index.php, default.htm, etc.) goes to instead show an inventory of all the files in that folder. You would possibly not need people to see everything you’ve got on there. The simplest method to shield against this is to easily produce a blank file, name it index.htm and then upload it to that folder. Your second possibility is to, again, use the .htaccess file to disable directory listing. To do therefore, simply embrace the road “Choices -Indexes” in the file. Currently, users can get a 403 error rather than a listing of files.

Remove Install Files

If you install software and scripts to your website, several times they are available with installation and/or upgrade scripts. Leaving these on your server parades an enormous security problem as a result of if someone else is acquainted with that software, they’ll notice and run your install/upgrade scripts and thus reset your entire database, config files, etc. A well written software package will warn you to remove these items before permitting you to use the software. However, make sure this has been done. Simply delete the files from your server.

Keep Up with Security Updates

Those that run software packages on their website need to keep in touch with updates and security alerts referring to that software. Not doing so will leave you wide open to hackers. After all, several times a obvious security hole is discovered and reported and there is a lag before the creator of the software will release a patch for it. Anybody therefore inclined will find your website running the software and exploit the vulnerability if you are doing not upgrade. I actually have been burned by this some times, having whole forums get destroyed and having to restore from backup. It happens.

Cut back Your Error Reporting Level

Speaking mainly for PHP here as a result of that’s what I work in, errors and warnings generated by PHP are, by default, printed with full info to your browser. The problem is that these errors usually contain full directory paths to the scripts in question. It provides away an excessive amount of information. To alleviate this, cut back the error reporting level of PHP. You’ll do this in two ways. One is to adjust your php.ini file. This is often the most configuration for PHP on your server. Seek for the error_reporting and display_errors directives. But, if you do not have access to this file (several on shared hosting don’t), you can also reduce the error reporting level using the error_reporting() operate of PHP. Embrace this in an exceedingly international file of your scripts that method it will work across the board.

Secure Your Forms

Forms open up a good hole to your server for hackers if you are doing not properly code them. Since these forms are sometimes submitted to some script on your server, typically with access to your database, a type that does not provide some protection can supply a hacker direct access to all or any types of things. Keep in mind…just because you have an address field and it says “Address” in front of it does not mean you can trust folks to enter their address in that field. Imagine your form isn’t properly coded and also the script it submits to isn’t either. What is to stop a hacker from entering an SQL query or scripting code into that address field? With that in mind, here are a few things to do and look for:

Use MaxLength. Input fields in kind will use the maxlength attribute within the HTML to limit the length of input on forms. Use this to stay individuals from coming into WAY too much data. This can stop most people. A hacker can bypass it, so you need to defend against data overrun at the script level as well.

Hide Emails If employing a kind-to-mail script, do not include the e-mail address into the shape itself. It defeats the purpose and spam spiders can still find your email address.

Use Kind Validation. I won’t get into a lesson on programming here, but any script which a kind submits to should validate the input received. Ensure that the fields received are the fields expected. Check that the incoming knowledge is of reasonable and expected length and of the correct format (within the case of emails, phones, zips, etc.).

Avoid SQL Injection. A full lesson on SQL injection will be reserved for an additional article, but the fundamentals is that type input is allowed to be inserted directly into an SQL question while not validation and, thus, giving a hacker the power to execute SQL queries via your web form. To avoid this, invariably check the data kind of incoming information (numbers, strings, etc.), run adequate kind validation per on top of, and write queries in such a approach that a hacker cannot insert anything into the shape that would create the question do something alternative than you intend.

Conclusion

Website security is a rather involved subject and it get a LOT a lot of technical than this. However, I have given you a basic primer on a number of the simpler things you can do on your website to alleviate the majority of threats to your website.