General Web Site Security Tips

From Lunarpages Web Hosting Wiki
Jump to: navigation, search

Here are some great common web site security tips that everybody hosted on Lunarpages should at least check into.

1. Use a secure password and change it every 3 months.

A secure password will be at least 8 characters long, numbers and letters, uppercase and lowercase, no full words, no common character combinations like “pass”, “password”, “12345678”, etc.

2. Set permissions for all folders on the account to 755 (ignore instructions stating 777 is needed since our servers are setup to use 755 instead).

Set permissions for all files other than perl or python scripts to 644. You can do this en masse via FTP or you may email support@lunarpages.com and ask us to do it for you via shell. If we do it, please check permissions on .cgi, .pl, and .py afterward and change them back to 755.

3. Register_globals is often abused by hackers and should be set to Off.

You can check to see if they are enabled on the server by creating a phpinfo.php file under public_html with the following code:

<?
phpinfo();
?>

Browse to the file and check if Register_Globals are On. On our servers, they are set Off by default. If they are On, check your php.ini file and set them Off. You can enable them on a folder by folder basis if needed for some scripts by adding a new php.ini file with the correct setting under the script's subfolder. Be sure to also add to .htaccess under the subfolder the following line:

suPHP_ConfigPath /home/username/public_html/subfoldername (edit username and subfoldername)

4. Disable 'allow_url_fopen' and 'allow_url_include' (PHP5) in php.ini.

allow_url_fopen = Off
allow_url_include = Off

Keep in mind that some scripts may need these so be sure to check your site after but try to run without them if possible since hackers use these often.

5.Use Index Manager in cPanel to disable the showing of indexes in all folders or manually add the following to .htaccess:

Options -Indexes

You can also put a blank index file in any folders with sensitive info to be sure they will stay unlisted.

6. Prevent the viewing of .htaccess and php.ini. Add the following to .htaccess:

<Files .htaccess>
order allow,deny
deny from all
</Files>
<Files php.ini>
order allow,deny
deny from all
</Files>

7. Add the following to .htaccess to help prevent XSS attacks:

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Then create an index_error.php file to tell the bad boys whatever you want and upload the file under the same folder as .htaccess. Refer to http://addons.oscommerce.com/info/6044 for more info.

8. Do NOT use your control panel login as your database username and password.

Create a new user for each database and add it to the database. Be sure to use a secure password. While on this subject, do not add % as an access host unless you really need to access the database remotely. You can add it long enough to do what you may need to do and then delete it if not needed all the time.

9. Keep ALL scripts on the account up to date to the latest versions.

If you do not use a script, delete it. Be sure to check your account now and then for unused scripts and delete them after being sure you have a backup in case you change your mind. We often find folders with old copies of scripts that were used for development or upgrading and then never removed when done.

10. Backup your files and databases regularly and download the backups to your own computer for safekeeping.

Customers are responsible for their own backups. Since databases change far more often than files do, you should backup just databases more often in MySQL, phpMyAdmin. If you need any help with restoring from your backups, please email support@lunarpages.com. To automate the backup tasks, see this thread from the Lunarforums.com site.

Share |
Want to read this in another language?