6 Tips To Secure Your Website

By: David Risley


Most people on the internet are good, honest people. However, there are some people browsing the internet who derive fun from poking around websites and finding security holes. A few simple tips can help you secure your website in basic ways. Data security is a complicated subject and well beyond the scope of this column, but I will address the very basics, which will alleviate many potential problems that might allow people to see things they shouldn't.



Password Protecting Directories



If you have a directory on your server which should remain private, do not depend on people to not guess the name of the directory. It is better to password protect the folder at the server level. Over 50% of websites out there are powered by Apache server, so let's look at how to password protect a directory on Apache.



Apache takes configuration commands via a file called .htaccess which sits in the directory. The commands in .htaccess have effect on that folder and any sub-folder, unless a particular sub-folder has its own .htaccess file within. To password protect a folder, Apache also uses a file called .htpasswd. This file contains the names and passwords of users granted access. The password is encrypted, so you must use the htpasswd program to create the passwords. To access it, go to the command line of your server and type htpasswd. If you receive a "command not found" error then you need to contact your system admin. Also, bear in mind that many web hosts provide web-based ways to secure a directory, so they may have things set up for you to do it that way rather than on your own. Barring this, let's continue.



Type "htpasswd -c .htpasswd myusername" where "myusername" is the username you want. You will then be asked for a password. Confirm it and the file will be created. You can double check this via FTP. Also, if the file is inside your web folder, you should move it so that it is not accessible to the public. Now, open or create your .htaccess file. Inside, include the following:



    AuthUserFile /home/www/passwd/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Secure Folder"
    AuthType Basic

    require valid-user



On the first line, adjust the directory path to wherever your .htpasswd file is. Once this is set up, you will get a popup dialog when visiting that folder on your website. You will be required to log in to view it.



Turn Off Directory Listings



By default, any directory on your website which does not have a recognized homepage file (index.htm, index.php, default.htm, etc.) will instead display a listing of all the files in that folder. You might not want people to see everything you have on there. The simplest way to protect against this is to create a blank file, name it index.htm and upload it to that folder. Your second option is to, again, use the .htaccess file to disable directory listing. To do so, just include the line "Options -Indexes" in the file. Now, users will get a 403 error rather than a list of files.



Remove Install Files



If you install software and scripts to your website, many times they come with installation and/or upgrade scripts. Leaving these on your server opens up a huge security problem because if somebody else is familiar with that software, they can find and run your install/upgrade scripts and thus reset your entire database, config files, etc. A well-written software package will warn you to remove these items before allowing you to use the software. However, make sure this has been done. Just delete the files from your server.



Keep Up with Security Updates



Those who run software packages on their website need to keep in touch with updates and security alerts relating to that software. Not doing so can leave you wide open to hackers. In fact, many times a glaring security hole is discovered and reported and there is a lag before the creator of the software can release a patch for it. Anybody so inclined can find your site running the software and exploit the vulnerability if you do not upgrade. I myself have been burned by this a few times, having whole forums get destroyed and having to restore from backup. It happens.



Reduce Your Error Reporting Level



Speaking mainly for PHP here because that's what I work in, errors and warnings generated by PHP are, by default, printed with full information to your browser. The problem is that these errors usually contain full directory paths to the scripts in question. It gives away too much information. To alleviate this, reduce the error reporting level of PHP. You can do this in two ways. One is to adjust your php.ini file. This is the main configuration for PHP on your server. Look for the error_reporting and display_errors directives. However, if you do not have access to this file (many on shared hosting do not), you can also reduce the error reporting level using the error_reporting() function of PHP. Include this in a global file of your scripts so that it works across the board.
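A global include along these lines, as an added example that is not the author's code: rather than lowering the reporting level, it turns off display_errors and sends full detail to a log file, which removes the path disclosure described above while keeping the errors available to you. The log path is a hypothetical placeholder and should point outside your web folder.

```php
<?php
// Added example, not the article's code. The log path below is an assumed placeholder.

// Record every error, but never print details (file paths, queries) to the visitor.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/home/www/logs/php-error.log'); // assumed location outside the web folder

// Uncaught exceptions: full detail goes to the log, the browser gets a generic message.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf(
        '%s: %s in %s:%d',
        get_class($e),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine()
    ));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'Something went wrong. Please try again later.';
});
```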



Secure Your Forms



Forms open up a wide hole to your server for hackers if you do not properly code them. Since these forms are usually submitted to some script on your server, sometimes with access to your database, a form which does not provide some protection can offer a hacker direct access to all kinds of things. Keep in mind...just because you have an address field and it says "Address" in front of it does not mean you can trust people to enter their address in that field. Imagine your form is not properly coded and the script it submits to is not either. What's to stop a hacker from entering an SQL query or scripting code into that address field? With that in mind, here are a few things to do and look for:



Use MaxLength. Input fields in a form can use the maxlength attribute in the HTML to limit the length of input. Use this to keep people from entering WAY too much data. This will stop most people. A hacker can bypass it, so you must protect against information overrun at the script level as well.



Hide Emails. If using a form-to-mail script, do not include the email address in the form itself. It defeats the point and spam spiders can still find your email address.



Use Form Validation. I won't get into a lesson on programming here, but any script which a form submits to should validate the input received. Ensure that the fields received are the fields expected. Check that the incoming data is of reasonable and expected length and of the proper format (in the case of emails, phones, zips, etc.).



Avoid SQL Injection. A full lesson on SQL injection can be reserved for another article, but the basic idea is that form input is inserted directly into an SQL query without validation, thus giving a hacker the ability to execute SQL queries via your web form. To avoid this, always check the data type of incoming data (numbers, strings, etc.), run adequate form validation per above, and write queries in such a way that a hacker cannot insert anything into the form which would make the query do something other than you intend.
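The server-side checks from the list above, as an added example that is not part of the original article: it rejects unexpected fields, enforces length and format at the script level, and writes the query with bound parameters so form input is never part of the SQL text. The field names, length limits, ZIP pattern and contacts table are assumptions, and an in-memory SQLite database (PDO with the pdo_sqlite extension) stands in for the site's real database so the script runs offline.

```php
<?php
// Added example, not the article's code; field names, limits and table are assumptions.
// Expected fields => maximum length in bytes, enforced on the server.
const FIELDS = ['name' => 60, 'email' => 254, 'zip' => 10, 'address' => 200];

/** Returns [clean values, list of errors] for one submitted form. */
function validate_form(array $input): array
{
    $clean = [];
    $errors = [];
    foreach (array_keys(array_diff_key($input, FIELDS)) as $name) {
        $errors[] = "unexpected field: $name";
    }
    foreach (FIELDS as $name => $max) {
        $value = $input[$name] ?? null;
        if (!is_string($value) || trim($value) === '') {
            $errors[] = "$name is missing";
        } elseif (strlen(trim($value)) > $max) {
            $errors[] = "$name is too long";
        } else {
            $clean[$name] = trim($value);
        }
    }
    if (isset($clean['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if (isset($clean['zip']) && !preg_match('/^\d{5}(-\d{4})?$/', $clean['zip'])) {
        $errors[] = 'zip is not a valid ZIP code';
    }
    return [$clean, $errors];
}

/** Inserts a validated submission; values are bound as parameters, never concatenated into the SQL. */
function save_contact(PDO $db, array $c): void
{
    $stmt = $db->prepare(
        'INSERT INTO contacts (name, email, zip, address) VALUES (:name, :email, :zip, :address)'
    );
    $stmt->execute($c);
}

// Constructed demo: SQLite in memory stands in for the site's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (name TEXT, email TEXT, zip TEXT, address TEXT)');
$post = ['name' => 'Ann', 'email' => 'ann@example.com', 'zip' => '12345',
         'address' => "12 Oak St'); DROP TABLE contacts; --"]; // constructed hostile input
[$clean, $errors] = validate_form($post);
if ($errors === []) { save_contact($db, $clean); }
echo $db->query('SELECT address FROM contacts')->fetchColumn(), PHP_EOL; // read the row back
```

Validation alone would not stop the constructed address value, since it is within the length limit; the bound parameter is what keeps it from altering the query.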



Conclusion



Website security is a rather involved subject and it gets a LOT more technical than this. However, I have given you a basic primer on some of the easier things you can do to alleviate the majority of threats to your website.


Article Source: http://www.articles32.com

David Risley is a web developer and founder of PC Media, Inc. (www.pcmedianet.com). He specializes in PHP/MySQL development, consulting and internet business management. He is also the founder of PC Mechanic (www.pcmech.com), a large website delivering do-it-yourself computer information to thousands of users every day.






