Basic Tips for Securing Your Website
by Warren
(NY)
Protecting Directories With Passwords
The first thing to think about is your directories and the information on your server. This information should be private, and you should never have to worry about people guessing the directory name, because once they do, they are basically in. It is a good idea to protect the folder with a password at the server level.
Let’s take a look at how we would password protect an Apache server directory.
I am sure that you have heard of an .htaccess file. The server processes the configuration commands found in the .htaccess file in your site’s directory. Any command found in this file affects both that folder and any subfolder. The exception would be if a subfolder has its own .htaccess file. In order to protect folders, the Apache server uses an .htpasswd file. This file is used to store an encrypted list of users and passwords for which access is granted. Be sure to check with your website’s host to determine the best way to access and/or secure your directory.
Directory Listing – Turn Off
Directories that do not contain a homepage file (index.php, index.htm, default.htm) will instead display a complete listing of the files available. I doubt that you want anyone to see everything that is there. The easiest way to avoid this is to create a blank index.htm file and add it to the folder in question. Should you need another option, you could disable the directory listing using the .htaccess file. This can be accomplished simply by including the following line, "Options -Indexes", in your file.
Remove Installation Files
If you have recently installed software on your site, there is a good chance that the upgrade scripts are still on the server. You want to remove these scripts. Anyone familiar with your software could potentially re-run them. Your entire database would be reset, causing a huge problem. Just remember to remove all upgrade files/scripts after your installations are complete.
Security Updates
If you run security software packages on your site, make sure that they are up to date.
Reduce All Website Error Reporting Levels
You may not be aware, but some errors, especially those generated by PHP, are printed to your browser. The information printed usually contains directory paths. This is the problem. To avoid this issue, simply reduce your site’s error reporting levels. This can be accomplished by updating your php.ini file. You can also change error reporting levels via the error_reporting function in PHP.
Securing Submission Forms
Forms can be a potential crack in the armor. Forms are usually submitted to a script on your server. If your form does not offer any protection, you may be subjected to unwanted access. For example, let’s suppose that you have a field labeled “Address”. That is pretty common, I would say; however, it does not mean that people have to enter an address in that field. If the form is not coded properly, someone could enter a script or SQL code. The following are a few things that you could do.
For all form input fields, make sure that the maximum length HTML attribute is used. This should help somewhat, but against hackers you would also have to protect against information overrun at the script level.
Make sure that you incorporate form validation. You want to make sure that the input submitted via your form is validated by script. Fields that are received via your form should contain the data that is expected. Data should be checked to make sure that it is of the proper format and length.
By checking your data types (strings, numbers, etc.) and validating your forms, you should be able to avoid most SQL injection (someone inserting script or anything other than what is expected into your form in order to manipulate it).
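The server-side checks described in the points above, as an added example that is not part of the original article: it validates the "Address" field for type, length and format in PHP, then stores it through a bound parameter, which goes one step beyond the text because a valid address can still contain a quote. The 100-character limit, the allowed character set, the contacts table and the sample inputs are assumptions made for illustration; it needs PHP 8 with the mbstring and pdo_sqlite extensions.

```php
<?php
declare(strict_types=1);

// Hypothetical limit for the "Address" field; adjust to your own form.
const ADDRESS_MAX_LEN = 100;

// Server-side check: the HTML maxlength attribute is only a browser hint.
// Returns the cleaned value, or null when the input is not acceptable.
function validate_address(mixed $raw): ?string
{
    if (!is_string($raw)) {            // a client can send address[]=x (an array)
        return null;
    }
    $value = trim($raw);
    if ($value === '' || mb_strlen($value, 'UTF-8') > ADDRESS_MAX_LEN) {
        return null;
    }
    // Assumed format: letters, digits, spaces and common address punctuation.
    if (preg_match('/^[\p{L}\p{N} .,\'#\/-]+$/u', $value) !== 1) {
        return null;
    }
    return $value;
}

// Constructed sample submissions (not real data).
$samples = [
    "12 O'Connell Street, Apt. 4",      // valid, and contains a quote
    "<script>alert(1)</script>",        // script instead of an address
    "x' OR '1'='1",                     // SQL fragment instead of an address
    str_repeat('A', 500),               // far longer than the field allows
];

// In-memory SQLite database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (address TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO contacts (address) VALUES (:address)');

foreach ($samples as $input) {
    $address = validate_address($input);
    if ($address === null) {
        // Encode before printing so rejected input is shown as text, not markup.
        echo 'rejected: ' . htmlspecialchars(mb_substr($input, 0, 40), ENT_QUOTES, 'UTF-8') . PHP_EOL;
        continue;
    }
    // The value is bound as data, never concatenated into the SQL text.
    $insert->execute([':address' => $address]);
    echo 'stored:   ' . htmlspecialchars($address, ENT_QUOTES, 'UTF-8') . PHP_EOL;
}
```

Only the first sample is stored; the other three are rejected by the format or length check before they reach the database.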
Although extremely important, website security is beyond the scope of any one article. The above should, however, give you some basics and a few things to think about. Make plans to review your website’s overall security soon.





