Can anyone offer any guidelines on securing a website or point me to a good resource that has this info?
A few of the issues are as follows, but I would like to really secure my sites in any way I can without breaking them.
I've come across sites where I can access their directory and view the contents and would like to prevent that from happening on my site.
Some hosting companies have perms set to 755 while others have 775.
Should a .php or index file ever be executable? It seems to me that they should just be read only, but I don't know how it works with regards to a browser.
I've run across someone selling a script to protect your downloads. I would like to have a download directory, or at least have a setup where I can have various ebooks/pdfs downloadable, but only for the people who buy them. This leads me to believe I can't have one directory with multiple books in them.
Any help or direction is appreciated. I haven't found a Search function on this forum, so obviously I haven't done any leg work before posting :))
Thanks,
Zeek
Mmm, lots of ways to go at this, entire books have been written . . . I'll just offer what I know and leave the finer points to real experts . . .
> I've come across sites where I can access their directory and view the contents and would like to prevent that from happening on my site.
This is a server configuration; Google for "prevent directory browsing".
> I would like to have a download directory, or at least have a setup where I can have various ebooks/pdfs downloadable, but only for the people who buy them.
1. Store the files off the public root. That is, if your directory structure is
   /domain/public_html
   only the files in public_html are accessible. Create a directory in /domain to store these:
   /domain/downloadable
2. Write a script to access the files. There are all sorts of security issues to address here (hence my opening comment), but once you validate the user,
3. Have the script open the file /domain/downloadable/file.pdf
4. While reading in the file, print it out to the browser.
This means no one can bookmark the file or send a URL. They have to be validated first via login.
> I haven't found a Search function on this forum
Many moons ago they used to have a piece of code you could paste in your user CP, but it's so simple that's probably why they eliminated it.
In Google,
[searchterm] site:webmasterworld.com
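The download gateway sketched in steps 1 to 4 above, as an added example that is not code from this thread or from any forum member. It assumes the directory layout from the reply (/domain/downloadable next to /domain/public_html), that your existing login page sets $_SESSION['user_id'], and a hypothetical userOwnsFile() check standing in for a lookup against your purchase records.

```php
<?php
// Added example, not code from the thread: serve files that live outside
// public_html only to logged-in users who have bought them.
// Assumptions: /domain/downloadable from the reply, a 'user_id' session
// value set by your login code, and the hypothetical userOwnsFile() below.
declare(strict_types=1);

session_start();

// Files live outside the web root, so the web server can never serve them directly.
const DOWNLOAD_DIR = '/domain/downloadable';

/**
 * Hypothetical purchase check; replace with a query against your orders table.
 * Returns true only when this user has paid for this exact file.
 */
function userOwnsFile(int $userId, string $fileName): bool
{
    // Constructed sample data standing in for a database lookup.
    $purchases = [
        42 => ['guide.pdf', 'workbook.pdf'],
    ];
    return in_array($fileName, $purchases[$userId] ?? [], true);
}

/**
 * Resolve a user-supplied name to a real file inside DOWNLOAD_DIR, or null.
 * basename() strips any directory part, and the realpath() prefix check
 * guarantees the result cannot point outside the download directory.
 */
function resolveDownload(string $requested): ?string
{
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . '/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Step 2: the user must be validated (your login page sets $_SESSION['user_id']).
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Please log in to download your purchases.');
}
$userId = (int) $_SESSION['user_id'];

// Step 3: the requested name must map to a real file inside the download directory...
$requested = (string) ($_GET['file'] ?? '');
$path = resolveDownload($requested);
if ($path === null) {
    http_response_code(404);
    exit('No such file.');
}

// ...and this user must actually have bought it.
if (!userOwnsFile($userId, basename($path))) {
    http_response_code(403);
    exit('You have not purchased this file.');
}

// Step 4: stream the file to the browser. The URL reveals nothing about the
// real path, and a bookmarked or shared link without a valid session gets 403.
$mime = mime_content_type($path) ?: 'application/octet-stream';
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Cache-Control: private, no-store');
readfile($path);
exit;
```

The two checks are deliberately separate: resolveDownload() answers "is this a file I am willing to serve at all" (anything that is not a plain file directly inside /domain/downloadable is refused), and userOwnsFile() answers "is this user entitled to it". Keeping every ebook in one directory is therefore fine; the per-user restriction comes from the purchase check, not from where the file sits.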
When you mix in PHP and a database you start getting into SQL injection and cross-site scripting attacks, to name a few. For open source software such as WordPress, Joomla, Drupal, whatever, basically what you can do in your power is to always make sure they are up to date; that includes any extensions/plugins you have installed.
McAfee SiteAdvisor kind of does what you are asking; it is expensive.
Also hit up Google... [google.com...]