When building a website where users will be going through registration process, make sure the principle of least privilege is used
(PRWEB) December 30, 2011
Stanislav Kaliyev, founder of WebsiteHowtoMake.com video tutorials, shares his tips for building a safe and secure website.
Any webmaster wants a safe and secure website. How do you get there? Most of the historic weaknesses in the language runtimes, database engines and web server software have long been patched, yet sites are still broken into every day, usually through the things the webmaster controls: weak passwords, stale software, careless configuration and untrusted extensions. Many beginner webmasters wonder whether these attacks can be prevented. So is it possible to build a safe and highly secure website? There are several ways.
1. First of all, use strong, unique passwords for cPanel, FTP, MySQL and especially for email accounts (the mailbox that receives password-reset links is the master key to everything else). A password of 12-16 characters mixing lower-case and capital letters, digits and special symbols has a search space far too large for a brute-force attack to cover, provided it is not reused on another service. Do not log in to the administrative sections of your website from public places or shared computers. Private or Incognito browsing mode only stops the browser from keeping the session cookie and form data after the window is closed; it does nothing for the connection itself, so log in over HTTPS only.
2. Secondly, use only reliable software. No software is perfect, so prefer what is widely used and actively maintained. The Joomla CMS falls into this category: it is constantly probed by researchers and attackers from around the world, so patches for security vulnerabilities are released promptly and most known weaknesses have long been fixed at the core level. A patch only helps once it is installed, so Websitehowtomake.com's founder, Stan, highly recommends subscribing to Joomla Security News so that necessary updates are received and applied as soon as they are announced.
3. Use a reliable hosting company, one that provides efficient technical support, timely web server software updates and many other benefits. Voltage drops or blackouts at a poorly equipped provider can take a business offline for several hours or sometimes for days.
4. After changing the file structure of the website or making major data modifications, create a backup copy of both the files and the database. In fact, backing up is recommended as a weekly procedure at minimum. Keep at least one copy off the web server (a backup stored next to the site is lost together with it), and restore it once to a test location to prove it is usable.
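The backup routine described in point 4, as an added example (this is not code from the original article or from Website How to Make). It archives the site files, dumps the database with mysqldump, checks each archive before trusting it, and prunes old copies. The paths, the database name, the use of ~/.my.cnf for credentials and the 30-day retention are assumptions; the exclusion of Joomla's cache/ and tmp/ contents is a choice, since those are regenerated.

```shell
#!/bin/sh
# Added example (not from the original article): file + database backup for a
# Joomla site, with an integrity check before the copy is trusted.
# All paths, the database name and the ~/.my.cnf credentials are assumptions.
set -eu
umask 077   # archives hold user data: readable by this account only

backup_files() {
    # $1 = site document root, $2 = destination directory.
    # Writes $2/files-<timestamp>.tar.gz and prints its path. Joomla's cache/
    # and tmp/ contents are regenerated, so they are left out of the archive.
    src=$1; dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$dest/files-$stamp.tar.gz"
    mkdir -p "$dest"
    tar -czf "$out" --exclude='*/cache/*' --exclude='*/tmp/*' \
        -C "$(dirname "$src")" "$(basename "$src")"
    echo "$out"
}

backup_db() {
    # $1 = database name, $2 = destination directory.
    # Credentials come from ~/.my.cnf ([client] user= / password=), never from
    # the command line, where `ps` and the shell history would expose them.
    db=$1; dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$dest/db-$db-$stamp.sql"
    mkdir -p "$dest"
    mysqldump --single-transaction --routines --triggers "$db" > "$out"
    gzip "$out"          # replaces $out with $out.gz
    echo "$out.gz"
}

verify_backup() {
    # Prints "ok" when the gzip stream is intact, "corrupt" (and fails) otherwise.
    # A backup that has never been checked is a hope, not a backup.
    if gzip -t "$1" 2>/dev/null; then echo ok; else echo corrupt; return 1; fi
}

prune_old() {
    # Delete archives in $1 older than $2 days.
    find "$1" -name '*.gz' -type f -mtime +"$2" -exec rm -f {} +
}

# Usage (assumed paths): sh backup.sh /var/www/html joomla_db /var/backups/site
if [ $# -eq 3 ]; then
    f=$(backup_files "$1" "$3"); verify_backup "$f"
    d=$(backup_db "$2" "$3");    verify_backup "$d"
    prune_old "$3" 30
fi
```

Run it from cron after any major change and at least weekly, and copy the resulting archives off the server (rsync or scp to another machine) so that the backup survives the loss of the host itself.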
5. To protect your website from malicious code attacks, some settings in the PHP configuration need to be changed. Open the php.ini file and set the following directives (most of them already exist in the file; edit them in place rather than appending duplicate lines, because PHP uses the last value it reads):
register_globals = Off
safe_mode = Off
allow_url_fopen = Off
allow_url_include = Off
disable_functions = show_source, system, passthru, shell_exec, exec, phpinfo, popen, proc_open
Three notes. register_globals and safe_mode were deprecated in PHP 5.3 and removed in PHP 5.4, so on a current PHP the first two lines are harmless but do nothing; safe_mode = Off is a compatibility setting (safe_mode broke many scripts and was never a real security boundary), not a protection. allow_url_fopen = Off also blocks legitimate extensions that fetch remote data through PHP's URL wrappers, so test the site after changing it. disable_functions can only be set in php.ini (or the hosting provider's per-account equivalent), not in .htaccess or from a script, so on shared hosting ask the provider to apply it.
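A way to check that the directives from point 5 actually took effect, as an added example (not code from the original article). It reads a php.ini the way PHP does, taking the last uncommented assignment of each directive and falling back to PHP's built-in default when a directive is absent, then counts what still needs fixing. File paths are assumptions; point it at the php.ini that phpinfo() reports as loaded.

```shell
#!/bin/sh
# Added example (not from the original article): audit a php.ini against the
# hardening directives above. It reports the value PHP would actually use
# (last uncommented assignment wins) and counts what still needs fixing.
# The file paths are assumptions; run it against your own php.ini.
set -eu

ini_value() {
    # $1 = php.ini path, $2 = directive name.
    # Prints the effective value, "" if set but empty, "(unset)" if absent.
    awk -v key="$2" '
        /^[ \t]*;/ { next }                                  # comment line
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            line = $0
            sub("^[ \t]*" key "[ \t]*=[ \t]*", "", line)     # drop "key ="
            sub("[ \t]*;.*$", "", line)                      # drop inline comment
            gsub(/"/, "", line)                              # drop quotes
            sub("[ \t]+$", "", line)
            val = line; found = 1                            # later lines override
        }
        END { if (!found) print "(unset)"; else print val }
    ' "$1"
}

normalize() {
    # Map PHP's boolean spellings to on/off; other values pass through.
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes)          echo on ;;
        off|0|false|no|none|'') echo off ;;
        *)                      echo "$1" ;;
    esac
}

audit_php_ini() {
    ini=$1; problems=0
    # directive, wanted value, PHP's built-in default when the directive is absent
    for spec in "register_globals off off" \
                "allow_url_fopen off on" \
                "allow_url_include off off"; do
        set -- $spec
        raw=$(ini_value "$ini" "$1")
        if [ "$raw" = "(unset)" ]; then raw=$3; fi
        have=$(normalize "$raw")
        if [ "$have" = "$2" ]; then status=ok; else status=FIX; problems=$((problems + 1)); fi
        printf '%-18s = %-4s (want %s) %s\n' "$1" "$have" "$2" "$status"
    done
    # Every function in this list must appear in disable_functions.
    have=$(ini_value "$ini" disable_functions | tr ',' ' ')
    for fn in show_source system passthru shell_exec exec phpinfo popen proc_open; do
        case " $have " in
            *" $fn "*) ;;
            *) printf 'disable_functions: %s is still callable FIX\n' "$fn"
               problems=$((problems + 1)) ;;
        esac
    done
    echo "problems: $problems"
}

# Usage (assumed path): sh audit.sh /etc/php/8.2/apache2/php.ini
if [ $# -eq 1 ]; then
    audit_php_ini "$1"
fi
```

The last line of the report is the number of outstanding problems, so the script can be run from a cron job and the output diffed against the previous run. It checks the file on disk, not the running interpreter; a per-directory override (.user.ini, or php_value in .htaccess on mod_php) can still change allow_url_fopen, so phpinfo() on a throwaway page remains the final word.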
6. The whole /administrator directory should be protected by a password at the .htaccess level, in addition to the Joomla login itself. Moreover, access to this directory can be limited to certain IP addresses for higher security. Contact your ISP (Internet Service Provider) to find out whether you have a static or a dynamic public IP address; in the second case, ask the provider for a static address (a DHCP reservation on your home router only fixes the private LAN address, which the web server never sees). An IP restriction limits the administrative sections to requests arriving from that address, which means the owner's network rather than the owner's computer alone, so keep the password layer as well.
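The .htaccess protection from point 6, as an added example in Apache 2.4 syntax (not from the original article). The directory path, the password file location and the address 203.0.113.10 are assumptions; use your own static address, or a range such as 203.0.113.0/24 if the provider allocates from a block.

```apache
# /var/www/html/administrator/.htaccess (added example; path and address assumed)
# Needs Apache 2.4 and "AllowOverride AuthConfig Limit" for this directory.
AuthType Basic
AuthName "Joomla administrator"
# Keep the password file outside the document root so it can never be downloaded.
AuthUserFile /home/example/.htpasswd-admin

<RequireAll>
    # Both conditions must hold: a valid password AND an allowed source address.
    Require valid-user
    Require ip 203.0.113.10
</RequireAll>
```

Create the password file with `htpasswd -B -c /home/example/.htpasswd-admin admin` (the -B flag selects bcrypt; omit -c when adding further users). On Apache 2.2 the equivalent is `Order deny,allow`, `Deny from all`, `Allow from 203.0.113.10`, `Require valid-user` and `Satisfy All`. Basic authentication sends the password with every request, so this layer is only worth having on a site served over HTTPS.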
7. Ensure the workstation is protected! The OS should be set to install updates automatically, and a good antivirus product and a firewall should be installed; a keylogger on the webmaster's PC defeats every server-side measure on this list.
8. Joomla is known for having over 8500 extensions for building dynamic and modern websites, online stores, catalogues, informational portals, Internet communities, advertising agencies, consultation centers, etc. However, remember that these extensions are mostly created by third-party programmers, so there is no guarantee they are reliable, and an extension runs with exactly the same privileges as Joomla itself. A very good resource listing extensions with known vulnerabilities is http://docs.joomla.org/Vulnerable_Extensions_List; check it before installing anything, and uninstall (not merely unpublish) extensions you no longer use, since unpublished files remain reachable on the server.
9. When building a website where users go through a registration process, make sure the principle of least privilege is applied: newly registered accounts should land in a group that can do nothing beyond what the site needs them to do, and never in one with back-end access. This procedure is covered in Chapter 7 of the Website How to Make curriculum.
10. It is highly recommended to install the RSFirewall! extension. It is a commercial extension, but it is worth the money.
A few of the things RSFirewall! provides:
- A powerful protection service inside Joomla
- Updates of its rules against the newest threats
- An active scanner that tracks and blocks intrusion attempts such as SQL injection
- A Lock-down mode that reduces the site's exposure to security leaks once it is enabled
- Protection that covers the whole Joomla! site, including third-party extensions
- A scan-and-fix tool for common vulnerabilities (no expert knowledge needed)
- Monitoring of Joomla!'s sensitive files and denial of attempts to change them
- Filtering of every request (POST, GET and so on) with blocking of SQL injection attempts
- Notification of the webmaster by e-mail or even by SMS when a certain alert level is reached
- Notices about the latest security updates
Note that a firewall extension runs inside the same PHP process it protects; it reduces exposure but does not replace the updates, backups and access restrictions above.
Don't waste time: go through this checklist to make sure the website is secured! Good luck!