Author Topic: Protection against hackers  (Read 2586 times)

  • Sir (...soon) (maybe)
Protection against hackers
« on: November 10, 2012, 02:50:46 AM »
This was sent to me by the host of my site.
Most of it I don't understand, but it may be useful for somebody.

Quote
Wordpress General tips:

   1. Use a secure password and change it every 3 months.
      A secure password will be at least 8 characters long, contain numbers and letters in uppercase and lowercase, no full words, and no common character combinations like “pass”, “password”, “12345678”, etc.
   2. Set permissions for all folders on the account to 755 (ignore instructions stating 777 is needed since our servers are setup to use 755 instead).
      Set permissions for all files other than perl or python scripts to 644. You can do this en masse via FTP or you may open a ticket and ask us to do it for you via shell. If we do it, please check permissions on .cgi, .pl, and .py files afterward and change them back to 755.
   3. Register_globals is often abused by hackers and should be set to Off.
      You can check to see if they are enabled on the server by creating a phpinfo.php file under public_html with the following code:
      <?php
      phpinfo();
      ?>
      Browse to the file and check if Register_Globals are On. If they are on, you can create a custom php.ini file to set them off.
   4. Disable 'allow_url_fopen' and 'allow_url_include' (PHP5) in php.ini.
      allow_url_fopen = Off
      allow_url_include = Off
      Keep in mind that some scripts may need these so be sure to check your site after but try to run without them if possible since hackers use these often.
   5. Use Index Manager in cPanel to disable the showing of indexes in all folders or manually add the following to .htaccess:
      Options -Indexes
      You can also put a blank index file in any folders with sensitive info to be sure they will stay unlisted.
   6. Prevent the viewing of .htaccess and php.ini. Add the following to .htaccess:

      <Files .htaccess>
      order allow,deny
      deny from all
      </Files>

      <Files php.ini>
      order allow,deny
      deny from all
      </Files>

   7. Add the following to .htaccess to help prevent XSS attacks:
      Options +FollowSymLinks
      RewriteEngine On
      RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
      RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
      RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
      RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
      RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
      RewriteRule ^(.*)$ index_error.php [F,L]
      RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
      RewriteRule .* - [F]
      Then create an index_error.php file to tell the bad boys whatever you want and upload the file under the same folder as .htaccess. Refer to http://addons.oscommerce.com/info/6044 for more info.
   8. Do NOT use your control panel login as your database username and password.
      Create a new user for each database and add it to the database. Be sure to use a secure password. While on this subject, do not add % as an access host unless you really need to access the database remotely. You can add it long enough to do what you may need to do and then delete it if not needed all the time.
   9. Keep ALL scripts on the account up to date to the latest versions.
      If you do not use a script, delete it. Be sure to check your account now and then for unused scripts and delete them after being sure you have a backup in case you change your mind. We often find folders with old copies of scripts that were used for development or upgrading and then never removed when done.
  10. Backup your files and databases regularly and download the backups to your own computer for safekeeping.

Wordpress tips:

   1. If installing manually, change the default DB table prefix (wp-) when asked. If installing via Fantastico or Softaculous, you can change the table prefix afterward with the wp-security-scan plugin. http://WordPress.org/extend/plugins/wp-security-scan/ Changing the prefix to something else helps to block scripted attacks which will be looking for the default.
   2. Follow all the security measures at http://wpsecure.org/ . It is loaded with excellent plugins and other ideas to secure your install.
   3. Keep WordPress and all plugins up to date. Just one old insecure plugin can create a huge security hole. Both WordPress and most plugins can be auto-updated in Admin now.
   4. If you enable comments, be sure to set them to be moderated. You should also install the ReCaptcha plugin to help stop bots from submitting comments. http://recaptcha.net/plugins/wordpress/ You definitely want to install the Akismet plugin or WP-SpamFree as well to help stop spam. http://wordpress.org/extend/plugins/akismet/ or http://wordpress.org/extend/plugins/wp-spamfree/
   5. Change the default security keys in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY). You can generate new secure keys easily at https://api.WordPress.org/secret-key/1.1/
   6. Add the WordPress Stats plugin both for help with SEO and to monitor unusual activity. http://WordPress.org/extend/plugins/stats/
   7. While external post writers such as Microsoft Live Writer make it easy to create posts on your own computer and then send them to your blog, they use xmlrpc.php which is quite often exploited and if you check your access logs you will probably see quite a few requests looking for that file. It is best to disable outside posting. If you just must use external writers, change the name of xmlrpc.php to something obscure and then set your external program to look for the new filename to use. In Live Writer, you must enter the URL for posting with the new filename when first setting up the blog in it.
   8. To be safe you should make backups of your database and site files as it saves a lot of time & effort cleaning up after an attack and customers are responsible for their own files and keeping backups. Create new backups of files and database after making any site changes like upgrading to a new version, adding a plugin, or creating a truly brilliant post. Backup the database as often as necessary depending on the activity in your blog. The database is the one truly irreplaceable item and the one that changes most often. You can add a very nice DB backup plugin from http://ilfilosofo.com/blog/wp-db-backup/ and manually backup the database. You can automate DB backups via a script and cron job.
   9. While not related to hacking or spamming, another major security issue for blogs is content theft (copyright violations). This should be just as much of a concern whether your blog is about your family or business. Please see http://www.lostartofblogging.com/protect-your-blog-and-counter-copyright-thefts , http://creativecommons.org/choose/ , and http://www.codetrax.org/projects/wp-cc-configurator/files. Another good possibility is https://myfreecopyright.com/
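An added example, not part of the original post or the host's instructions: a POSIX shell script that applies the permission scheme from general tip 2 (755 for directories, 644 for files, 755 restored for .cgi, .pl and .py scripts) to a web root, then counts what is still world-writable or deviates from the scheme, so the result can be verified rather than assumed after an FTP client has been through the tree. The web-root path in the usage comment is an assumed example.

```shell
#!/bin/sh
# Added example (not the host's or the forum poster's code). Assumes a POSIX sh
# with find, chmod, wc and tr; run it as the account owner on the web root.

# count_lines: helper that turns "wc -l" output into a bare number (some wc
# implementations pad with spaces).
count_lines() {
    wc -l | tr -d ' '
}

# harden_perms WEBROOT: directories 755, regular files 644, then CGI/Perl/Python
# scripts back to 755 so the web server can still execute them (tip 2).
harden_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type f \( -name '*.cgi' -o -name '*.pl' -o -name '*.py' \) \
        -exec chmod 755 {} +
}

# count_world_writable WEBROOT: number of entries that still grant write to
# "others" (the 777 case the host warns about). A hardened tree reports 0.
count_world_writable() {
    find "$1" -perm -002 | count_lines
}

# count_deviations WEBROOT: number of entries whose mode differs from the
# scheme: directories not 755, plain files not 644, scripts not 755.
count_deviations() {
    root="$1"
    d=$(find "$root" -type d ! -perm 755 | count_lines)
    f=$(find "$root" -type f ! -name '*.cgi' ! -name '*.pl' ! -name '*.py' \
        ! -perm 644 | count_lines)
    s=$(find "$root" -type f \( -name '*.cgi' -o -name '*.pl' -o -name '*.py' \) \
        ! -perm 755 | count_lines)
    echo $((d + f + s))
}

# Usage (path is an assumed example): sh harden_perms.sh /home/user/public_html
if [ -n "$1" ]; then
    echo "world-writable before: $(count_world_writable "$1")"
    harden_perms "$1"
    echo "world-writable after:  $(count_world_writable "$1")"
    echo "deviations from scheme: $(count_deviations "$1")"
fi
```

Running it a second time with no changes is a cheap periodic check: a non-zero deviation count after the first run means something (an upload, a plugin installer, an FTP client) has been writing files with its own modes and is worth a look.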
Re: Protection against hackers
« Reply #1 on: November 13, 2012, 09:51:20 PM »
Thanks, I appreciate you trying to help your members out.