Almost any web-based software can endanger your server. Hackers can seize your administrator account details, access the Admin Panel and wreak havoc on your website.
If you are starting a new script installation, you should take several steps to increase the security of your website and server from the very beginning.
Strong database names, user names and passwords are very important. You should not name your database “iauto” or “ilister”. Avoid assigning the database user common account names such as “user” or passwords such as “password”.
Choosing your password is essential. For guidelines, please read the following article called The 13 Most Common Gawker Passwords Exposed. Do not forget the rule of not using common words such as “love”, “God”, “sex” and “secret” as your password.
Most likely, you will configure your database settings only once and will not use them every day; therefore, you should generate a complex and difficult-to-guess password to make a perpetrator’s job much harder.
In case you forget your password, you can find it in the database details section of the configuration files called LocalSettings.php, located in the following locations:
Finally, remember to back up your database regularly. You can automate the backup process; to do so, please ask your server administrator or your hosting ISP’s help desk to assist you.
To improve security further, you can use two different MySQL users: one for the Admin Panel back-end area and another for the front-end area.
The Admin Panel user shall have ALL permissions.
The front-end user should have only the following permissions: ‘read’ permissions for all db tables and data modification permissions (insert, update, and delete) for the following tables:
Having configured the above, set the corresponding back-end and front-end database usernames and passwords in the LocalSettings.php files of both the back-end and the front-end.
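The two-user setup described above, written out as MySQL statements. This is an added example, not a script from WorksForWeb; the database name (site_db), user names (site_admin, site_front), the two write-enabled tables (listings, messages) and the password placeholders are assumptions you must replace with your own values and the table list from your installation.

```sql
-- Assumed names: database site_db, users site_admin / site_front,
-- and tables listings and messages standing in for the tables the
-- front-end is allowed to modify. Replace the placeholder passwords
-- with long random values before running.

-- Back-end (Admin Panel) user: full rights on this database only,
-- not on the whole server.
CREATE USER 'site_admin'@'localhost'
  IDENTIFIED BY 'REPLACE-WITH-LONG-RANDOM-PASSWORD-1';
GRANT ALL PRIVILEGES ON site_db.* TO 'site_admin'@'localhost';

-- Front-end user: read everything, write only where the site needs it.
CREATE USER 'site_front'@'localhost'
  IDENTIFIED BY 'REPLACE-WITH-LONG-RANDOM-PASSWORD-2';
GRANT SELECT ON site_db.* TO 'site_front'@'localhost';
GRANT INSERT, UPDATE, DELETE ON site_db.listings TO 'site_front'@'localhost';
GRANT INSERT, UPDATE, DELETE ON site_db.messages TO 'site_front'@'localhost';

-- Check: the front-end user must not hold ALTER, DROP, CREATE, FILE
-- or any privilege on other databases. Review the output before going live.
SHOW GRANTS FOR 'site_front'@'localhost';
```

If a front-end page later fails with an “access denied” error, extend the grant for that one table rather than handing the front-end user ALL PRIVILEGES.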
Many people choose “admin” as the username for the admin account, but this is a serious mistake. If hackers want to crack your website’s admin account, they need to find the right admin username and the password, and then combine the two. If they already know that your username is “admin”, you have made their job twice as easy.
require_once('admin/lang/'. $app->getSetting('LOCALE') .'.php'); with
To lock the template files located under /application/apps/frontEnd/templates (the files that determine your website’s look and feel), change their permissions to 644 and set the permissions of their folders to 755.
By default, the cache directory is located within the /system folder, which is potentially accessible via the Apache http server. You can move this folder to a different location so that only the software itself can access the cache directory.
To do that, open LocalSettings.php for both the Admin Panel and the Front End, and add the following setting (it can be copied from DefaultSettings.php):
Please make sure that the Apache http server has permissions to write to the new cache directory.
Create an .htaccess file at /application/apps/adminPanel with the following code:
Having done that, you will limit hackers’ ability to access your admin area even if they manage to acquire your admin username and password. Note that you yourself will also be able to access the admin area only from that IP address, so you need a static IP address to use this method of securing your website.
Updates issued by Worksforweb come not only with cool new features and exciting enhancements, but also, though not often, with security fixes.
To protect customers who have not yet upgraded, or will not, these security fixes are not mentioned in the official release announcement. It is still better to upgrade and receive all those nice and useful features along with the security advantages of the new version than to leave your website with a potential security vulnerability. Such fixes are rare, but the risk should not be disregarded completely.
Stuff happens, and most of the time it happens because a Trojan horse has stolen your website access passwords or cPanel account credentials. If this has happened to you, please follow the steps below:
We hope you found these pieces of advice helpful to secure and protect your website from harm.
Author: Lena K., Head of Support Department,