9 Ways to Secure Your Installation of iAuto, iRealty and iLister Scripts
Almost any web-based software can endanger your server. Hackers can seize your administrator account details, log in to the Admin Panel and wreak havoc on your website.
If you are starting a new script installation, you should take several steps to increase the security of your website and server from the very beginning.
1. Use Strong MySQL Database Names
Strong database IDs and passwords are very important. You should not name your database “iauto” or “ilister”. Avoid giving the database user a common account name such as “user” or a password such as “password.”
Choosing your password is essential. For guidelines, please read the article called The 13 Most Common Gawker Passwords Exposed. Do not forget the rule of not using common words such as “love”, “God”, “sex” and “secret” as your password.
Most likely, you will configure your database settings only once and will not use them every day; therefore, you should generate a complex and difficult-to-guess password to make a perpetrator’s job much more difficult.
In case you forget your password, you can find it in the database details section of the configuration files called LocalSettings.php, located in the following locations:
\application\apps\frontEnd\config
\application\apps\adminPanel\config
Finally, remember to backup your database regularly. You can automate the backup process. In order to do so, please ask your server administrator or hosting ISP’s help desk to assist you.
2. Fine-Tune Permissions for MySQL
To improve security further, you can use two different MySQL users, one for the Admin Panel back-end area, and another, for the front-end area.
The Admin Panel user shall have ALL permissions.
The front-end user should have only the following permissions: ‘read’ (SELECT) permissions for all db tables, and data modification permissions (INSERT, UPDATE and DELETE) for the following tables only:
- contract_packages
- contracts
- credit_packages
- credit_transactions
- listing_comments
- listing_field_calendar
- listing_field_list
- listing_field_rating
- listing_field_tree
- listing_fields
- listing_packages
- listings
- listings_pictures
- payments
- rating
- saved_listings
- saved_searches
- uploaded_files
- user_balance
- user_sessions
- user_settings
- users
- users_notifications
Having configured the above, please set the corresponding back-end and front-end database usernames and passwords in the LocalSettings.php files for both the back-end and the front-end.
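The two-user split above, as an added example (not part of the original article or of the WorksForWeb scripts): a POSIX shell function that generates the MySQL GRANT statements for a full-rights back-end user and a front-end user that can read everything but write only the tables listed in step 2. The database name, user names, host and passwords are placeholders you pass in; pipe the output into the mysql client as an administrative user.

```shell
#!/bin/sh
# Generates GRANT statements for the back-end/front-end split. Constructed
# example: db name, users, host and passwords are placeholders (avoid single
# quotes in passwords, they are not escaped here).
# Usage: grants_sql DBNAME ADMIN_USER ADMIN_PW FRONT_USER FRONT_PW [HOST] | mysql -u root -p

# Tables the front-end user may modify (the list from step 2).
FRONTEND_WRITE_TABLES="contract_packages contracts credit_packages credit_transactions
listing_comments listing_field_calendar listing_field_list listing_field_rating
listing_field_tree listing_fields listing_packages listings
listings_pictures payments rating saved_listings
saved_searches uploaded_files user_balance user_sessions
user_settings users users_notifications"

grants_sql() {
    db=$1; admin_user=$2; admin_pw=$3; front_user=$4; front_pw=$5; host=${6:-localhost}
    # Back-end user: all privileges, but only on the application database.
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$admin_user" "$host" "$admin_pw"
    printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'%s';\n" "$db" "$admin_user" "$host"
    # Front-end user: read every table, write only the listed ones.
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$front_user" "$host" "$front_pw"
    printf "GRANT SELECT ON \`%s\`.* TO '%s'@'%s';\n" "$db" "$front_user" "$host"
    for t in $FRONTEND_WRITE_TABLES; do
        printf "GRANT INSERT, UPDATE, DELETE ON \`%s\`.\`%s\` TO '%s'@'%s';\n" \
            "$db" "$t" "$front_user" "$host"
    done
    printf "FLUSH PRIVILEGES;\n"
}
```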
3. Choose a Custom Username for the Admin Account
Many people choose “admin” as the username for the admin account, but this is a serious mistake. If hackers plan to crack your website’s admin account, they need to find both the right admin username and the password, and then combine the two. When they already know that your username is “admin”, you have made their job twice as easy.
4. Move the Admin Panel to a Different URL
- Rename the “admin” folder in the root of the installation (let us assume you renamed it to “a-d-m-i-n”).
- Open the index.php file and replace
  require_once('admin/lang/'. $app->getSetting('LOCALE') .'.php');
  with
  require_once('a-d-m-i-n/lang/'. $app->getSetting('LOCALE') .'.php');
- Then go to the front-end’s LocalSettings.php and change ADMIN_SITE_URL to the one that ends with “a-d-m-i-n” instead of “admin” (no trailing slash!).
- Open the Admin Panel’s LocalSettings.php and correct the URL accordingly.
- Request a new license for the Admin back-end only from our Sales Department.
5. Change Template File Permissions to Read-Only/Non-Writable
In order to lock the template files located under /application/apps/frontEnd/templates (files determining your website’s look and feel), please change their permissions to 644 and set the permissions of their folders to 755.
6. Move System Cache to a Different Folder
By default, the cache directory is located within the /system folder, which is potentially accessible via the Apache http server. You can move this folder to a different location in order to limit access to the cache directory to the software itself.
To do that, open LocalSettings.php for both the Admin Panel and the Front End, and add the following setting (it can be copied from DefaultSettings.php):
```php
'CACHE_DIR' => '/path/to/a/different/cache/dir',
```
Please make sure that the Apache http server has permission to write to the new cache directory, and that the new location is outside the web root so that it is not served to browsers.
7. Restrict Access to the Admin Panel to Your IP Address
Create an .htaccess file at /application/apps/adminPanel with the following code (Apache 2.2 syntax; note that there is no space after the comma in Order, and that Apache does not allow comments at the end of a directive line, so the comments sit on their own lines):
```apache
Order deny,allow
# your IP
Allow from 1.2.3.123
# the IP of your site administrator
Allow from 1.2.3.234
Deny from all
```
On Apache 2.4 these directives require mod_access_compat; the native 2.4 equivalent is a single `Require ip 1.2.3.123 1.2.3.234` line.
Having done that, you will limit the ability of hackers to access your admin area even if they have managed to acquire your admin username and password. You yourself will be able to access the admin area only from those IP addresses, so please keep in mind that you need a static IP address to use this method of securing your website.
8. Update Your Software Copy Regularly
Updates issued by WorksForWeb come not only with cool new features and exciting enhancements, but also, though not very often, with security fixes.
To protect those who have not yet upgraded or will not upgrade, you will not see any mention of these security fixes in the official release announcement. It is therefore better to upgrade and receive all those nice and useful features along with the security advantages of the new version than to leave your website with a potential security vulnerability. Such vulnerabilities are rare, but the risk should not be disregarded completely.
9. What Should I Do if My Website Was Broken Into?
Stuff happens, and most of the time it happens due to Trojan horse viruses that have stolen your website access passwords or cPanel account credentials. In case this has happened, please follow the steps below:
- Change all passwords for your website, your server and your hosting account, including the accounts for the following services: FTP, cPanel, SSH, email, and so on.
- If the website is damaged or tampered with, restore your database and files from the most recent backup.
- If you do not have any backup, check all the content pages and templates for suspicious PHP code, unexpected content, and strange-looking strings of characters in templates.
- Delete all files which have nothing to do with your software installation from your website (be careful).
- If none of the above measures helped, you will need to carry out a fresh installation.
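Steps 5 and 9 as an added shell example (not part of the original article or of the scripts themselves): one function applies the 644/755 permissions from step 5 to a template tree, and another lists files for manual review, either because they call decoding or command-execution functions that legitimate templates almost never need, or because they are .php files modified after a known-good reference file such as the backup you restored from. The directory and reference-file paths are placeholders; the real template tree is /application/apps/frontEnd/templates.

```shell
#!/bin/sh
# Added example for steps 5 and 9. Paths are placeholders supplied by the caller.

# Step 5: make templates read-only for the web server: files 644, folders 755.
lock_templates() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Step 9: functions typical of injected PHP (decoders, command execution, the
# old preg_replace /e modifier). The leading group avoids matching e.g.
# "filesystem(". A hit is a lead for manual review, not proof of compromise.
SUSPICIOUS_RE="(^|[^A-Za-z0-9_])(eval|assert|base64_decode|gzinflate|str_rot13|shell_exec|passthru|system|exec) *\(|preg_replace *\([^)]*/e['\"]"

# usage: scan_templates DIR [REFERENCE_FILE]
# Prints each suspicious file once: content matches, plus any .php file that is
# newer than REFERENCE_FILE when one is given.
scan_templates() {
    dir=$1; ref=$2
    {
        grep -rlE "$SUSPICIOUS_RE" "$dir"
        if [ -n "$ref" ]; then
            find "$dir" -type f -name '*.php' -newer "$ref"
        fi
    } | sort -u
}
```

Review every listed file by hand before deleting anything; a legitimate plugin may call one of these functions.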
We hope you found these pieces of advice helpful to secure and protect your website from harm.
Author: Lena K., Head of Support Department,
WorksForWeb