6 tips for securing your website
Most people online are good and honest people. However, some people browse the Internet and draw pleasure from navigating websites and finding security gaps. Some simple tips can help you secure your website in basic ways. Now, it is clear that the topic of data security is complex and goes beyond the scope of this column. However, I will address the basics one must do that will alleviate many potential problems that may allow people to see things they shouldn't do.
Password protection guides
If you have proof of your server which should remain private, don't rely on people not guessing the name of the guide. Password better protects the folder at the server level. More than 50% of existing websites are powered by the Apache server, so let's take a look at how password protection for a guide to Apache.
Apache takes configuration orders via a file called .htaccess which is found in the directory. Commands in .htaccess have an effect on this folder and any subfolder unless a particular subfolder has its own file. To protect the folder with a password, Apache also uses a file called .htpasswd. This file contains the names and passwords of users who have been granted access. Password is encrypted, so you should use htpasswd to create passwords. To access it, go to the command line in your server and type htpasswd. If you receive a "non-existent" error, you need to contact your system management. Also, keep in mind that many web hosts provide web-based methods to secure a directory, so they may have things set up for you to do this way rather than on your own. Except for this, let's continue.
Type "htpasswd -c. htpasswd my username "where" my username "is the username you want. You will then be asked for a password. Make sure that the file will be created. You can check this again via FTP. Also, if the file is inside your web folder, you should move it so that it is not accessible to the public. Now, open or create your access file. Inside, include the following:
AuthUserFile /home/www/passwd/.htpasswd
AuthGroupFile /dev/null
AuthName "Secure Folder"
AuthType Basic
Require user valid
In the first line, adjust the route of the guide to wherever your file is. Once you set this up, you'll get a pop-up dialogue when you visit this folder on your website. You will be asked to log in to view it.
Turn off guide lists
By default, any guide to your website that does not have a recognized reception page file (index.htm, index.php, default.htm, etc.) will instead display a list of all the files in this folder. You may not want people to see everything you have out there. The simplest way to protect against this is simply to create an empty file, call it index.htm and then upload it to this folder. Your second option is, again, to use the .htaccess file to disable the guide list. To do this, include the line "options indexes" in the file. Now, users will get 403 errors instead of the file list.
Delete installation files
If you install software and texts on your website, they come many times with installation and/or text upgrade. Leaving it on your server opens up a huge security problem because if someone else is familiar with this software, they can find and run installation/upgrade texts and thus reset your entire database, configuration files, etc. A well-written software package will warn you not to remove these elements before you are allowed to use the software. However, be sure to do so. Just delete the files from your server.
Keep up with security updates
Those who manage software packages on their website need to stay connected to security updates and alerts related to this software. Not doing so can leave you wide open to hackers. In fact, a blatant security hole is detected and reported many times and there is a delay before the creator can issue a correction. Anyone that leans this far can find your site that runs the software and exploit the vulnerability if you don't upgrade. I've burned myself down because of this a few times, where whole forums have been destroyed and I've had to regain support. This is happening.
Reduce the level of error reporting
Talk mainly about PHP here because that's what I work in, the errors and warnings generated by PHP are printed, by default, with full information to your browser. The problem is that these errors usually contain complete guide tracks for the respective texts. It gives a lot of information. To mitigate this, reduce the level of error reporting in PHP. You can do it in two ways. The first is to adjust your php.ini file. This is the main configuration of PHP on your server. Find error_reporting display_errors and directives. However, if you do not have access to this file (many in shared hosting do not), you can also reduce the error reporting level using the error_reporting function () PHP. Include this in a global file of your texts in this way that will work in all areas.
Secure your models
Models open a wide slot for your server to hackers if you don't program them correctly. Since these forms are usually sent to some text on your server, sometimes with access to your database, a form that does not provide some protection can provide the hacker with direct access to all kinds of things. mind you... Just because you have an address area that reads "Address" in front of it doesn't mean you can trust people to enter their address in this area. Imagine that your form is not properly encrypted and the text it offers is not. What prevents the hacker from entering an SQL query or programming code in this title area? With that in mind, here are some things to do and look for:
Use MaxLength. Input fields in shape can be used as a max length feature in HTML to reduce input length on models. Use this to prevent people from entering lots of WAY data. This will stop most people. The hacker can bypass it, so you should protect against forgetting information at the next level too.
Hide emails if you use a form-to-email script, do not include the email address in the form itself. It defeats the point and spiders can still find your email address.
Use the validation of the form. I will not enter into a lesson on programming here, but any text the form provides must validate the inputs received. Ensure that the fields received are the fields expected. Ensure that the incoming data is of reasonable and predictable length and appropriate form (in case of emails, phones, mailings, etc.).
Avoid SQL injection. A full lesson about SQL injections can be reserved for another article, but the basics are that it is allowed to enter the form directly into the SQL query without validating, thereby giving the hacker the ability to execute SQL queries via your web form. To avoid this, always check the type of data received (numbers, strings, etc.), run adequate form verification at the top, and write queries in such a way that the hacker cannot enter anything into the form making the query do something other than what you intend.
CONCLUSION
Website security is a somewhat embedded topic and gets a lot more technology than this. However, I've given you a basic introductory book about some of the easiest things you can do on your website to mitigate the majority of threats on your website.