Secure the web/FTP server

The web server software configuration is largely managed by your web host, who is responsible for the “general” securing of the web server. However, that does not mean (at all) that your system, whose interface is output by the web server, is automatically secure. That is why you need to take extra steps to secure your system, using what the web server has to offer. Some of these may seem childishly obvious or simplistic. Regardless, just make sure you have them covered.

Web/FTP server

  • prevent the server from outputting too much information on errors (such as the server version), and customize the error pages if needed
  • where possible use secure FTP to upload/download your scripts

Web/FTP server: administrator setup

  • never use “admin”, “root”, or other easily guessable names for your cPanel (or other control panel) account and main FTP account
  • always choose a strong administrator password
  • do not store web/FTP server administrator credentials anywhere on the server, or on paper, in plain view of others
  • never give away administrator credentials

File system access

  • never allow directory indexes, unless it’s part of the intended functionality of your system; put Options -Indexes in your .htaccess file(s), or have an index.html in each directory, to achieve this
  • forbid web access for all directories and files that do not need to be accessed from the web, for example the directory holding your “core” scripts, containing code that doesn’t actually output anything; achieve this by placing Deny from All in the directory’s .htaccess file
  • deny write access to all files, and grant read rights only to your scripts for sensitive files that are not supposed to be read from the web, using chmod
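The three file-system controls above can be checked and applied from the shell. The script below is an added example, not code from the original page: it audits a web root for directories that would allow an index listing (no index.html and no Options -Indexes in their own or any parent .htaccess up to the web root), checks that a “core” directory carries Deny from All (the Apache 2.4 equivalent Require all denied is also accepted), writes those directives where they are missing, and sets the file modes described in the last bullet. The sample tree built by demo is constructed for illustration; the directory names (public, core, uploads) and the file config.php are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit and apply the .htaccess and
# file-mode controls described in the "File system access" checklist.

# Return 0 if $1/.htaccess contains a line matching regex $2 (case-insensitive).
has_directive() {
    if [ -f "$1/.htaccess" ] && grep -qi "$2" "$1/.htaccess"; then
        return 0
    fi
    return 1
}

# Return 0 if directory $1 has "Options -Indexes" in effect, looking at its own
# .htaccess and then each parent up to the web root $2 (Apache inherits it).
indexes_disabled_for() {
    d="$1"; root="$2"
    while :; do
        if has_directive "$d" 'Options[[:space:]].*-Indexes'; then
            return 0
        fi
        if [ "$d" = "$root" ]; then
            return 1
        fi
        d=$(dirname "$d")
    done
}

# Print every directory under web root $1 that would serve a directory listing:
# no index.html and no effective "Options -Indexes".
find_indexable_dirs() {
    root="$1"
    find "$root" -type d | while read -r d; do
        if [ ! -f "$d/index.html" ] && ! indexes_disabled_for "$d" "$root"; then
            echo "$d"
        fi
    done
}

# Return 0 if directory $1 denies all web access ("Deny from All", or the
# Apache 2.4 form "Require all denied").
core_is_denied() {
    if has_directive "$1" 'Deny[[:space:]]*from[[:space:]]*All' || \
       has_directive "$1" 'Require[[:space:]]*all[[:space:]]*denied'; then
        return 0
    fi
    return 1
}

# Add the two directives from the checklist to a directory's .htaccess.
disable_indexes() { printf 'Options -Indexes\n' >> "$1/.htaccess"; }
deny_web_access() { printf 'Deny from All\n' >> "$1/.htaccess"; }

# File modes from the last bullet: every file under $1 becomes read-only for
# everyone (0444); the sensitive file $2 becomes readable by its owner only
# (0400), i.e. only the account that runs the scripts. Directories are left as-is.
harden_modes() {
    find "$1" -type f -exec chmod 444 {} +
    chmod 400 "$2"
}

# Build a constructed sample tree in a temp directory, audit it, fix it, re-audit.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/public/images" "$root/core" "$root/uploads"
    echo '<html></html>' > "$root/public/index.html"        # has an index page
    printf 'Options -Indexes\n' > "$root/public/images/.htaccess"
    echo 'placeholder-config' > "$root/core/config.php"     # constructed sensitive file

    echo "Before: directories that would list their contents:"
    find_indexable_dirs "$root"
    core_is_denied "$root/core" || echo "core/ is NOT denied from the web"

    disable_indexes "$root"           # inherited by every subdirectory
    deny_web_access "$root/core"
    harden_modes "$root" "$root/core/config.php"

    echo "After: directories that would list their contents:"
    find_indexable_dirs "$root"
    core_is_denied "$root/core" && echo "core/ is denied from the web"
    rm -rf "$root"
}

demo
```

Run it in the web root you are checking by calling find_indexable_dirs and core_is_denied with real paths instead of the demo tree; because the audit walks up to the web root, a single Options -Indexes in the top-level .htaccess clears every subdirectory, exactly as Apache inherits it.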
