ewiget (Admin)
Recommended Steps to Secure PHP Installations - 2006/07/05 14:02
We often get asked about how secure our servers are. The servers themselves are secured by various means, but often a customer installs something, such as a content management system, or other types of php/cgi scripts that may not be too secure with a default installation. For that reason, we have created these simple extra steps to help you further secure your installations.
If you are installing a content management system (drupal, mambo, joomla, phpnuke, typo3, etc.), or any type of file that holds connection strings to a database, you should move that file out of the root folder of your web site. We will use phpnuke as the example. The phpnuke configuration file is called config.php. This file holds sensitive information such as the database username, database password, and the name of the database to connect to, and it is read every single time a visitor hits your web page. Because it is a php file, it should not normally be readable by visitors, since the server processes it instead of sending it out. Without going into specific details, this is not always the case (a misconfigured or broken PHP handler can serve the file as plain text), and it is very easy to move the file outside of the web root just in case.
Move the config.php file to another directory
To move the file, which is usually located at /public_html/config.php, you simply move it outside of the public_html folder into a folder of your choice that is not served by the web server. You then create a new config.php in the original location which contains nothing but an include directive pointing at the real config.php. Here is an example with the real config.php located in a folder called secret, beside public_html:
Code:
<?php
// Stub left behind in public_html/config.php: the real settings live outside the web root.
// If someone requests this stub directly by name, send them to the front page instead.
if (stristr($_SERVER['SCRIPT_NAME'], "config.php")) {
    header("Location: index.php");
    die();
}
// "../secret" is resolved relative to the current working directory (normally
// public_html, where index.php runs), so it reaches the folder beside public_html.
// The @ silences the warning if the file is missing, so check your site still works after the move.
@include("../secret/config.php");
?>
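The move described above can be scripted so that it is done the same way every time. The following is an added example, not code from the original post or from phpnuke: it moves the config file out of the document root, writes the stub in its place, and refuses to run if the "secret" folder is actually inside the web root. The directory layout (a public_html folder and a sibling secret folder) is assumed; the stub it writes uses an absolute path and require instead of the relative @include, so a missing file fails loudly rather than silently.

```shell
#!/bin/sh
# Added example (not from the original post). Move a CMS config file out of the
# web root and leave a small PHP stub behind that includes the real one.
# Assumed layout: DOCROOT is the public_html directory, SECRET is a folder the
# web server never serves (for example a sibling of public_html).

move_config_outside_webroot() {
  docroot="$1"
  secret="$2"
  name="${3:-config.php}"   # file to move; defaults to phpnuke's config.php

  mkdir -p "$secret" || return 1
  docroot_abs=$(cd "$docroot" && pwd -P) || return 1
  secret_abs=$(cd "$secret" && pwd -P) || return 1

  # Refuse to "protect" the file by moving it to another served folder.
  case "$secret_abs/" in
    "$docroot_abs"/*)
      echo "refusing: $secret is inside the document root $docroot" >&2
      return 1 ;;
  esac

  [ -f "$docroot_abs/$name" ] || { echo "no $name in $docroot" >&2; return 1; }

  # Move the real file and make it readable only by the account owner.
  mv "$docroot_abs/$name" "$secret_abs/$name" || return 1
  chmod 600 "$secret_abs/$name" || return 1

  # Write the stub: redirect direct requests, otherwise pull in the real file
  # by absolute path so the include does not depend on the working directory.
  cat > "$docroot_abs/$name" <<EOF
<?php
// stub written by move_config_outside_webroot: real settings live outside the web root
if (stristr(\$_SERVER['SCRIPT_NAME'], '$name')) {
    header('Location: index.php');
    exit;
}
require '$secret_abs/$name';
EOF
  chmod 644 "$docroot_abs/$name"
}

# usage: move_config_outside_webroot /home/user/public_html /home/user/secret
```

Run it once per config file; afterwards the only copy of the database credentials sits in the secret folder with mode 600, and the file in public_html contains nothing worth reading.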
Setting Up Password Protected Directories
Another step to further secure a cms or other type of php installation is to password protect the administration folder. Again, using phpnuke as an example, the folder would normally be located at /public_html/admin. To secure this folder you need to log into cpanel. Click on the "Password Protect Directories" button. Navigate to the directory you want to protect with a password. Select a folder by clicking on the folder name link, or open a folder by clicking on the folder icon. Click on the tick box next to the Lock icon for the folder you want to protect, admin in this case. Enter the name that you want to appear in the Protected Resource Name field. This is optional and purely for the user's benefit; it is useful if you have more than one protected directory. Click on the Save button. You now need to add at least one authorized user to enable access to the directory.
You control who can access protected directories by adding authorized users. At least one authorized user needs to be added, otherwise no-one will be able to view the directory.
To add or modify an authorized user:
Click on the "Password Protect Directories" button on the home page.
Navigate to the required directory. Select a folder by clicking on the folder name link. Open a folder by clicking on the folder icon.
Enter the user's name in the Username field, and their password in the Password field.
Click on the Add New User button.
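Behind the cpanel button, directory protection on an Apache host is an .htaccess file in the protected folder that points at a password file kept outside the web root. The following added example (not from the original post or from cpanel) writes those two pieces by hand, which is what you would do on a host without the control panel; it assumes Apache with AllowOverride AuthConfig enabled for the account and a hypothetical path layout. Password hashes are passed in already computed, for example from htpasswd(1) or openssl passwd -apr1, so the script itself never sees a cleartext password.

```shell
#!/bin/sh
# Added example (not from the original post). Protect a folder with HTTP Basic
# auth the way cpanel's "Password Protect Directories" does on Apache.
# Assumes AllowOverride AuthConfig is permitted for the directory (hypothetical host).

# Write the .htaccess that makes Apache demand a login for everything under $dir.
protect_directory() {
  dir="$1"          # folder to protect, e.g. /home/user/public_html/admin
  realm="$2"        # the "Protected Resource Name" shown in the browser prompt
  passwdfile="$3"   # absolute path of the .htpasswd file, outside public_html
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
  case "$passwdfile" in
    /*) ;;
    *) echo "AuthUserFile must be an absolute path" >&2; return 1 ;;
  esac
  cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "$realm"
AuthUserFile $passwdfile
Require valid-user
EOF
}

# Add or replace one user in the password file. $hash is a precomputed
# Apache-compatible hash (htpasswd -nB or openssl passwd -apr1 produce one).
add_htpasswd_user() {
  passwdfile="$1"
  user="$2"
  hash="$3"
  touch "$passwdfile" && chmod 600 "$passwdfile" || return 1
  # drop any existing line for this user, then append the new one
  grep -v "^$user:" "$passwdfile" > "$passwdfile.tmp" || true
  printf '%s:%s\n' "$user" "$hash" >> "$passwdfile.tmp"
  mv "$passwdfile.tmp" "$passwdfile"
}

# Report the users currently allowed in, one per line.
list_htpasswd_users() {
  cut -d: -f1 "$1"
}

# usage:
#   protect_directory /home/user/public_html/admin "Site administration" /home/user/.htpasswd
#   add_htpasswd_user /home/user/.htpasswd alice "$(openssl passwd -apr1)"
```

Keep the password file out of public_html (here a sibling of it), and remember that this only protects the folder when Apache is allowed to honour .htaccess there; if the login prompt never appears, check AllowOverride before blaming the file.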
Ed Wiget, Technical Support, http://www.xtremewebhosts.com