Last week we worked on geotagging our site so that local people can find it more easily. This week we will look at a quick method to secure your folders from hackers trying to gain access to or deface your sites. Anyone using open source software should know they are at greater risk of being exploited by hackers and should be security conscious when using that software.
If you have a folder, like your images folder, that you do not want anyone to browse, you can add a blank index.html page to that folder. This will prevent anyone from viewing a listing of that folder's contents. The problem with this method is that in open source software it is very easy to find the files because they are stored in the same location on every installation. Adding an index.html file to your folder will only stop basic nosey people from browsing folders they should not be browsing. For example, with WordPress I can go in and see what plugins you have installed by going to www.yourblogurl.com/wp-content/plugins/.
A lot of open source software requires you to set folders to a permission of 777. This means that those files and folders are readable and writable by anyone. The result is that someone could maliciously use your site for phishing or spamming by uploading their own files into the insecure folder.
Some software only requires the folder or file to be set to 777 during the initial setup, so it can write configuration information. For example, WordPress wants you to set your theme files to writable so you can modify them directly from your admin area. This is a great feature, but I would suggest that once you are done editing them you set the folder and file permissions back to what they were originally.
From time to time you will need to have folders set to 777 so you can upload images. You can stop certain file types in those folders from being browsed by creating a .htaccess file and adding the following to it…
Order Allow,Deny
Deny from all
You can add other file types to the end if your server supports them; ASP, for example, would be |asp.
There are certain folders in most open source software that hackers will probe for exploits. Folders like an include folder are usually hit hard on sites. We do have mod_security installed on our own servers to block a majority of the well-known exploits. To be more secure, you can add your own layer of security by adding a .htaccess file to your own include folders to prevent browsing of those folders completely. Add the following to the .htaccess…
<Limit GET POST PUT>
deny from all
</Limit>
This will prevent anyone from viewing that folder at all. Sometimes the include folder is in an admin area that only you or a few others need to see. You can secure it the same way but add an allow rule based on your IP. Again, create a .htaccess file, find your IP address and add the following…
<Limit GET POST PUT>
allow from 126.96.36.199
deny from all
</Limit>
You may need to tweak or combine these various methods to ensure the best security for your folders.
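As an added example (not from the original post), here are the two kinds of rule described above, the file-type block for a writable upload folder and the IP-restricted include folder, written out as complete .htaccess files that work on both Apache 2.2 and 2.4. The folder names, the extension list and the address 203.0.113.10 are assumptions; substitute your own.

```apache
# --- File 1: uploads/.htaccess (writable upload folder; folder name is an assumption) ---
# Refuse to serve script-type files, so a script dropped into this folder
# cannot be requested. The extension list is an assumed sample; append any
# other types your server executes (for example |aspx).
# (?i) makes the match case-insensitive; the trailing (\.|$) also matches
# double extensions such as name.php.jpg.
<FilesMatch "(?i)\.(php|phtml|pl|py|cgi|asp)(\.|$)">
    # Apache 2.4 and later (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (the same directives the post uses)
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# --- File 2: include/.htaccess (admin-only folder; folder name is an assumption) ---
# No <Limit> wrapper here, so the rule applies to every HTTP method,
# not only GET, POST and PUT.
# 203.0.113.10 is a placeholder address; replace it with your own IP.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>
```

After saving each file, request a blocked path from an address that is not on the allow list and confirm the server answers 403; a 500 response usually means the host's AllowOverride setting does not permit these directives in .htaccess.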
If you get stuck let me know in the comments.