Secure your hosted web applications like Joomla, WordPress etc.

While there is no foolproof solution for security, there are a lot of precautions you can take to keep your website safe and secure.

Usually, I would recommend the following for any website running on any web server.

1. Regularly update/upgrade/patch all PHP applications (and others such as ASP.NET, Perl etc. too) like WordPress, Joomla etc. as soon as new patches/updates are available. Most of these applications get compromised through publicly known bugs that a patch already fixes, so the delay between a patch being released and you applying it is the window an attacker uses.

2. Consider resetting the passwords of the WordPress administrator, FTP user, cPanel user etc. regularly, and use a different password for each of them so that one leaked password does not open everything.

3. Don't store passwords in your web browser or FTP client, as trojans and viruses can steal these stored passwords. Prefer SFTP over plain FTP where your host offers it; plain FTP sends the password in clear text.

4. Avoid using shared computers in internet cafes. Using public Wi-Fi is also a security risk, however much we all love the convenience it offers.

5. Scan your PC with a good antivirus regularly to ensure that your computer is not home to password-stealing trojans.

6. Your website may have facilities that allow file uploads for various reasons. For example, you may allow users to upload their pictures, but an attacker can use the same facility to upload a PHP-based file manager (we call it a "PHP shell"). That PHP shell can then be used to attack your website further; the attacker will ultimately deface or destroy your website and may attempt to break into other websites on the same server. So we recommend identifying all file-upload facilities and removing as many of them as possible. If you really need file uploads, lock them down to properly registered users, accept only the file types you actually expect, and make sure the web server never executes an uploaded file as PHP (for example by storing uploads outside public_html, or in a directory where PHP execution is disabled).
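As an added example (my own script, not part of the original post), here is a small check for the PHP-shell problem described in point 6: it scans an upload directory for files that could be executed as PHP, flagging both PHP-looking file names (including the "shell.php.jpg" form that Apache's multi-extension handling can still run as PHP) and files of any extension whose first 4 KiB contain a PHP open tag. The upload directory path is an assumption; point it at wherever your application stores uploads.

```shell
#!/bin/sh
# Added example (not from the original post): scan an upload directory for
# files an attacker could use as a PHP shell. Two checks:
#   EXT  the name ends in a PHP-executable extension, including the
#        "shell.php.jpg" trick that Apache's multi-extension handling can
#        still execute as PHP
#   TAG  the first 4 KiB contain a PHP open tag regardless of extension,
#        e.g. an "avatar.jpg" that is really <?php ... ?>
# Assumptions (mine, not the post's): uploads live in one directory tree,
# and head -c is available (GNU, BSD and busybox all have it).
# Usage: scan_uploads "$HOME/public_html/images/uploads"

scan_uploads() {
    dir=$1
    find "$dir" -type f | while IFS= read -r f; do
        case "$f" in
            *.php|*.php[34567]|*.phtml|*.phar|*.phps|*.php.*)
                echo "EXT  $f"
                continue
                ;;
        esac
        # look only at the start of the file so large images are cheap to check
        if head -c 4096 "$f" | grep -q -e '<?php' -e '<?='; then
            echo "TAG  $f"
        fi
    done
}

# count_suspicious DIR: number of flagged files, handy for a cron job that
# mails you whenever the result is non-zero
count_suspicious() {
    scan_uploads "$1" | wc -l | tr -d ' '
}
```

Run it from cron against every upload directory you identified; a non-zero count is worth a look even when the file turns out to be a legitimate template, because anything PHP-executable in a user-writable directory is exactly what the attacker is aiming for.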

Beyond the above suggestions, here are some tips for running websites on our shared/reseller servers.

1. Ensure that PHP files have 644 permission. You can run the following command to fix this.

find ~/public_html/ -type f -name "*.php" -exec chmod -v 644 {} \;

2. Ensure that all folders under public_html have 755 permission. You can run the following command to fix this.

find ~/public_html/ -type d -exec chmod -v 755 {} \;

3. Ensure that the permission of the public_html folder itself is set to 750. If you have shell access, you can run the following command to fix this.

chmod -v 750 ~/public_html

4. Files containing very critical information, such as database passwords, can be given a minimum permission of 400. These files have different names in different applications. Note that 400 only works when PHP runs as your own account user (suPHP, CGI or FPM setups); under mod_php the web server user would no longer be able to read the file and the site would stop working.

The following command gives you a broad list of files which may contain critical information.

find */public_html/ \( -name conf.php -o -name config.php -o -name config.inc.php -o -name configuration.php -o -name configure.php -o -name conn.php -o -name connect.php -o -name connection.php -o -name connect.inc.php -o -name database.php -o -name dbconf.php -o -name dbconnect.php -o -name dbconnect.inc.php -o -name db_connection.inc.php -o -name db.inc.php -o -name db.php -o -name dbase.php -o -name setting.php -o -name settings.php -o -name setup.php -o -name e107_config.php -o -name wp-config.php \)

You SHOULD NOT blindly change the permission of all the files listed by the above command: some are ordinary application files that merely happen to have such a name. Check what each file contains and then change the permission of the real credential files judiciously.
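To tie the four tips above together, here is an added example (my own script, not part of the original post) that audits one account against that permission scheme and reports every deviation before anything is changed, then applies tips 1 to 3 and, as a separate explicit step, tip 4. It assumes a cPanel-style layout with the site under $HOME/public_html and PHP running as the account user; the list of config file names is a shortened version of the post's find command and is my assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit, and optionally apply,
# the permission scheme from the four tips above for one hosting account.
# Assumptions (mine): a cPanel-style layout with the site under
# $HOME/public_html, and PHP running as the account user (suPHP/CGI/FPM),
# which is what makes 750 on public_html and 400 on config files workable.
# Under mod_php the web server user could not read a 400 config file and the
# site would break, so audit first and only then run lock_config.
# Only POSIX find(1)/chmod(1) are used, so no GNU-vs-BSD stat differences.

# Names treated as credential files; shortened from the post's longer list.
CONFIG_NAMES='wp-config.php configuration.php config.php config.inc.php settings.php db.php'

is_config() {
    for n in $CONFIG_NAMES; do
        [ "${1##*/}" = "$n" ] && return 0
    done
    return 1
}

# audit_perms ROOT: one line per deviation ("KIND path"); prints nothing if clean.
#   ROOT  public_html itself is not 750
#   DIR   a directory below it is not 755
#   FILE  a PHP file is not 644
#   CONF  a config file is group- or world-readable (400 and 600 both pass)
audit_perms() {
    root=${1%/}
    find "$root" -prune ! -perm 750 -print | sed 's/^/ROOT /'
    find "$root" -type d ! -path "$root" ! -perm 755 -print | sed 's/^/DIR  /'
    find "$root" -type f -name '*.php' -print | while IFS= read -r f; do
        if is_config "$f"; then
            find "$f" \( -perm -040 -o -perm -004 \) -print | sed 's/^/CONF /'
        else
            find "$f" ! -perm 644 -print | sed 's/^/FILE /'
        fi
    done
}

# count_issues ROOT: number of deviations, for cron or a pre-change check
count_issues() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# fix_perms ROOT: apply tips 1-3 (644 files, 755 dirs, 750 root), leaving
# config files untouched so a mod_php site is not broken by accident.
fix_perms() {
    root=${1%/}
    chmod 750 "$root"
    find "$root" -type d ! -path "$root" -exec chmod 755 {} \;
    find "$root" -type f -name '*.php' -print | while IFS= read -r f; do
        if ! is_config "$f"; then chmod 644 "$f"; fi
    done
}

# lock_config ROOT: tip 4, only once you know PHP runs as your own user.
lock_config() {
    root=${1%/}
    find "$root" -type f -name '*.php' -print | while IFS= read -r f; do
        if is_config "$f"; then chmod 400 "$f"; fi
    done
}
```

A sensible workflow is `audit_perms ~/public_html` first, read the CONF lines to confirm they really are credential files, `fix_perms`, and only then `lock_config`; if the site stops loading after that last step, PHP is running as the web server user on that server and 600 or 640 is as far as you can go.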

You may also find application-specific security suggestions on the internet.

E.g.:
Joomla
———
1. http://docs.joomla.org/Category:Security_Checklist

WordPress
—————-
1. http://codex.wordpress.org/Hardening_WordPress
2. http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/
