Security tips to protect your website from hackers

Now a days this is a common issue with the websites is that they are getting hacked or malware affected. Everyday millions of website are getting hacked and blocked by Google. In many cases the hacker or malware add malicious codes in your HTML or PHP files, edit your .htaccess file, add or edit your MySql database, some time even they delete all records from database tables by using truncate table command. Also they uploaded files to web server. How is it possible to upload files, editing database or changing files without knowing the passwords? Yes, this is possible for hackers, because the they are are the best.
The following are few of my findings to stop hacking, but the hackers can say better how to protect them..

Protect through .htaccess file

.htaccess file contains the configuration statements/ commands to customize the Apache Web server as per user requirement. click here to know more about .htaccess files.

Disable php global

Some web server allow user to change php settings through .htaccess file, if your host provides this option then you can disable php global through .htaccess file. Write down the following code in the first line of your .htaccess file. If you see 500 internal sever error after adding the code, then remove this code from your .htaccess file.

php_flag register_globals off 

Turn off Server Signature

It is better to turn off your server information, so the hacker will get less information about your server.
ServerSignature Off

Disable Directory Listing

This is a best practices to disable your directory listing. If your fancy indexing is enable then it should also disable. Fancy indexing is used to display file size, type modified date etc.
Opptions -Indexes
IndexOptions -FancyIndexing

Deny access to Directories

You can create a separate .htaccess file and upload it to those folders which you want deny access.

Order Deny, Allow
Deny from all

Disallow the access of any file

You can protect your config files and other important files by adding the following in your htaccess file.
<files .htaccess>
order allow,deny
deny from all
</files>

<files php.ini>
order allow,deny
deny from all
</files>

<files config.php>
order allow,deny
deny from all
</files>

Upload Directory

If you give option to your to upload files then there will be more possibility, your site will be hacked or affected by malware. In that case create a .htaccess file save it in your user uploaded directory.
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>

Preventing hotlinking

RewriteRule \.(gif|jpg|js|css)$ - [F]

Click here to know more about hotlinking.

URL Rewrite or SEO Friendly URL

This is a best practices to use SEO friendly URL. If your page url is
 http://wwww.domain.com/product.php?id=9 

Then the hacker can easily enter into your database through id, so you can change your URL to something like this
http://wwww.domain.com/product/9/
or
http://wwww.domain.com/product-9/

Click here to know more about URL Rewrite.

So your final .htaccess file will look something like this
php_flag register_globals off 
RewriteEngine on
RewriteBase /
ServerSignature Off
RewriteRule \.(gif|jpg|png|js|css|php)$ - [F]
Opptions -Indexes
IndexOptions -FancyIndexing

/* URL Rewrite code goes here */

<files .htaccess>
order allow,deny
deny from all
</files>


Click continue to know more about SQL Injection and other protection methods like file and folder permission, client side and server side validation etc.  

Comments
comments powered by Disqus