Protect your website from hacker attacks: two effective tricks
While it is true that today it has become relatively easy to open and run a website, it is also true that many people neglect the "security" side of it.
The result is a string of "You've been hacked" messages, lost passwords, corrupted databases, waves of spam or, even worse, malicious code injected into pages.
Beyond the usual advice (keep your CMS, WordPress or whatever else, up to date, use a long password and a user name other than the classic "admin"), some statistics in my site's control panel relating to 404 errors (page not found) showed something interesting.
In fact, these pages had been requested many times:
/undefined
/crossdomain.xml
/signup
/signup.php
/register.php
/wp-login.php
/administrator/
/guestbook//admin.php
/signup/
//admin.php
/member/register
/join.php
/account/register.php
/shop
/login.aspx
each with the result "error 404", meaning that these pages did not exist on my website.
As you can see, the would-be "criminal" was trying, at random, to reach pages that usually ask for a username and password, or that otherwise give access, through SQL and PHP, to a database that could then be corrupted (SQL injection).
It is therefore worth avoiding pages with names like these, renaming them in slightly different ways, so as to avoid being "caught" by bots that scan sites for weak points by looking for common words such as "login", "signup", "shop" and "register".
Another statistic from my control panel (specifically, the server log) often read:
[09-Dec-2012 15:35:45 Europe/Berlin] PHP Warning: mysql_query() [<a href='function.mysql-query'>function.mysql-query</a>]: Access denied for user 'root'@'localhost' (using password: NO) in /xxx/xxx/xxx/yyy.php on line X
In short, someone tried to open some PHP pages in a subfolder which should normally not be opened directly, because they are "included" elsewhere through the PHP include function.
The objective, in this case, was to reach my SQL database by exploiting line X of the file yyy.php, which contains a SQL query (mysqli_query()).
The line
Access denied for user 'root'@'localhost' (using password: NO)
tells us that the attempt was made without credentials, or with the default username and password.
If my SQL database had not been password protected, the intruder would have got in.
Although it is quite unlikely that anyone runs a database not adequately protected by a password, to rule this out it was enough to disable directory indexing for this and the other folders where these "included" PHP files reside.
That way the wrongdoer cannot learn the names of the PHP files in the folder, and cannot attempt to force access to any of them.
To disable indexing, just add the following line to the .htaccess file in that folder:
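Both symptoms described above, the burst of 404s on well-known login and registration paths and the "Access denied for user 'root'" warning in the PHP error log, can be picked out of the logs automatically. The script below is an added example, not part of the original post or of any particular control panel; the log lines in it are constructed samples in Apache combined-log and PHP error-log format, and the IP addresses, file paths and thresholds are assumptions. It flags clients that hit several of the probed paths with a 404, and extracts file, line and credential details from every database access denial it finds.

```python
import re
from collections import defaultdict

# Constructed sample Apache access log (not from the original post).
ACCESS_LOG = """\
203.0.113.7 - - [09/Dec/2012:15:30:01 +0100] "GET /wp-login.php HTTP/1.1" 404 209
203.0.113.7 - - [09/Dec/2012:15:30:02 +0100] "GET /administrator/ HTTP/1.1" 404 209
203.0.113.7 - - [09/Dec/2012:15:30:02 +0100] "GET //admin.php HTTP/1.1" 404 209
203.0.113.7 - - [09/Dec/2012:15:30:03 +0100] "GET /register.php HTTP/1.1" 404 209
198.51.100.20 - - [09/Dec/2012:15:31:10 +0100] "GET /index.php HTTP/1.1" 200 5120
198.51.100.20 - - [09/Dec/2012:15:31:12 +0100] "GET /images/logo.png HTTP/1.1" 404 209
"""

# Constructed sample PHP error log (paths and line numbers are made up).
PHP_LOG = """\
[09-Dec-2012 15:35:45 Europe/Berlin] PHP Warning:  mysql_query() [<a href='function.mysql-query'>function.mysql-query</a>]: Access denied for user 'root'@'localhost' (using password: NO) in /var/www/includes/db.php on line 12
[09-Dec-2012 15:40:00 Europe/Berlin] PHP Notice:  Undefined index: page in /var/www/index.php on line 3
"""

# The paths the post saw being probed; bots try these on every host they find.
PROBE_PATHS = {
    "/undefined", "/crossdomain.xml", "/signup", "/signup.php", "/register.php",
    "/wp-login.php", "/administrator/", "/guestbook//admin.php", "/signup/",
    "//admin.php", "/member/register", "/join.php", "/account/register.php",
    "/shop", "/login.aspx",
}

# Apache common/combined log format: client, identd, user, [timestamp], "request", status, size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_probing_ips(log_text, threshold=3):
    """Return {ip: [probed paths]} for clients that got a 404 on at least
    `threshold` of the known probe paths. Ordinary broken links (a missing
    image, say) are not counted, because they are not in PROBE_PATHS."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m.group("status") != "404":
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path in PROBE_PATHS:
            hits[m.group("ip")].append(path)
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}


# MySQL's access-denied message as PHP writes it into the error log.
PHP_DENIED_RE = re.compile(
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: (?P<pw>YES|NO)\) in (?P<file>\S+) on line (?P<line>\d+)"
)


def find_db_access_denials(log_text):
    """Return one dict per 'Access denied' warning: which user/host was tried,
    whether a password was supplied at all, and which file and line issued
    the query. A denial with no_password=True and user 'root' is exactly the
    default-credentials attempt described in the post."""
    findings = []
    for line in log_text.splitlines():
        m = PHP_DENIED_RE.search(line)
        if m:
            d = m.groupdict()
            d["no_password"] = d.pop("pw") == "NO"
            d["line"] = int(d["line"])
            findings.append(d)
    return findings


if __name__ == "__main__":
    for ip, paths in find_probing_ips(ACCESS_LOG).items():
        print(f"probing client {ip}: {len(paths)} known probe paths -> {paths}")
    for f in find_db_access_denials(PHP_LOG):
        print(f"DB access denied for {f['user']}@{f['host']} "
              f"(no password: {f['no_password']}) from {f['file']}:{f['line']}")
```

Run it against a real access log and error log by replacing the two sample strings with the file contents; the 404 check deliberately counts only the known probe paths, so a visitor following one stale link is never reported, while a scanner walking the whole list is.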
Options -Indexes
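As an added example (not the post's own configuration), here is a complete .htaccess for the folder that holds the "included" PHP files. It combines the post's `Options -Indexes` with a second directive that refuses direct HTTP requests to that folder altogether, which is what actually stops the attempt shown in the log: `include()` reads the file from disk, so the front page keeps working while nobody can reach the database code over the web. The folder name and the Apache version are assumptions.

```apacheconf
# .htaccess inside the folder of "included" PHP files (e.g. /includes)

# 1. No directory listing, as described in the post: a visitor requesting
#    the folder itself gets 403 instead of a list of file names.
Options -Indexes

# 2. Refuse every direct HTTP request for files in this folder.
#    index.php still works, because include() reads from the filesystem,
#    not through the web server.
#    Apache 2.4:
Require all denied
#    Apache 2.2 equivalent (use instead of the line above):
#    Order deny,allow
#    Deny from all
```

For these directives to be honoured from a .htaccess file, the server's main configuration must allow overrides for that directory (`AllowOverride All`, or at least `Options` and `AuthConfig`); if overrides are disabled, the same lines go in a `<Directory>` block in the virtual host instead. After the change, the earlier "Access denied for user 'root'" warning can no longer appear for that folder, because the request is rejected before PHP runs.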
After making this change, the server log no longer reported "suspicious" accesses like the one above.
Any other advice that helps increase the security of our sites is welcome!