Nowadays it is common for websites to get hacked or infected with malware. Every day millions of websites are hacked and then blocked by Google. In many cases the hacker or the malware adds malicious code to your HTML or PHP files, edits your .htaccess file, adds or edits records in your MySQL database, and sometimes even deletes all records from the database tables with a TRUNCATE TABLE command. They also upload files to the web server. How is it possible to upload files, edit the database or change files without knowing the passwords? Yes, it is possible for hackers, because they are the best at what they do.
The following are a few of my findings on how to stop hacking, although the hackers themselves could say better how to protect against them.
Protect through .htaccess file
An .htaccess file contains configuration directives that customize the Apache web server, per directory, according to the user's requirements.
Disable PHP register_globals
Some web servers allow the user to change PHP settings through the .htaccess file. If your host provides this option, you can disable register_globals through .htaccess. Write the following line at the top of your .htaccess file. If you see a 500 Internal Server Error after adding it, remove the line from your .htaccess file again.
php_flag register_globals off
Turn off Server Signature
It is better to turn off the server signature, so that a hacker gets less information about your server.
ServerSignature Off
Disable Directory Listing
It is best practice to disable directory listing. If fancy indexing is enabled, it should be disabled as well. Fancy indexing displays file size, type, modification date, etc.
Options -Indexes
IndexOptions -FancyIndexing
Deny access to Directories
You can create a separate .htaccess file and upload it to the folders to which you want to deny access.
Order Deny,Allow
Deny from all
Disallow access to specific files
You can protect your config files and other important files by adding the following to your .htaccess file.
<files .htaccess>
order allow,deny
deny from all
</files>
<files php.ini>
order allow,deny
deny from all
</files>
<files config.php>
order allow,deny
deny from all
</files>
Upload Directory
If you give your users the option to upload files, there is a greater chance that your site will be hacked or infected with malware. In that case, create the following .htaccess file and save it in the directory that holds the user-uploaded files; it denies everything except image files with simple names.
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>
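The snippet above only controls which files are served. A stricter version of the same idea, written here as an added example (it is not part of the original post), also makes sure Apache never executes a script that ends up in the upload directory, even one whose name passes the image pattern. It assumes Apache 2.4 (Require syntax) with mod_php, mod_mime and mod_headers available; the allowed extensions are chosen for illustration.

```apache
# Added example, not from the original post: hardened .htaccess for a
# directory of user uploads (Apache 2.4 syntax assumed).

# Default: nothing in this directory may be served.
Require all denied

# Only image files with simple names are served. The name is anchored, but
# "photo.php.jpg" still matches, so the handler removal below is what keeps
# such a file from ever being executed.
<FilesMatch "^[A-Za-z0-9_-]+\.(gif|jpe?g|png)$">
    Require all granted
</FilesMatch>

# Even if a script file lands here, Apache must treat it as plain data:
# switch off the PHP engine for this directory (mod_php) ...
php_flag engine off
# ... and drop the handlers and MIME types that would otherwise run it
# (covers hosts that execute PHP through a handler rather than mod_php).
RemoveHandler .php .phtml .php3 .php4 .php5 .phar
RemoveType .php .phtml .php3 .php4 .php5 .phar

# Stop browsers from guessing a content type from the file's bytes
# (requires mod_headers).
Header set X-Content-Type-Options "nosniff"

# A listing of uploaded files is never wanted.
Options -Indexes
```

If your host refuses php_flag in .htaccess (500 Internal Server Error, as noted above), keep the RemoveHandler and RemoveType lines; they are what matters most.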
Preventing hotlinking
The RewriteRule on its own would return 403 Forbidden for every request to these files, so it has to be preceded by conditions that let through requests without a Referer header and requests from your own site (replace domain.com with your domain):
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com/ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F]
URL Rewrite or SEO Friendly URL
It is best practice to use SEO-friendly URLs. If your page URL is
http://www.domain.com/product.php?id=9
then the hacker can easily attack your database through the id parameter, so you can change your URL to something like
http://www.domain.com/product/9/
or
http://www.domain.com/product-9/
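Below is an added example (not from the original post) of the mod_rewrite rules that map both friendly URL forms above onto product.php. It assumes mod_rewrite is enabled and AllowOverride permits it in this directory; product.php and the id parameter come from the post, everything else is illustrative. Note the caveat: rewriting only changes what the visitor sees, and product.php still receives id and must validate it (for example by casting to an integer and using a prepared statement, which the next part of this post covers). The digit-only pattern in the rule at least guarantees that nothing but a number can reach the script through the friendly URL.

```apache
# Added example, not from the original post: friendly URLs for product.php.
RewriteEngine On
RewriteBase /

# /product/9/  ->  /product.php?id=9
# The pattern accepts digits only, so a non-numeric value can never be
# passed through the friendly URL. [L] stops further rule processing,
# [QSA] keeps any additional query string.
RewriteRule ^product/([0-9]+)/?$ product.php?id=$1 [L,QSA]

# /product-9/  ->  /product.php?id=9 (same restriction)
RewriteRule ^product-([0-9]+)/?$ product.php?id=$1 [L,QSA]

# Optional: refuse direct requests in the old form, so the only way to reach
# product.php is through the rules above. %{THE_REQUEST} is the raw request
# line and is not changed by the internal rewrite, so this cannot loop.
RewriteCond %{THE_REQUEST} \s/product\.php\?id= [NC]
RewriteRule ^product\.php$ - [F]
```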
So your final .htaccess file will look something like this:
php_flag register_globals off
RewriteEngine on
RewriteBase /
ServerSignature Off
# hotlink protection: let through empty referers and requests from your own site
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com/ [NC]
# note: keeping php in this list also blocks visitors who follow a link from another site
RewriteRule \.(gif|jpg|png|js|css|php)$ - [F]
Options -Indexes
IndexOptions -FancyIndexing
# URL Rewrite code goes here
<files .htaccess>
order allow,deny
deny from all
</files>
Continue to the next part to learn about SQL injection and other protection methods such as file and folder permissions, and client-side and server-side validation.