Securing Your Website's CMS

PCQ Bureau

Sufyan bin Uzayr, Freelance Writer, Graphic Artist, Photographer, www.sufyan.co.nr

Of late, Content Management Systems (CMSs) have become the norm for creating a website, be it a corporate site, a blog or a portfolio. With each CMS trying to topple the competition and become the best in its league, users have a plethora of choices.

Apart from picking the ideal CMS for a given type of website, you also need to take those extra steps to secure your installation of the CMS of your choice. Of course, each CMS now comes with its own security settings — but more often than not, you also need to tweak such settings to make your website secure in the proper sense of the term.

In this article, we take a look at some of the security tips and tricks for several major CMSs.

WordPress

WP is one of the most popular CMSs out there. Naturally, its sheer popularity also makes it more prone to security issues. Here are some handy steps that you can take to secure your WP site.

1. Secure your directories

Many times, users install WordPress and leave its directories open for public browsing. This means that if you have installed a given theme or plugin, and a malicious hacker knows how to exploit that particular theme or plugin, it will be extremely easy to cause damage to your website. To avoid such a scenario, simply create an empty index.html file under the folder wp-content/plugins.

Alternatively, add Options All -Indexes to your .htaccess file.

2. Disallow unwanted SEO

SEO is always good, isn't it? Yes, it is — to a certain extent. Search engines should crawl your website: the content that you share on it, media files, and so on. However, when it comes to WP's own system files, you should ensure that search engine crawlers are not indexing them (otherwise it is simply an invitation for hackers to access your system files). The easiest way to do so is to add Disallow: /wp-* to your robots.txt file. Alternatively, if you wish to disallow access to your entire server, use this code (not recommended for search.php):


3. The wp-admin folder

You can consider limiting access to your wp-admin folder by restricting it to certain IPs via the .htaccess file. However, you should do so only if you do not have a dynamic IP yourself. You can also consider installing the Login Lockdown plugin from http://ld2.in/44p. The plugin records the IP address and timestamp of every failed login attempt, and can even block a certain IP address if multiple failed login attempts are detected from that location.

4. Eliminate version string from meta tags

WordPress is updated regularly to provide security patches and bug fixes. However, if you are using a localized version of WordPress, chances are that updates take their sweet time in reaching you. If this is the case and you are compelled to run an older version of WP, make sure you remove the version string from your WP Meta Tags, to avoid telling the world that your WP installation is still prone to a particular bug or security issue. To remove the version string, open header.php and eliminate the following:

5. Using shell access

FTP sends login credentials unencrypted. If you have SSH access, and know how to accomplish things via shell access, you should prefer it over FTP.

6. Database username and password

If you are worried about your database username and password, add the following line to your .htaccess file (top-most level of your WP installation):
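The WordPress tips above are all file-level settings, so they can be audited mechanically. The script below is an added example, not code from the article: it checks tips 1, 2, 4 and 6 against a WordPress document root. The function names are mine, and the form of the wp-config.php protection it looks for (a <Files wp-config.php> block with Deny from all) is an assumption, since the article's own line did not survive.

```python
# Added example, not from the article: audit a WordPress docroot for tips 1, 2, 4 and 6.
import glob
import os

def directives(htaccess):
    """Non-comment, non-blank lines of an .htaccess body, lower-cased."""
    return [l.strip().lower() for l in htaccess.splitlines()
            if l.strip() and not l.strip().startswith("#")]

def listing_disabled(htaccess, plugins_index_exists=False):
    """Tip 1: an index.html in wp-content/plugins, or 'Options ... -Indexes' in .htaccess."""
    if plugins_index_exists:
        return True
    return any(l.startswith("options") and "-indexes" in l.split()
               for l in directives(htaccess))

def robots_blocks_wp(robots):
    """Tip 2: robots.txt carries the 'Disallow: /wp-*' rule."""
    return any(l.strip().lower() == "disallow: /wp-*" for l in robots.splitlines())

def version_leaked(header_php):
    """Tip 4: the theme's header.php prints the WordPress version in a generator tag."""
    return "bloginfo('version')" in header_php or 'name="generator"' in header_php

def wpconfig_protected(htaccess):
    """Tip 6 (assumed form): a <Files wp-config.php> block containing 'Deny from all'."""
    inside = False
    for l in directives(htaccess):
        if l.startswith("<files") and "wp-config.php" in l:
            inside = True
        elif l.startswith("</files>"):
            inside = False
        elif inside and l == "deny from all":
            return True
    return False

def audit(docroot):
    """Run all four checks against the real files under a WordPress docroot."""
    def read(*parts):
        path = os.path.join(docroot, *parts)
        return open(path).read() if os.path.isfile(path) else ""
    htaccess = read(".htaccess")
    headers = glob.glob(os.path.join(docroot, "wp-content", "themes", "*", "header.php"))
    return {
        "directory listing disabled": listing_disabled(
            htaccess, os.path.isfile(os.path.join(docroot, "wp-content", "plugins", "index.html"))),
        "robots.txt hides /wp-*": robots_blocks_wp(read("robots.txt")),
        "no version string in theme headers": not any(version_leaked(read(h)) for h in headers),
        "wp-config.php denied in .htaccess": wpconfig_protected(htaccess),
    }
```

Call audit("/path/to/your/docroot") and fix every check that comes back False.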

TYPO3

TYPO3 is a CMS that caters strictly to organizations and businesses, though of late it is also being used to power news and magazine websites. Just like most other CMSs, TYPO3 too suffers from its share of security issues. However, unlike most other CMSs, TYPO3 attempts to solve them all by use of a single extension!

If you are using TYPO3, it is vital for you to install Security Check, a small and nimble extension of only 74 KB (zipped). You can download it from the official repository at http://ld2.in/44q.

Once installed, the extension helps you tackle as many as 40 common security issues — it can inform you about potential security loopholes, common tools and solutions, etc. The extension checks for numerous security issues, such as:

  • PHP.ini — open_basedir, error_log, etc.
  • Database — MySQL access level and password
  • localconf — LockSSL, encryption_key, SQL-debug, etc.
  • TYPO3 — backend, file access permissions, subversion files, etc.

Naturally, Security Check is one TYPO3 extension that you just cannot afford to ignore! Plus, if you need more help related to security, TYPO3 publishes a free Security Cookbook for its users. You can download one such version of the Cookbook here: http://ld2.in/44r (English, PDF).

CMS Made Simple

CMS Made Simple is another popular CMS meant for different types of websites.

1. Renaming the admin directory

In order to secure CMSMS, you can rename your admin directory, thereby making it difficult for malicious hackers to locate it. Once you have renamed it, make sure you change /config.php as follows:

$config['admin_dir'] = 'new-directory-name';

2. Protecting other directories

You can protect your /tmp and /uploads directories as follows:

Order deny,allow
Deny from all

Similar variations can be used for /lib as well.

3. Permission levels

When you are installing and/or upgrading CMSMS, your config.php file's permissions will need to be set to 777. However, as soon as you have installed or upgraded CMSMS, lower the file permissions to 444, or even 440 if need be.
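The three CMSMS steps above can be verified and applied with a short script. This is an added example, not the project's code: the function names and the 0o440 target mode are my choices; the admin_dir setting, the Deny from all .htaccess body and the 444/440 limits are the article's.

```python
# Added example, not from the article: check and apply the three CMSMS steps above.
import os
import re
import stat

DENY_ALL = "Order deny,allow\nDeny from all\n"   # the .htaccess body from step 2

def admin_dir(config_php):
    """Return the admin_dir set in config.php, or 'admin' (the default) if it is unset."""
    m = re.search(r"\$config\[['\"]admin_dir['\"]\]\s*=\s*['\"]([^'\"]+)['\"]", config_php)
    return m.group(1) if m else "admin"

def admin_dir_renamed(config_php):
    """Step 1: True only when the admin directory no longer uses the default name."""
    return admin_dir(config_php) != "admin"

def mode_issues(mode):
    """Step 3: problems with config.php's permission bits after install/upgrade."""
    issues = []
    if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
        issues.append("writable (should be read-only after install)")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        issues.append("executable (not needed)")
    if mode & stat.S_IROTH:
        issues.append("world-readable (444 allowed by the article, 440 is tighter)")
    return issues

def config_mode_acceptable(mode):
    """True for 444, 440 or anything tighter; False for 777 and any other writable mode."""
    return mode & 0o333 == 0

def harden(root, target_mode=0o440):
    """Apply step 2 (deny .htaccess in tmp/ and uploads/) and step 3 (chmod config.php).
    Returns the resulting mode of config.php."""
    for d in ("tmp", "uploads"):
        path = os.path.join(root, d, ".htaccess")
        if os.path.isdir(os.path.dirname(path)) and not os.path.exists(path):
            with open(path, "w") as f:
                f.write(DENY_ALL)
    cfg = os.path.join(root, "config.php")
    os.chmod(cfg, target_mode)
    return stat.S_IMODE(os.stat(cfg).st_mode)
```

Run harden("/path/to/cmsms") only after the install or upgrade has finished, since the installer needs config.php writable.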

Drupal

Drupal is well known as a super-secure CMS (it is used by websites such as The White House — it has to be secure, right?). There isn't much tweaking that you need to do in order to secure Drupal. However, for a start, try these ideas:

1. PHP Filters

Consider turning the PHP filter off. This way, you can be certain that it cannot be abused in an attack. And, just in case you need to run PHP code, you can use the devel module.

2. Permissions

Ensure that you specify separate privileges and permissions for anonymous and authenticated users under User Management.

3. Miscellaneous

Drupal comes with an effective spam-fighting measure in the form of Mollom (www.mollom.com). Make sure you have it on your site! Plus, you can use Acunetix (http://www.acunetix.com/) to assess and evaluate the security level of your website.

Joomla!

Joomla! comes packed with several security measures of its own, but there are many steps that you can take to enhance the security level of your Joomla!-powered website. We covered Joomla! security in detail a few months back. You can read the full article at http://ld2.in/44s.
