Security Tips :: phpLD Knowledge Base

Security Tips

Author: Boby

Added: February 24, 2006

Some hints and tips on security issues.

1) Passwords: Use strong passwords! Never share your password or keep them in unsafe place. Give passwords to everything you can, phpLD admin, database user, FTP access, everything.
To have a strong password, try to include some special characters like "$", "@", "&", "=", "+" or whatever else you want. Also use both lower- and uppercase characters. You password should not be shorter than 6 characters.

2) Backups: Only people who had once a really big problem because they did not backed up know what I am talking about. Make backups as often as you can, backup all your files each time you make a small change, backup also your database.

3) Permissions: Give only really needed permissions to files/folder. Unless the server is running as user "nobody" or simmilar, try to give files/folders the same username as the webserver is running. Do not use 666 or 777 permissions unless the script (.php) needs it. Usually it's good to run files/folders with permission set to 664 but also 755 or 775 is good.
If you are a security freak I can let you know that a regular script (.php) can run with permission set to 004 (others may read) if file owner is not the same like webserver user, if files/folders run under same user like the webserver you can give 400.
After an installation/upgrade, change file permission of your "include/config.php" file. Revoke writing permissions!
For phpLD-v3.0+ users, you can revoke writing permissions to sitemap and backup files too after you create them.

4) Files and Folders Protection: If your host supports ".htaccess" files you can easily protect some files and folders.
After a discussion in the phpLD3 supporters forum, we have found some good ways to protect template files (.tpl). First you can create an "index.php" file in your "templates" folder and use this code:

5) Unneeded Files: Most *NIX (Linux, *BSD) create by default file backups each time you modify something. This files are marked eighter as "~filename.ext" or "filename.ext~" (ext = extension). If you are running Cpanel or another editor you regulary won't have this issue, but you never know. Always try to remove this files, you really don't want to have an "index.php~" file in your DocumentRoot, because it's content can be seen by others.
A quick and dirty bash script that will remove these files is:

Quote:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang='en'>
<head>
<title>Redirecting...</title>
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Cache-Control" content="no-cache" />
<meta http-equiv="Expires" content="-1" />
<meta http-equiv="Cache-Control" content="no-cache" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="0; url=http://www.yourphpldsite.com/index.php" />
</head>
<body>
</body>
</html>

This will redirect a user browsing http://www.yourphpldsite.com/templates/ to your main page.
Another good method is to protect your .tpl files with ".htaccess"

Code:

# Protect template files
<Files ~ "\.(inc|inc.php|tpl)$">
Order deny,allow
Deny from all
</Files>

This will stop anyone from looking at your http://www.yourphpldsite.com/templates/main.tpl file for example.
To protect all directories you can eighter create in each directory you want to protect a ".htaccess" with following code:

Code:

Deny from all

...or you can redirect users browsing directories they shouldn't have to your main page by using this code in your main ".htaccess" file:

Quote:

If you have not installed phpLD in a folder, remove the highlighted part of code.

Code:

find /your_path -name "*~*" -exec rm -f '{}' \;

If you have other tips, feel free to post them or comment on mine

Boby