I’d like to consolidate a list of security best practices.
To begin with, we can tighten up the permissions on non-DSO systems. I have been testing with the following changes and have had no problems.
[COLOR=“Red”]NOTE: This is only for non-DSO PHP setups[/COLOR]
Change the permissions on newly-created files and directories in config.php prior to running installation:
```php
// Default permissions for newly created files and directories
define('DEFAULT_FILE_PERMISSIONS', 0644);
define('DEFAULT_DIR_PERMISSIONS', 0755);
```

[B]You will need to change this after each upgrade, as well.[/B]

Based on recommendations made by Spiral and other research, I have tightened the file permissions. This will fix files previously created with the looser permissions.

If you have shell access you can run the following commands from the [B][COLOR="Red"]root directory of your store[/COLOR][/B]:
```bash
find . -type d -exec chmod 755 {} \;
find . -type f ! -name "*.php" -exec chmod 644 {} \;
find . -type f -name "*.php" -exec chmod 600 {} \;
```

[B]You will also need to execute these commands after each update to fix permissions on the upgrade files downloaded to your cart.[/B]

I have had no issues since doing this but you might want to try this first on a test installation. [B][COLOR="Red"]At the very least, make sure you backup your files first to make recovery easy.[/COLOR][/B]

Noman posted the following suggestions - all worth consideration:
[QUOTE]Use VPS or Dedicated boxes. AVOID SHARED HOSTING. Full stop here.
Do not install additional scripts within CS Cart directory as they can already have security bugs or will have.
Understand CHMOD and HTACCESS [educate yourself here]
Use SSL for Admin section and customer registration/login. It's 10bucks!
Do not use CS backup ever! Use the hosting CP to backup entire public_html+DB to your local PC.
Get a static IP for your home or office and make use of Store Access in CS. Limit access to Admin from well known IPs only!
Change admin.php to something like: hatehackersfcukers.php and then update the config file.
Use secure FTP only for uploading your stuff.
Make your password difficult. My one is: %I{7$cRi1g6c(80.
Save your password on the local PC and encrypt the folder and files inside. In XP+ use right click, Properties -> Advanced -> Encrypt ..... OK. Is it green? Good. Trojans will be useless.
Be suspicious when receiving admin emails from your own website! Check the link!
If you use POP3 to download emails, use a secure connection on port 995 instead of 110.
Uninstall modules you don't need.
Remove skins you don't need.
Use Firefox in Private Browsing mode. Don't use password managers!
Pray every morning and eat healthy food![/QUOTE]

What other suggestions do people have? Please no lengthy sermons or diatribes (especially about development), just some solid action items that individual storeowners can implement.

Bob
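The chmod commands above fix permissions but do not tell you what drifted after an upgrade. The following audit helper is an added example, not code from the original post or from CS-Cart: it lists every path under the store root whose mode deviates from that policy (directories 755, *.php 600, everything else 644) without changing anything, so it can be run before and after each update. It assumes the same non-DSO setup the post describes, where PHP runs as the file owner and 600 on .php files is therefore workable.

```bash
#!/bin/sh
# Added audit helper (not part of the original post). Read-only: it reports
# deviations from the policy set by the chmod commands above and changes
# nothing. Assumes a non-DSO PHP setup (PHP runs as the file owner), as the
# post states; under DSO (mod_php running as the web server user) 600 on
# .php files would make the store unreadable to the web server.

# Print every deviating path, one per line, prefixed with the expected mode.
audit_perms() {
    dir=${1:-.}
    # Directories that are not rwxr-xr-x (755); -perm with no +/- is an exact match.
    find "$dir" -type d ! -perm 755 -print | sed 's/^/expect 755: /'
    # PHP sources that are not rw------- (600): readable only by the owner.
    find "$dir" -type f -name '*.php' ! -perm 600 -print | sed 's/^/expect 600: /'
    # Everything else (images, css, js, templates) that is not rw-r--r-- (644).
    find "$dir" -type f ! -name '*.php' ! -perm 644 -print | sed 's/^/expect 644: /'
}

# Number of deviating paths; prints 0 when the tree matches the policy.
count_violations() {
    audit_perms "$1" | wc -l | tr -d ' '
}
```

Source the file and run `audit_perms /path/to/store`; an empty listing means the tree matches the policy, otherwise the listed paths are the ones the chmod commands above will correct.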
CHECK YOUR LOGS (I'm guilty of not doing this often enough)
Block IP addresses from China, Russia and Africa if you do not do business with these areas (there are services you can sign up for to assist in doing this).
Make it a habit to change your passwords every 30 to 90 days
Well as far as your post itself goes, I agree with pretty much everything you said …
However, just a footnote looking at your signature information …
If your signature is correct with your current system specs then I would strongly recommend you see about getting your PHP version updated. PHP 5.2.8 had a substantial amount of security issues more so than others and I would avoid using that particular version.
Best with CS-Cart currently right now would be PHP 5.2.11 or PHP 5.2.12
***NOTE: Do not upgrade to PHP 5.3+ ---- Doesn’t play happy with CS-Cart ***
Your Apache and MySQL are also significantly outdated, though from a security standpoint not as critical of upgrades as your PHP version would be in this particular case.
Anyway though the not so subtle point I am appending to all you said is that the underlying server software is also just as important to security as your web scripts and everything you mentioned in your post. Both sides are important.
Thanks for pointing that out. The info in my sig was incorrect (including the CS-Cart version) but your point is well-taken - stay on top of server software updates.
Thanks for that. It's a long list to add, so could this have any effect on server speed or site performance? My .htaccess is already rather large :-)
Not really, unless your htaccess file is xxMB big.
Especially after someone said it has a CRACKER attack.
The correct name is not HACKER, but CRACKER.
Maybe Black Hat Hacker, if you want to call this "kind" of person something that is not a BAD WORD.
I will take a look at all this.
One thing that a lot of people said is: TAKE A LOOK at your own computer security.
Especially people who use MICROSOFT'S O.S.
For this kind of thing, VISA, MASTERCARD and AMEX do not allow companies (at least here in Brazil) to keep CLIENTS' CREDIT CARD NUMBERS.
BACKUP:
We talk a lot about backup.
But when we have a backup on our computer and the cracker accesses it, he can get all the information from our OWN computer and not just from the HOSTING SERVER.
So, after I get all files from a computer, I will not the USERS AND PASS from a lot of things.
SO, WE HAVE RESPONSIBILITY WHEN WE ARE WORKING with data from our clients.
Use VPS or Dedicated boxes. AVOID SHARED HOSTING. Full stop here. [COLOR=Red](not true)[/COLOR]
Do not install additional scripts within CS Cart directory as they can already have security bugs or will have. [COLOR=Red](sure, if you will try to use some s**** scripts)[/COLOR]
Use SSL for Admin section and customer registration/login. It's 10bucks!
Do not use CS backup ever! Use the hosting CP to backup entire public_html+DB to your local PC.
Get a static IP for your home or office and make use of Store Access in CS. [COLOR=Red](not really necessary and cost effective)[/COLOR]
Limit access to Admin from well known IPs only!
Change admin.php to something like: hatehackersfcukers.php and then update the config file.
Use secure FTP only for uploading your stuff. [COLOR=Red](true, but better you check your computer of trojans)[/COLOR]
Make your password difficult. My one is: %I{7$cRi1g6c(80. [COLOR=Red](true)[/COLOR]
Uninstall modules you don't need.
Indy, you always want to fight with me Ehh all women!
[COLOR="Red"]Use VPS or Dedicated boxes. AVOID SHARED HOSTING. Full stop here. (not true)[/COLOR]
I could write long stories here why to avoid shared hosting when running your own e-com-business. I used to be with resellerspanel.com and had more than a dozen clients. Even plain HTML websites were hacked. On php CMS scripts, performance was c.r.a.p. No more than 3% of CPU and 32Mb memory. Also, downtimes far too often. What the hell? We have 21st century! Now, I have my own dedi box, more clients and nothing is happening. And as you Indy already know, you can get a VPS for £10. Is that bad?
[COLOR="red"]- Do not install additional scripts within CS Cart directory as they can already have security bugs or will have. (sure, if you will try to use some s**** scripts)[/COLOR]
Well, try to install Joomla or Typo3 and do not update it for a year. You'll see. Do you call these shi...tty scripts? The list of apparently good, but "soon to be" hackable scripts is long.
[COLOR="red"]- Get a static IP for your home or office and make use of Store Access in CS. (not really necessary and cost effective)[/COLOR]
Can't you see any benefits of blocking Admin access to specific IPs only? These days, static IPs are free in the UK with many ISPs. I have BE for £17.99 24Mbs/1.5Mbs + static IP free. Not bad. Some of the ISPs will charge extra £2 per month. The question is - as a business owner, how far will you go to save on security and hosting and how much will this cost you later?
[COLOR="red"]- Use secure FTP only for uploading your stuff. (true, but better you check your computer of trojans)[/COLOR]
FTPS is for avoiding sniffing on the TCP protocol from one location to another, and even on your own network from an infected computer.
To secure your desktop PC with XP and below, I have very good experience with Avast Pro [great boot scan! mode] and script blocking, Malwarebytes.org to remove the unwanted ones, and Cure IT in an emergency. Use Firefox with WOT and things will improve.
One thing, the e-commerce business is like any other business and you must invest your money and time. The general rule is: less money invested, more time wasted.
The title of this thread is “Improving your site’s security - [COLOR=“Red”]Best Practice[/COLOR]”. There is no question you can run CS-Cart with less but the point is to identify how to make your cart as secure as possible - this will always be more expensive than the least-cost solution.
This thread is really designed to be a guide for people to improve a site’s security - either starting out or as funds allow. I hope we will see additional contributions as more techniques are identified.
[quote name='Noman']Indy, you always want to fight with me Ehh all women!
[COLOR=Red]Use VPS or Dedicated boxes. AVOID SHARED HOSTING. Full stop here. (not true)[/COLOR]
I could write long stories here why to avoid shared hosting when running your own e-com-business. I used to be with resellerspanel.com and had more than a dozen clients. Even plain HTML websites were hacked. On php CMS scripts, performance was c.r.a.p. No more than 3% of CPU and 32Mb memory. Also, downtimes far too often. What the hell? We have 21st century! Now, I have my own dedi box, more clients and nothing is happening. And as you Indy already know, you can get a VPS for £10. Is that bad?
[/quote]
The hell can be a wrong hosting provider :rolleyes:
[quote name='jobosales']I'd like to consolidate a list of security best practices.
To begin with, we can tighten up the permissions on non-DSO systems. I have been testing with the following changes and have had no problems.
[COLOR="Red"]NOTE: This is only for non-DSO PHP setups[/COLOR]
Change the permissions on newly-created files and directories in config.php prior to running installation:
```php
// Default permissions for newly created files and directories
define('DEFAULT_FILE_PERMISSIONS', 0644);
define('DEFAULT_DIR_PERMISSIONS', 0755);
```
You will need to change this after each upgrade, as well.
Based on recommendations made by Spiral and other research, I have tightened the file permissions. This will fix files previously created with the looser permissions.
If you have shell access you can run the following commands from the [COLOR="Red"]root directory of your store[/COLOR]:
You will also need to execute these commands after each update to fix permissions on the upgrade files downloaded to your cart.
I have had no issues since doing this but you might want to try this first on a test installation. [COLOR="Red"]At the very least, make sure you backup your files first to make recovery easy.[/COLOR]
Noman posted the following suggestions - all worth consideration:
What other suggestions do people have? Please no lengthy sermons or diatribes (especially about development), just some solid action items that individual storeowners can implement.
This system is the most insecure, and the system for which they told you to use 777, though that is actually a bit too loose and really quite dangerous.
If you have access to use "chown" (mainly server owners) then I would set the ownership of files you need writable to the owner login and the group to "nobody", and then decrease the 777 permission to "660" on files you need writable.
For folders, I would do the same but set to "770" or "775". Though "755" could actually be used on some systems as long as the files beneath were set correctly writable.[/QUOTE]
Perhaps he will comment further here or you could contact him.