I know that being open source does not necessarily makes a program more/less secure than closed source (let’s assume this neutrality, to keep flames out of this post). Fact is: since the source code is open, everybody knows your defaults urls, default administrator logins, etc.
I’m using WordPress and Joomla in some projects of my clients, and I always try to create some kind of additional security. Excluding always updating your files to latest version, what do you usually do to add more security in this scenario? Some of my thoughts:
I always change the “admin” name when applicable;
I would like to don’t explicity say which technologies I’m using, but since I want to promote the cms (I think is the minimal I should do), I just don’t say the exact version so attackers don’t know which exact vulnerabilities they can attack (wordpress automatically creates a meta tag in html saying “WordPress 2.8.4” for example);
Set correct permissions in directories, and bash scripts in my server that run everyday at 0h setting 755 to directories I may have changed to 775 during the day and forgot to turn back;
When applicable, I set apache configuration to limit ips.
What else should I try to do? What “out of the box” solutions do you usually do to your installations?
Advertisement
Answer
Using something like the mod_security or mod_evasive Apache’s modules can be an idea too — I suppose they require some configuration, though ; and you should test you website still works OK before using those on your production server.
As they are Apache’s modules, it also requires you can install new Apache’s module — which means you have to be admin of the server.
On a pure PHP-level, there is a tool called PHP-IDS ; quoting its website :
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.
I suppose you could “plug” it in front of the CMS you are using, by adding a couple of lines to its entry point — if there is a common entry point you can identify, or some file that’s included once at the beginning of each page.
There is a “How to use it in my application?” entry in the FAQ.
And, like you said, securing your server is nice : no remote SQL access, for instance ; checking the provileges of each user on the system, too ; keeping your software up to date, …