Hardening a DedeCMS ("Weave Dream") website against webshell injection ("hanging a horse")

Source: Internet
Author: User

DedeCMS is one of the most widely used CMSs in China, and vulnerabilities in it surface constantly. Every one of them has a wide impact: at the light end, injected adverts and pop-ups; at the heavy end, the server becomes a bot ("meat machine") and valuable data is lost. So what can be done to make a DedeCMS site safer?

First, why do PHP programs leak so often? Much of it follows from how PHP programs are built. Code reuse is low, so program structure is convoluted and redundant code is everywhere; that both breeds vulnerabilities and makes them harder to patch. PHP programs are simple and usually open source, so anyone can read the code and hunt for holes, which is why vulnerabilities are found, fixed, found again, in an endless cycle. And the popular PHP systems of today use files as their cache, which forces write permission to be granted on the file system; that is unquestionably the weak point of PHP systems. Apart from a small number of "injection" attacks, most attacks on PHP systems today go through some vulnerability in the system to write a one-line webshell (a "one-sentence Trojan", typically something like <?php @eval($_POST['x']); ?>) into a writable file, and obtain a shell that way.

Website security has always rested on three things working together: server configuration, file permission control, and the website program itself. Today we look mainly at what can be changed in the DedeCMS program to improve security. "Executable files must not be writable; writable files must not be accessible" is the fundamental principle of site permission control, and the website program can do a lot on the "writable files must not be accessible" side. Taking DedeCMS as the example, we can protect it in the following ways.
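The permission principle above is easy to state and easy to violate in practice. The script below is an added example (not code from the article or from DedeCMS): it audits a web root for both halves of the rule, served PHP that is writable and writable directories that are still served as code, and then applies the fix. The sample tree it builds is constructed for the demo and only copies DedeCMS's directory names; the .htaccess rule is an Apache assumption (nginx needs an equivalent location block refusing .php under data/ and uploads/), and the world-writable test stands in for "writable by the web server user".

```shell
#!/bin/sh
# Added example, not from the original article: audit a web root against
# "served code must not be writable" and "writable locations must not be
# served as code", then remediate. make_sample_root builds a constructed
# DedeCMS-like tree; the .htaccess rule is an Apache-specific assumption.
set -eu

# World-writable directories under the web root. In a real audit, test for
# "writable by the web server user" instead (e.g. sudo -u www-data test -w).
writable_dirs() {                 # $1 = web root
    find "$1" -mindepth 1 -type d -perm -0002 | sort
}

# Served PHP files that are writable: any write primitive turns them into a
# webshell, so this count should be zero.
writable_php_files() {            # $1 = web root; prints a count
    find "$1" -type f -name '*.php' -perm -0002 | wc -l | tr -d ' '
}

# PHP files sitting directly inside a writable directory: the "one-line
# trojan in a writable file" case the article describes.
php_in_writable_dirs() {          # $1 = web root; prints a count
    writable_dirs "$1" | while read -r d; do
        find "$d" -maxdepth 1 -type f -name '*.php'
    done | wc -l | tr -d ' '
}

# Writable directories that still lack a rule stopping PHP execution there.
writable_dirs_without_deny() {    # $1 = web root; prints a count
    writable_dirs "$1" | while read -r d; do
        grep -qs 'php_flag engine off' "$d/.htaccess" || printf '%s\n' "$d"
    done | wc -l | tr -d ' '
}

# Remediation: code becomes read-only, and every directory that must stay
# writable gets a rule that makes the server treat .php in it as inert.
harden() {                        # $1 = web root
    find "$1" -type f -name '*.php' -perm -0002 -exec chmod 644 {} +
    writable_dirs "$1" | while read -r d; do
        printf 'php_flag engine off\nRemoveHandler .php .phtml\n' > "$d/.htaccess"
    done
}

# Constructed sample: a DedeCMS-like layout with two deliberate mistakes.
# Permissions are set explicitly so the result does not depend on umask.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/data/cache" "$root/uploads" "$root/include"
    printf '<?php echo "ok"; ?>\n' > "$root/index.php"
    printf '<?php echo "cfg"; ?>\n' > "$root/include/common.inc.php"
    # Mistake 1: a one-line webshell dropped into the writable cache dir.
    printf '<?php @eval($_POST["x"]); ?>\n' > "$root/data/cache/t.php"
    chmod 755 "$root/include"
    chmod 644 "$root/include/common.inc.php" "$root/data/cache/t.php"
    chmod 777 "$root/data" "$root/data/cache" "$root/uploads"
    # Mistake 2: served code that is writable.
    chmod 666 "$root/index.php"
    printf '%s\n' "$root"
}

if [ "${1:-}" = "--demo" ]; then
    r=$(make_sample_root)
    echo "writable PHP files:           $(writable_php_files "$r")"
    echo "PHP inside writable dirs:     $(php_in_writable_dirs "$r")"
    echo "writable dirs without deny:   $(writable_dirs_without_deny "$r")"
    harden "$r"
    echo "after harden, without deny:   $(writable_dirs_without_deny "$r")"
    echo "after harden, writable PHP:   $(writable_php_files "$r")"
    rm -rf "$r"
fi
```

Run it with --demo to see the audit before and after hardening. Note that harden does not delete the planted t.php; it makes the file inert by refusing to execute PHP from the writable directory, which is exactly the "writable files must not be accessible" half of the rule. Finding and removing the dropped file is a separate clean-up step.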

1. Rename the data directory in the site root, or move it outside the web directory. data is the messiest directory: the system constantly writes into it, and every file under it can be reached through a URL. To keep browsers from reaching the files inside it, rename the directory or move it outside the website directory. Then even if someone manages to write a one-line webshell into a file there through some vulnerability, they cannot find the file's path and cannot extend the attack. Because the DedeCMS program is not structured sensibly, renaming the data directory is a fairly large job. The specific method is as follows:

A. Move the content that must stay exposed (RSS, sitemap, JS, enum, and so on) into a pub directory (or another directory of your choosing). This step requires moving the folders and changing the build path for those files.

B. Fix the references in the program. Search for DEDEDATA."/data/" and replace it with DEDEDATA."/" (roughly fifty or sixty places); likewise search for $DEDEDATA."/data/" and replace it with $DEDEDATA."/" (again roughly fifty or sixty places); then search for "/data/" and, case by case, change the remaining paths to the form $DEDEDATA."/". (Note that both the include directory and the back-end management directory have their own data folder; references to those must not be changed.)

C. Rename the data folder, change the value of DEDEDATA in include/common.inc.php to match, and then change the template cache directory under the system settings in the back end. That completes the change. The same procedure can be followed to rename the data folder again later.

2. Rename the "dede" management directory and harden it. Once the back end is hidden, even someone who has obtained your administrator account and password still cannot log in.

A. In /dede/config.php, find the following lines:

    // Verify user login status
    $cuserLogin = new userLogin();
    if($cuserLogin->getUserID()==-1)
    {
        header("location:login.php?gotopage=".urlencode($dedeNowurl));
        exit();
    }

Replace the above code with the following:

    // Verify user login status
    $cuserLogin = new userLogin();
    if($cuserLogin->getUserID()==-1)
    {
        header("HTTP/1.0 404 Not Found");
        exit();
    }

B. Rename /dede/login.php, and change the form submission address in /dede/templets/login.htm to match.

C. Rename the /dede/ directory itself. Now, before logging in, others can only reach the renamed login.php address; any other address in the back end returns a 404 error.
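Steps A to C are three edits that must agree with each other: the form in login.htm has to post to the renamed login script, and the 404 in config.php has to replace the redirect, otherwise the redirect itself tells an attacker where the login page lives. The script below is an added example (not the article's or DedeCMS's own code) that applies all three with unguessable names and verifies each edit took. The config.php text it matches is the check quoted above; the form action action="login.php" in templets/login.htm is an assumption about the template, and the sample tree is constructed for the demo.

```shell
#!/bin/sh
# Added example, not the article's own code: hide the DedeCMS back end by
# renaming dede/ and login.php to unguessable names, fixing the login
# form's action to match, and replacing the redirect-to-login in
# config.php with a 404. config.php lines matched below are the ones the
# article quotes; action="login.php" in templets/login.htm is an assumption.
set -eu

rand_name() {                     # 10 lowercase alphanumerics from urandom
    LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 10
}

# $1 = web root, $2 = new admin dir name, $3 = new login script file name
hide_admin() {
    root=$1; newdir=$2; newlogin=$3
    [ -d "$root/dede" ] || { echo "no dede/ under $root" >&2; return 1; }
    [ ! -e "$root/$newdir" ] || { echo "$newdir already exists" >&2; return 1; }
    mv "$root/dede" "$root/$newdir"                                   # step C
    mv "$root/$newdir/login.php" "$root/$newdir/$newlogin"            # step B
    # Step B: the form must post to the renamed script.
    sed -i.bak "s|action=\"login\.php\"|action=\"$newlogin\"|" \
        "$root/$newdir/templets/login.htm"
    # Step A: unauthenticated hits on any other admin page get a 404 rather
    # than a redirect that reveals the login page's location.
    sed -i.bak 's|header("location:login\.php?gotopage="\.urlencode(\$dedeNowurl));|header("HTTP/1.0 404 Not Found");|' \
        "$root/$newdir/config.php"
    rm -f "$root/$newdir/templets/login.htm.bak" "$root/$newdir/config.php.bak"
    # Verify both sed edits took; a no-op means the file differs from the
    # expected text and needs a hand edit.
    grep -q "action=\"$newlogin\"" "$root/$newdir/templets/login.htm" &&
    grep -q 'HTTP/1.0 404 Not Found' "$root/$newdir/config.php" &&
    ! grep -q 'location:login.php' "$root/$newdir/config.php"
}

# Constructed sample: config.php carries the article's original check,
# login.htm is a minimal stand-in for the real template.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/dede/templets"
    cat > "$root/dede/config.php" <<'EOF'
<?php
// Verify user login status
$cuserLogin = new userLogin();
if($cuserLogin->getUserID()==-1)
{
    header("location:login.php?gotopage=".urlencode($dedeNowurl));
    exit();
}
EOF
    printf '<?php echo "login page"; ?>\n' > "$root/dede/login.php"
    printf '<form action="login.php" method="post"></form>\n' > "$root/dede/templets/login.htm"
    printf '%s\n' "$root"
}

if [ "${1:-}" = "--demo" ]; then
    r=$(make_sample_root)
    d="admin_$(rand_name)"; l="login_$(rand_name).php"
    hide_admin "$r" "$d" "$l"
    echo "back end is now at /$d/, login page at /$d/$l"
    cat "$r/$d/config.php"
    rm -rf "$r"
fi
```

Record the two generated names somewhere outside the web root; after this change there is no redirect to rediscover the login page from, which is the point of the 404.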

Of course, after this hardening, later DedeCMS upgrades will be more troublesome, since upgrade packages assume the original directory names and paths and the changes above have to be reapplied.

...
