Recommendation of three methods to enhance CMS Security

Since web development, the author often receives security upgrades for other websites. Most of these jobs are websites built by zhimeng cms, this problem is caused by attacks. I would like to comment out some simple and effective security practices for my website built using zhimeng cms.

1. Change the prefix wildcard of a database table

The prefix wildcard here is not the prefix of the database table name entered during installation, but the "# @ _" string in the system source code.

I once saw a lot of unknown files in my hacked website and wrote a lot of code for direct database operations, in this case, the operations on the table contain the "# @ _" string. If we modify the "# @ _" string in the source code, these unknown files will not work.

2. Change the name of the background management directory

Hackers usually use SQL injection to crack the account and password of the website's background administrator. Then, they log on to the background and upload Trojans to obtain the privilege of webshell until they have full control over the entire website. If we can modify the table name of the Administrator table and the management Directory Name of the website background, hackers will not be able to crack the Administrator account of the website, even if they have obtained the Administrator account, or you may not be able to log on because you cannot know the website background management directory.

Do not use admin or manager keywords to modify the Administrator table name and background management directory, which greatly increases the difficulty of hacker cracking. Note that you must modify the table name in the source code after modifying the Administrator table name in the database. Zhimeng V5.7 has a total of 27 changes to be modified. You can search for "dede_admin" to replace the changes.

3. Configure the initial connection to the database

The database connection information is recorded in the data/common. inc. php file of zhimeng, which is in plain text and insecure. The following describes two methods to make it safer.

(1) Add multiple variables (dozens or even hundreds). Only six of these variables actually work, and others are used to disrupt hacker judgment.

(2) Data Encryption. However, webmasters need certain programming technologies. Either method needs to be modified in the database initialization class, but the first method requires only a few variable names, which is much simpler.

The above three methods play an important role in the security of the CMS system, and many webmasters and friends have no way to improve website security. I hope this article will be helpful to webmasters and friends for their website security!

Note the following points:

1. After the installation is complete, delete the member, special, and install folders in the root directory.
2. Set uploads, images, data, and templets to be readable and writable and not executable.
3. Set include, plus, and background files (dede by default). readable and executable files cannot be written.
4. Set data/common. inc. php read-only
5. Disable background watermarks
6. Set the 404 page

Articles you may be interested in

• DedeCMS (zhimeng) website Server Directory Security Settings Experience Sharing
• How to enhance the security of Linux and Unix server systems
• PHP object-oriented tutorials
• PHP is the safest and most practical solution to determine the type of uploaded files
• Solution to the upload filetype not allow error in dedeCMS image uploading
• How to Use constants defined by define in a program in a smarty Template
• How to remove ads on the dedeCMS background login page
• Comparison and Analysis of string encoding functions escape, encodeURI, and encodeURIComponent in javascript