Many novice users of DedeCMS (Dream Weaver CMS) will inevitably run into Trojan or webshell infections, so the website and server should be secured and backed up in advance.
As the country's first large open-source, free CMS, DedeCMS is inevitably a research target for many attackers, and in an already insecure Internet environment it is easily compromised. The DedeCMS developers stopped releasing version upgrades for this system long ago. Security is not only a matter of the program itself; we also need daily backups and server security precautions.
Enough preamble. Below is a collection of the more commonly used measures:
First Step:
After installing DedeCMS, be sure to delete the install folder.
Second Step:
Enable the verification code (CAPTCHA) for the backend login, or write your own security mechanism. Delete the default administrator account admin and replace it with a dedicated, more complex account name. The administrator password must be long: at least 8 characters, mixing letters and numbers.
Further reading: tutorial on changing the default DedeCMS administrator account admin
Third Step:
Rename the default DedeCMS backend management directory, dede, to something irregular and hard to guess (and change it at irregular intervals).
Fourth Step:
Disable (or remove/delete) features you do not use, such as membership and comments; unless they are necessary, turn them all off in the backend.
Disable the membership feature: backend--system--basic system parameters--member settings--whether to enable the membership feature (yes)
Enable the member verification code: backend--system--basic system parameters--interactive settings--member submissions use the verification code (yes)
Disable comments: backend--system--basic system parameters--interactive settings--whether to prohibit all comments (yes)
Fifth Step:
(1) The following directories/features can be deleted if you do not use them:
member "membership directory; a typical corporate site does not need it"
special "special-topics feature"
tags.php "tags"
a folder
(2) The following files in the admin directory can be deleted:
These files in the admin directory make up the backend file manager, which is redundant and is the feature that most affects security; many attackers use it to plant Trojans.
dede/file_manage_control.php "Mail Send"
dede/file_manage_main.php "Mail Send"
dede/file_manage_view.php "Mail Send"
dede/media_add.php "Video Control File"
dede/media_edit.php "Video Control File"
dede/media_main.php "Video Control File"
dede/spec_add.php, spec_edit.php "Thematic management"
dede/file_xx.php, that is, the series of files whose names start with file_, and tpl.php "file manager, a great security risk"
(3) The following files under plus can be deleted:
Delete: plus/guestbook folder "message board; a more suitable message board plugin can be installed later"
Delete: plus/task folder and task.php "scheduled task control files"
Delete: plus/ad_js.php "ads"
Delete: plus/bookfeedback.php and bookfeedback_js.php "book review and comment call files; there is an injection vulnerability, unsafe"
Delete: plus/bshare.php "Share-to plugin"
Delete: plus/car.php, posttocar.php and carbuyaction.php "shopping cart"
Delete: plus/comments_frame.php "comment call file; there is a security vulnerability"
Delete: plus/digg_ajax.php and digg_frame.php "upvote/downvote"
Delete: plus/download.php and disdls.php "download and count statistics"
Delete: plus/erraddsave.php "error correction"
Delete: plus/feedback.php, feedback_ajax.php, feedback_js.php "comments"
Delete: plus/guestbook.php "message board"
Delete: plus/stow.php "content collection"
Delete: plus/vote.php "voting"
In addition:
If you do not need the SQL command runner, delete the dede/sys_sql_query.php file.
Sixth Step:
Watch for the security patches officially released for DedeCMS and apply them promptly.
Seventh Step:
The download-publishing feature (soft__xxx_xxx.php under the admin directory) can be deleted; it is another easy way for a small webshell to be uploaded.
Eighth Step:
You can install third-party protection plug-ins, such as the "DedeCMS Security Package" produced by 360 and the "DedeCMS stubborn Trojan backdoor removal" tool produced by Baidu's Security Alliance.
Ninth Step:
(Optional) The safest way: generate the HTML locally and upload it to the hosting space. Including no dynamic content files at all is theoretically the safest option, but maintenance is relatively cumbersome.
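The file-level items in the first, third and fifth steps (plus the sys_sql_query.php note) can be checked mechanically. The following is an added example, not part of the original article or of DedeCMS: the names audit, make_sample and the admin_dir parameter are this example's own, and the sample tree is constructed.

```python
import glob
import os
import tempfile

# Names taken from the article's lists, relative to the webroot, admin dir and plus dir.
ROOT = "install member special tags.php".split()
ADMIN = ("file_manage_control.php file_manage_main.php file_manage_view.php "
         "media_add.php media_edit.php media_main.php spec_add.php spec_edit.php "
         "tpl.php sys_sql_query.php").split()
PLUS = ("guestbook task task.php ad_js.php bookfeedback.php bookfeedback_js.php "
        "bshare.php car.php posttocar.php carbuyaction.php comments_frame.php "
        "digg_ajax.php digg_frame.php download.php disdls.php erraddsave.php "
        "feedback.php feedback_ajax.php feedback_js.php guestbook.php stow.php "
        "vote.php").split()


def audit(webroot, admin_dir="dede"):
    """Report checklist leftovers; admin_dir is the (possibly renamed) backend folder."""
    admin = os.path.join(webroot, admin_dir)
    # The article also flags every backend file whose name starts with file_.
    admin_names = set(ADMIN) | {os.path.basename(p)
                                for p in glob.glob(os.path.join(admin, "file_*.php"))}
    wanted = ([(n, n) for n in ROOT]
              + [(f"{admin_dir}/{n}", os.path.join(admin_dir, n)) for n in sorted(admin_names)]
              + [(f"plus/{n}", os.path.join("plus", n)) for n in PLUS])
    return {
        "default_admin_dir": os.path.isdir(os.path.join(webroot, "dede")),
        "leftovers": [label for label, rel in wanted
                      if os.path.exists(os.path.join(webroot, rel))],
    }


def make_sample(root):
    """Constructed sample tree: an install where only some files were removed."""
    for d in ("install", "dede", "plus/guestbook"):
        os.makedirs(os.path.join(root, d))
    for f in ("dede/file_manage_main.php", "dede/file_example.php",
              "dede/sys_sql_query.php", "plus/vote.php", "plus/list.php"):
        open(os.path.join(root, f), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:   # constructed sample, not a real site
        make_sample(tmp)
        print(audit(tmp))
```

Pass the real webroot and the renamed backend folder name to audit() to check a live site; an empty leftovers list and default_admin_dir set to False mean these items are done.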
Addendum: you still need to check your website often. Having hidden spam links ("black links") injected is a minor problem; having a Trojan planted or the program deleted is far worse, and with bad luck your search ranking will drop as well. So remember to back up your data frequently ...
Further reading: illustrated steps for backing up DedeCMS site data
So far, we have found the following malicious script files:
plus/90sec.php
plus/ac.php
plus/config_s.php
plus/config_bak.php
plus/diy.php
plus/ii.php
plus/lndex.php
data/cache/t.php
data/cache/x.php
data/config.php
data/cache/config_user.php
data/config_func.php
Most of the uploaded scripts are concentrated in three directories: plus, data and data/cache. Check carefully whether any files have recently been uploaded to these three directories.
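The check described above, as an added example that is not part of the original article: it looks for the file names listed above and for .php files modified recently in the three directories. The names scan, make_sample and the 7-day default are assumptions of this example, and the sample tree is constructed.

```python
import os
import tempfile
import time

# File names the article reports as malicious scripts found so far.
KNOWN_BAD = {
    "plus/90sec.php", "plus/ac.php", "plus/config_s.php", "plus/config_bak.php",
    "plus/diy.php", "plus/ii.php", "plus/lndex.php", "data/cache/t.php",
    "data/cache/x.php", "data/config.php", "data/cache/config_user.php",
    "data/config_func.php",
}
WATCH_DIRS = ("plus", "data", "data/cache")   # where the article says uploads cluster


def scan(webroot, days=7, now=None):
    """Return (known_bad, recent): listed names present, and .php files changed within `days`."""
    cutoff = (now if now is not None else time.time()) - days * 86400
    known = sorted(p for p in KNOWN_BAD if os.path.isfile(os.path.join(webroot, p)))
    recent = set()                            # a set, because data/cache is also under data
    for d in WATCH_DIRS:
        for base, _dirs, files in os.walk(os.path.join(webroot, d)):
            for name in files:
                full = os.path.join(base, name)
                if name.lower().endswith(".php") and os.path.getmtime(full) >= cutoff:
                    recent.add(os.path.relpath(full, webroot).replace(os.sep, "/"))
    return known, sorted(recent)


def make_sample(root):
    """Constructed sample: one old ordinary file, one listed name, one fresh unknown file."""
    os.makedirs(os.path.join(root, "plus"))
    os.makedirs(os.path.join(root, "data", "cache"))
    for rel in ("plus/list.php", "plus/lndex.php", "data/cache/new_upload.php"):
        open(os.path.join(root, rel), "w").close()
    old = time.time() - 90 * 86400            # make list.php look 90 days old
    os.utime(os.path.join(root, "plus/list.php"), (old, old))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        known, recent = scan(tmp)
        print("known bad names:", known)
        print("recently modified:", recent)
```

Modification times can be reset by whoever wrote the file, so a clean result here does not replace comparing the directories against a known-good backup.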
On the server side, if you run a Windows-series server, you can install Security Dog (Safedog) or similar protection tools.
Address of this article: http://www.xiuzhanwang.com/dedecms_aq/762.html