DedeCMS (Weaving Dream) website security: tips for keeping the site from being hacked

Source: Internet
Author: User

Except you.
Links: https://zhuanlan.zhihu.com/p/22101340
Source: Zhihu
Copyright belongs to the author. For commercial reprints, please contact the author for authorization; for non-commercial reprints, please cite the source.

DedeCMS is currently one of the most widely used CMS systems for building corporate websites, but its security record makes many companies hesitate. In fact, as long as the site's security protection is done properly, there is no need to worry about the site being hacked.


Below I explain the tips for keeping a DedeCMS site from being hacked in two parts, outside the site and inside the site:

I. Security protection outside the site, mainly the security of the domain name and the hosting space (server)

1. Domain name. The domain name is one of the site's entry points, and also one of the ways in for an attacker; if something goes wrong with the domain name, the site cannot be opened. So how do you keep the domain name secure?

(1) Choose a legitimate, properly accredited registrar

(2) Fill in the domain name registration information truthfully

(3) Try to use the official DNS resolution provided by the domain name provider, and use free DNS resolution with caution

2. Hosting space (server) security

(1) Security combination: Security Dog (server and website protection) + Baidu Cloud Acceleration (general web protection and access acceleration) + Baidu Cloud Observation (website security warnings and daily monitoring)

(2) Use a cloud protection tool: Baidu Cloud Acceleration is the recommended choice

(3) Upload and maintain web pages via FTP, and try not to install ASP upload programs

(4) Carry out routine maintenance, and check whether there are any unknown files in the space


II. Security protection inside the site

1. Change the name of DedeCMS's default backend directory (dede). It can be changed to other letters or a combination of letters and digits (such as chaoyongseo). After the change, the site's backend login address is: domain name/chaoyongseo

2. If the site does not use features such as membership, it is recommended to delete the member, install and special folders

3. The database connection file data/common.inc.php must be denied write and execute permission; only reading is allowed

4. Move the /data/ folder out of the web-accessible directory. This is the official DedeCMS recommendation, and the method is as follows:

(1) Move the /data/ folder to the directory one level above the web root

(2) Modify the DEDEDATA definition in /include/common.inc.php, changing: define('DEDEDATA', DEDEROOT.'/data'); to: define('DEDEDATA', DEDEROOT.'/../data');

(3) Modify /index.php and delete the following code (note: if the home page is generated as a static page and index.html takes precedence over index.php as the index file, this modification can be skipped):

if(!file_exists(dirname(__FILE__).'/data/common.inc.php'))
{
    header('Location:install/index.php');
    exit();
}

(4) Configure the tplcache cache directory: log in to the backend > System > System Basic Parameters > Performance Options, and change the template cache directory value to: /../data/tplcache

5. Deny write permission on the include and plus folders

/plus/ is the directory in which DedeCMS vulnerabilities occur most often. Hide the /plus/ path to prevent unknown vulnerabilities in the files under that directory from being exploited; if a file in the directory is needed, add the relevant rules to .htaccess to implement a whitelist.

Example: assume the plus directory has been renamed to /chaoyong/, and the site needs the backend's dynamic column preview (path: //domain name/plus/list.php?tid=column number) and the redirect to a published article (path: //domain name/plus/view.php?aid=article number). Add the following to .htaccess:

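RewriteEngine on
# Whitelist list.php only when the query string starts with a numeric tid
RewriteCond %{QUERY_STRING} ^tid=(\d+)
# The original query string is passed through unchanged, so no backreference is needed
RewriteRule ^plus/list\.php$ /chaoyong/list.php [L]
# Whitelist view.php only when the query string starts with a numeric aid
RewriteCond %{QUERY_STRING} ^aid=(\d+)
RewriteRule ^plus/view\.php$ /chaoyong/view.php [L]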


6. Pay attention to site backups, including backups of the site files and of the database.

To back up the site files, go to the hosting space (server) management console, use its file compression function to compress the site, and then download the archive with an FTP tool;

To back up the database, log in to the site's management backend, open "System - Database Backup/Restore", and click "Submit".
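
A read-only check of items 1 to 5 above, as an added example that is not part of the original article or of DedeCMS. The function name audit_dedecms and the FINDING output format are hypothetical; it assumes the web root is passed as the argument and that a relocated data folder sits at ../data relative to it.

```sh
#!/bin/sh
# Added example: audit a DedeCMS web root against items 1-5 of section II.
# Prints one FINDING line per deviation; returns 0 only when there are none.
# Reads permission bits from `ls -ld`, so the result is the same when run as root.

mode_of() { ls -ld "$1" | cut -c1-10; }   # e.g. "-rw-r--r--"

audit_dedecms() {
    root=$1
    findings=0
    report() { findings=$((findings + 1)); printf 'FINDING: %s\n' "$1"; }

    # Item 1: default backend directory name still in use
    [ -d "$root/dede" ] && report "default backend directory /dede/ not renamed"

    # Item 2: folders the article recommends deleting when unused
    for d in member install special; do
        [ -d "$root/$d" ] && report "/$d/ still present (delete if unused)"
    done

    # Item 4: /data/ belongs one level above the web root (assumed ../data)
    if [ -d "$root/data" ]; then
        report "/data/ is still inside the web root"
        cfg=$root/data/common.inc.php
    else
        cfg=$root/../data/common.inc.php
    fi

    # Item 3: database connection file must carry no write or execute bit
    if [ -f "$cfg" ]; then
        case $(mode_of "$cfg") in
            ??w*|?????w*|????????w*|???x*|??????x*|?????????x*)
                report "$cfg has write or execute bits set" ;;
        esac
    fi

    # Item 5: include and plus must not be writable by anyone
    for d in include plus; do
        [ -d "$root/$d" ] || continue
        case $(mode_of "$root/$d") in
            ??w*|?????w*|????????w*) report "/$d/ is writable" ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

if [ "$#" -gt 0 ]; then audit_dedecms "$1"; fi
```

Run it after each deployment or template change, since installers and FTP clients commonly reset directory modes.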

(Source: DedeCMS (Weaving Dream) website security: tips for keeping the site from being hacked)
