Zhimeng Dedecms-redefinition directory for website security optimization

A long time ago, I was looking for a tutorial to redefine the dede directory structure, but it was still fruitless after hard work!

Some time ago, I used Zhimeng to build a school website and put it on the server for less than a week. The website was injected with a black chain. Compared with the previous school news network, this time it was even worse, and the front-end was injected at the same time, and a lot of hidden iframe were embedded. No way. I have to worry about it this time.

Changing the default directory name of Zhimeng increases the difficulty for hackers to determine that the website system is dede. (With simple seo/seo.html "target =" _ blank "> Search engine skills, you can find a dream website, such as inurl:/plus/view. php? Aid = keyword: Baidu, Google ).

Next, let's briefly talk about what to do. First, install Zhimeng in the subdirectory of the site, and then transfer the frequently used modules and directories to the root directory of the website and rename it. In this way, you can be excluded from the dream website.

I will not talk about installing Zhimeng to sub-directories. If you want to transfer the root directory's Zhimeng site to a subdirectory, you can refer to: Zhimeng website migration and troubleshooting summary.
Zhimeng is installed in sub-directories, and news is displayed in the root directory.

Follow these three steps to display the weimeng news in the same way as the root directory.

Configure the home page link http://www.111cn.Net in the current location

The following screenshot is taken as follows:

DEDE-CMS background parameter settings 1

After performing the preceding operations, the "home page" link of the current website becomes "http://www.111cn.net /"
Generate website homepage

If you select static website browsing mode, you must change "../index.html" in the home page in the figure below to "../index.html ".

Zhimeng homepage update Wizard

If you prefer dynamic website browsing, you can create a file named index. Php, add the following content to it, and put it in the root directory of the website.

<? Php
Include 'cms/index. Php ';
// Cms name of the subdirectory installed for your dream
?>

Make the generated news content appear in the root directory of the website

In Figure 1, the document HTML is saved by default, which is the main directory of news generation, that is, all the default HTML documents are generated under this directory for convenient management. Next, open the editing window of the project, as shown in the following figure:

Quick editing window for Zhimeng topic

Remove {cmspath} from the "file storage directory.

The method provided above is only applicable to static browsing of the topic. If the topic is dynamic browsing, the website will appear in the installation directory of Zhimeng, for specific solutions, see "move the plus directory to the site root directory" in the following section.

The above settings have basically achieved the root directory browsing effect. However, the installation directory of Zhimeng is still exposed. Next, we will introduce how to move the plus, templets, and uploads directories to the root directory of the site and rename them.
Zhimeng directory redefinition
Move the Zhimeng Template directory to the site root directory

Open the website and view the source code. You can easily analyze the installation directory of Zhimeng based on the link's CSS file path. Therefore, it is necessary to move the templets directory to the root directory of the site. The following describes how to perform the operation:

Open the dream directory configuration file include/common. inc. php
The original code and the changed code are pasted below the code for the changed 18th lines.

// Modify the previous code
Define ('descplate ', DEDEROOT.'/templets ');
        
// The changed code indicates that the template directory is placed under the root directory of the website and renamed as the style directory.
Define ('descplate ', DEDEROOT.'/.../Style ');

Next, find row 185th of the file and modify the code as follows:

// Template storage directory
$ Pai_templets_dir = $ pai_cmspath. '/templets ';
        
// Change the above code to the following: (The template storage directory)
$ Pai_templets_dir = '/style ';

After performing the preceding operations, the system may prompt "cannot find: head.htm" when accessing the homepage of the website ". The main cause is that the {dede: include filename=”head.htm "/} tag of the dream cannot be loaded normally, causing errors. The solution is as follows:

Open the include/dedetag. class. Php file and go to row 3 (locate this location by searching for "IncludeFile"). Find the following code:

If (file_exists (DEDEROOT. "/templets/". $ filename ))
        {
$ Okfile = DEDEROOT. "/templets/". $ filename;
        }
Else if (file_exists (DEDEROOT. '/templets/'. $ pai_df_style. '/'. $ filename ))
        {
$ Okfile = DEDEROOT. '/templets/'. $ pai_df_style. '/'. $ filename;
        }
Else
        {
Return "cannot be found at this location: $ filename ";
        }

Change the above code:

If ($ filename = '')
        {
Return '';
        }
If (file_exists (DEDEROOT. "/../style/". $ filename ))
        {
$ Okfile = DEDEROOT. "/.../style/". $ filename;
        }
Else if (file_exists (DEDEROOT. '/.../style/'. $ pai_df_style. '/'. $ filename ))
        {
$ Okfile = DEDEROOT. '/.../style/'. $ pai_df_style. '/'. $ filename;
        }
Else
        {
Return "cannot be found at this location: $ filename ";
        }

Move the upload directory to the root directory of the website

Compared with moving the template directory to the root directory, it makes sense to move the upload directory. Next let's take a look at how to move the uploads directory to the site root directory and rename it as upload.

First, go to the website background. In "system basic parameter settings", change "image/upload file default path:" to "/upload ".
Open the include/common. inc. Php file, locate the 208th line, and change it as follows:

// Attachment Directory
$ Pai_medias_dir = $ pai_cmspath. $ pai_medias_dir;
$ Pai_mediasurl = $ pai_mainsite. $ pai_medias_dir;
        
// Change the above code
// Attachment Directory
$ Pai_member_dir = $ pai_member_dir;
$ Pai_mediasurl = $ pai_mainsite. $ pai_medias_dir;

Move the Zhimeng plus directory to the site root directory

Some files in the plus Directory provide dynamic access to the site. For example, an article can access:/2012/1213/36.html. You can also access it like this: /plus/view. php? Aid = 36, which easily exposes the installation directory of Zhimeng. You can move the plus directory to the root directory of the site and rename it as follows.

Open the include/common. inc. php file and find row 192nd.
Follow these steps to change the code:

// Plug-in directory, which is a necessary dynamic program used to store counters, votes, comments, and other programs
$ Export _plus_dir = $ export _cmspath. '/plus ';
        
// The following code is modified
// Plug-in directory, which is a necessary dynamic program used to store counters, votes, comments, and other programs
$ Pai_plus_dir = '/plug ';

Next, cut the plus directory to the root directory of the website and rename the plus directory to plug.

Open all the files in the plug Directory

Require_once (dirname (_ FILE _). "/../include/common. inc. php ");

Replace

Require_once (dirname (_ FILE _). "/../cms/include/common. inc. php ");

Note: The "cms" mentioned above is the installation directory of the dream. Remember to change it.
If your website is just a basic news site, you can also delete the files in the directory, and only keep list. php, view. php, and count. php.

In addition to modifying the program, server security is a key point. We use iis as an instance to check the dedecms iis security configuration.

 

IIS IIS6.0 in Windows
Open the site in IIS, right-click the site's uploads Directory, data directory, and static html generated Directory, select "properties" from the menu, and select "none" as the execution permission on the directory properties panel. (See figure 1)

IIS7
IIS7 is also similar to IIS6.0. Select the directory corresponding to the site, data, uploads, and static html file directory, and double-click the function to try "handler ing" on the panel (as shown in Figure 2)
 

In "edit function permissions ......" In, www.111CN. Net, we can directly remove the script execution permission. (Figure 3)

In fact, the above only introduces how to set the directory write permission according to the official recommendation if the execution permission is canceled.
For example, if Directory a is generally used to generate static pages, we need to set it on the server side (dederun is an anonymous website user running in iis)

Configure the independent host for the execution permission of directory scripts in Apache
In Apache, there is no Windows IIS graphical management interface. We need to manually modify the apache configuration file to set the directory script execution permission.
First, find the apache configuration file httpd. conf. Normally, the configuration file is in the conf folder under the apache installation directory (as shown in Figure 4 ).
 

(Figure 4)

Open the httpd. conf file and find the location in Figure 5 in the content:

(Figure 5)

Directory "DIR">
<FilesMatch ". (php | asp | jsp) $">
Deny from all
</FilesMatch>
</Directory>

The DIR in the configuration content is the directory where the execution script file needs to be restricted, and the content after FilesMatch is the suffix of the script to be qualified. For example, if you want to disable the running of PHP, ASP, and JSP scripts in the uploads folder of the test site, configure it as follows:

 

(Figure 6)

 

After the configuration is complete, restart apache and the configuration takes effect!
Before the operation, I created an index. Php file in the uploads folder. Figure 7 shows the access status before configuration.