Security tips to protect your website from hackers

Nowadays a common problem with websites is that they get hacked or infected with malware. Every day millions of websites are hacked and blocked by Google. In many cases the hacker or malware adds malicious code to your HTML or PHP files, edits your .htaccess file, adds to or edits your MySQL database, and sometimes even deletes all records from database tables using the TRUNCATE TABLE command. They also upload files to the web server. How is it possible to upload files, edit the database or change files without knowing the passwords? Yes, this is possible for hackers, because they are the best.
The following are a few of my findings to stop hacking, but the hackers can say better how to protect against them.

Protect through .htaccess file
The .htaccess file contains configuration statements/commands to customize the Apache web server according to the user's requirements.
Disable php global
Some web servers allow users to change PHP settings through the .htaccess file; if your host provides this option, you can disable PHP globals through .htaccess. Write the following code in the first line of your .htaccess file. If you see a 500 Internal Server Error after adding the code, remove it from your .htaccess file.

php_flag register_globals off

Turn off Server Signature
It is better to turn off your server information, so the hacker gets less information about your server.

Disable Directory Listing
It is a best practice to disable directory listing. If fancy indexing is enabled, it should also be disabled. Fancy indexing is used to display file size, type, modified date, etc.

Options -Indexes
IndexOptions -FancyIndexing

Deny access to Directories
You can create a separate .htaccess file and upload it to the folders to which you want to deny access.

Order Deny,Allow
Deny from all

Disallow the access of any file
You can protect your config files and other important files by adding the following to your .htaccess file.

<files .htaccess>
order allow,deny
deny from all
</files>

<files php.ini>
order allow,deny
deny from all
</files>

<files config.php>
order allow,deny
deny from all
</files>

Upload Directory
If you give your users the option to upload files, there is a higher chance that your site will be hacked or infected by malware. In that case create a .htaccess file and save it in your user upload directory.

deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>
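A version of the upload-directory rules above that also works on Apache 2.4 (where the old order/deny directives need mod_access_compat) and that switches off script execution in the folder as a second line of defence. This is an added example, not part of the original post; it allows the same image extensions as the rules above and assumes the host lets .htaccess override Options and handlers.

```apache
# .htaccess for the user upload directory (added example)
# No directory listing and no CGI execution in this folder
# (needs AllowOverride Options; drop this line if you get a 500 error)
Options -Indexes -ExecCGI

# Make sure nothing in here is ever run as PHP, even if a file with a
# script extension somehow gets past the upload check. The php_flag
# line only exists under mod_php, so it is wrapped in IfModule.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
RemoveHandler .php .phtml .phar .php5 .php7
RemoveType .php .phtml .phar .php5 .php7

# Apache 2.4 (mod_authz_core present): deny everything, then allow only
# files whose name is word characters plus exactly one image extension,
# so double extensions like photo.php.jpg never match
<IfModule mod_authz_core.c>
    Require all denied
    <FilesMatch "^\w+\.(gif|jpe?g|png)$">
        Require all granted
    </FilesMatch>
</IfModule>

# Apache 2.2: the same policy with the old access-control directives
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    <FilesMatch "^\w+\.(gif|jpe?g|png)$">
        Order Allow,Deny
        Allow from all
    </FilesMatch>
</IfModule>
```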

Preventing hotlinking

RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com/ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F]

URL Rewrite or SEO Friendly URL
It is a best practice to use SEO-friendly URLs. If your page URL is

 http://wwww.wearecoders.net/test.php?id=6 

then the hacker can easily get into your database through the id, so you can change your URL to something like this

http://wwww.domain.com/test/6/
or
http://wwww.domain.com/test-6/

So your final .htaccess file will look something like this:

# Only works under mod_php; note that register_globals was removed in PHP 5.4
php_flag register_globals off
ServerSignature Off
Options -Indexes
IndexOptions -FancyIndexing

RewriteEngine on
RewriteBase /
# Hotlink protection: refuse static files when the Referer is another site
# (requests with no Referer are let through); replace domain.com with your own
# .php is deliberately not in the list, otherwise every link from another
# site to one of your pages would be refused
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com/ [NC]
RewriteRule \.(gif|jpg|png|js|css)$ - [F]

# URL Rewrite code goes here

<files .htaccess>
order allow,deny
deny from all
</files>

More .htaccess Examples

Deny/Allow Certain IP Addresses
Block an IP Address

# Deny list (Apache comments must be on their own line, not after a directive)

order allow,deny
# a specific address
deny from 198.198.198.198
# a subnet range in CIDR notation
deny from 198.198.198.198/30
# a partial IP address: the leading bytes match the whole 198.198.x.x range
# (Apache does not support a "*" wildcard here)
deny from 198.198
allow from all

Allow an IP address

# Allow list

order allow,deny
# a specific address
allow from 198.198.198.198
# a subnet range in CIDR notation
allow from 198.198.198.198/30
# a partial IP address: the leading bytes match the whole 198.198.x.x range
allow from 198.198
deny from all

Disable directory browsing
For security reasons it is always better to disable directory browsing so that people won't know what files you have. The following code will do so.

Options All -Indexes

Adding MIME Types
If your server is not set up to deliver certain files like MP3 or SWF properly, you can add the MIME type for those through .htaccess.

AddType application/x-shockwave-flash swf

Change your default directory page
Through DirectoryIndex you can change the default landing page of your website. The default landing pages are index.html, index.php, default.php, etc. If you want to change it to some other page, use the following code.

DirectoryIndex filename.html

Protect .htaccess files

<files .htaccess>
order allow,deny
deny from all
</files>

Protect php.ini file

<files php.ini>
order allow,deny
deny from all
</files>

Create custom error pages through .htaccess file

It is always a best practice to create your own error pages rather than showing the host's default page. You can use your own custom error pages for any known error like 404 (Page Not Found), 500 (Internal Server Error), etc.
It can be done simply by adding the following code to your .htaccess file.

ErrorDocument errornumber /file.html

1. 404 – page not found

RewriteEngine On
ErrorDocument 404 /404.html

2. 500 – Internal Server Error

RewriteEngine On
ErrorDocument 500 /500.html

3. 403 – Forbidden

RewriteEngine On
ErrorDocument 403 /403.html

4. 400 – Bad request

RewriteEngine On
ErrorDocument 400 /400.html

5. 401 – Authorization Required

RewriteEngine On
ErrorDocument 401 /401.html

You can also redirect all errors to a single page, like:

RewriteEngine On
ErrorDocument 404 /404.html
ErrorDocument 500 /404.html
ErrorDocument 403 /404.html
ErrorDocument 400 /404.html
ErrorDocument 401 /401.html

Using .htaccess file to change the URL (URL ReWriting)

The Apache server's mod_rewrite module gives you the ability to change the URL or redirect the URL transparently without displaying it to the user.
For example:

http://wearecoders.net/product.php?pid=10

to
http://wearecoders.net/products/10

OR

http://localhost/testing/index.php to http://localhost/testing/home.php

This type of URL rewriting is very helpful for Search Engine Optimization (SEO).
The .htaccess file is used to rewrite URLs, among other things. It can be used for many purposes: redirecting URLs, cleaning up dirty URLs, creating password-protected directories, and many more. But in this tutorial we'll discuss only URL rewriting (URL redirecting).
To use mod_rewrite, you set the link text you want the server to match and the original URLs. The original URLs will be redirected to the link text you set.
To use a .htaccess file in your project, mod_rewrite should be enabled. You have to enable it manually if you are working locally. If you are using WAMP/XAMPP, go to WAMP -> Apache -> Apache modules -> mod_rewrite. If you are not using WAMP/XAMPP, you can google about it.
Let's start with a basic example.
You have the URL http://localhost/test/index.php and you want to change it to http://localhost/test/index.html.
To do this, open Notepad and save the file in your project directory with the name .htaccess.
Note: select "All Files" from "Save as type" while saving the .htaccess file.
You can enable rewriting by including this line in the file:

We're done.
Now open the URL http://localhost/test/index.html.

There are three special characters in there.

  • The caret, ^, signifies the start of a URL, under the current directory. This directory is whatever directory the .htaccess file is in. You'll start almost all matches with a caret.
  • The dollar sign, $, signifies the end of the string to be matched. You should add this in to stop your rules matching the first part of longer URLs.
  • The period or dot before the file extension is a special character in regular expressions, and would mean something special if we didn’t escape it with the backslash, which tells Apache to treat it as a normal character.

Little Complex
Now we get on to the really useful stuff. The power of mod_rewrite comes at the expense of complexity. If this is your first encounter with regular expressions, you may find it helpful to google "regular expressions" first.

Using regular expressions you can have your rules match a set of URLs at a time and mass-redirect them to their actual pages. Take this rule:

This will match any URL that starts with 'products/', followed by any two digits, followed by a forward slash. For example, this rule will match a URL like products/12/ or products/99/ and redirect it to the PHP page.
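An added example, not from the original post: one .htaccess that implements the rewrites this page describes, namely the index.html rule whose three special characters are explained above, the two-digit products/ rule, and the test/6/ and test-6/ forms from the SEO-friendly URL section. The digit-only character classes decide the shape of what reaches the id and pid parameters, but test.php and product.php are assumed to still treat the value as untrusted input (integer cast, prepared statement), since the rewrite only hides the query string.

```apache
RewriteEngine On
# Patterns are matched relative to the directory holding this file
RewriteBase /

# Leave requests for files and directories that really exist alone
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# /index.html -> index.php
# ^ anchors the start, $ the end, and \. is a literal dot
RewriteRule ^index\.html$ index.php [L]

# /products/12/ -> product.php?pid=12  (exactly two digits, as in the text)
RewriteRule ^products/([0-9]{2})/$ product.php?pid=$1 [L]

# /test/6/ or /test-6/ -> test.php?id=6  (one or more digits only;
# a value containing anything else does not match and falls through,
# so test.php never sees it)
RewriteRule ^test/([0-9]+)/?$ test.php?id=$1 [L]
RewriteRule ^test-([0-9]+)/?$ test.php?id=$1 [L]
```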

There are plenty of rewriting rules that can be applied.

That's it. I hope this is a really cool one. Thanks for visiting. Keep in touch with us for more tutorials.