Security tips to protect your website from hackers

Nowadays it is a common problem that websites get hacked or infected with malware. Every day millions of websites are hacked and blocked by Google. In many cases the hacker or malware adds malicious code to your HTML or PHP files, edits your .htaccess file, adds to or edits your MySQL database, and sometimes even deletes all records from database tables with the TRUNCATE TABLE command. They also upload files to the web server. How is it possible to upload files, edit the database or change files without knowing the passwords? Yes, this is possible for hackers, because they are the best at it.
The following are a few of my findings on how to stop hacking, though the hackers themselves could say better how to protect against them.

Protect through .htaccess file
The .htaccess file contains configuration statements/commands that customize the Apache web server to the user's requirements.
Disable PHP register_globals
Some web servers allow users to change PHP settings through the .htaccess file; if your host provides this option, you can disable register_globals through .htaccess. Put the following line at the top of your .htaccess file. If you see a 500 Internal Server Error after adding it, remove it from your .htaccess file again.

php_flag register_globals off

Turn off Server Signature
It is better to turn off your server information, so the hacker will get less information about your server.

Disable Directory Listing
It is a best practice to disable directory listing. If fancy indexing is enabled, it should be disabled as well. Fancy indexing displays file size, type, modified date etc.

Options -Indexes
IndexOptions -FancyIndexing

Deny access to Directories
You can create a separate .htaccess file and upload it to those folders to which you want to deny access.

Order Deny,Allow
Deny from all

Disallow access to specific files
You can protect your config files and other important files by adding the following to your .htaccess file.

<files .htaccess>
order allow,deny
deny from all
</files>

<files php.ini>
order allow,deny
deny from all
</files>

<files config.php>
order allow,deny
deny from all
</files>

Upload Directory
If you give your users the option to upload files, there is a higher chance that your site will be hacked or infected with malware. In that case create a .htaccess file and save it in the directory that holds the user uploads.

deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>

Preventing hotlinking
With RewriteEngine on, the following returns 403 Forbidden for images, scripts and stylesheets whose Referer header is neither empty nor your own site (replace yourdomain.com with your own host name). Without the RewriteCond line the rule would forbid these files for every visitor.

RewriteCond %{HTTP_REFERER} !^(https?://(www\.)?yourdomain\.com/.*)?$ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F,NC]

URL Rewrite or SEO Friendly URL
It is a best practice to use SEO friendly URLs. If your page URL is

http://www.wearecoders.net/test.php?id=6

then the hacker can easily enter your database through the id parameter, so you can change your URL to something like this:

http://www.domain.com/test/6/
or
http://www.domain.com/test-6/

So your final .htaccess file will look something like this

php_flag register_globals off
RewriteEngine on
RewriteBase /
ServerSignature Off
# Hotlink protection: forbid static files requested with a foreign Referer
# (replace yourdomain.com with your own host name). .php is left out on
# purpose: forbidding it would answer links from other sites with 403.
RewriteCond %{HTTP_REFERER} !^(https?://(www\.)?yourdomain\.com/.*)?$ [NC]
RewriteRule \.(gif|jpg|png|js|css)$ - [F,NC]
Options -Indexes
IndexOptions -FancyIndexing

# URL Rewrite code goes here (.htaccess comments start with #)

# Apache 2.2 syntax; on Apache 2.4 this needs mod_access_compat,
# otherwise write "Require all denied" instead of order/deny.
<files .htaccess>
order allow,deny
deny from all
</files>
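Before uploading a consolidated file like the one above it is worth running a small syntax check. The linter below is an added example (not from the original post) that catches the mistakes discussed in this post: a misspelled directive, a C-style comment that Apache does not understand, a space inside the Order argument, and a RewriteRule [F] that has no RewriteCond guarding it. The sample text is the post's own final file with its mistakes left in; the set of known directives is an assumption limited to what this post uses.

```python
# Constructed sample: the consolidated .htaccess from this post, mistakes included.
SAMPLE_HTACCESS = """\
php_flag register_globals off
RewriteEngine on
RewriteBase /
ServerSignature Off
RewriteRule \\.(gif|jpg|png|js|css|php)$ - [F]
Opptions -Indexes
IndexOptions -FancyIndexing

/* URL Rewrite code goes here */

<files .htaccess>
order allow,deny
deny from all
</files>
"""

# Directives this post uses (lower-cased); anything else is a likely typo and a 500 error.
KNOWN = {"php_flag", "rewriteengine", "rewritebase", "rewritecond", "rewriterule",
         "serversignature", "options", "indexoptions", "order", "allow", "deny",
         "errordocument", "addtype", "directoryindex"}

def lint_htaccess(text):
    """Return (line_no, message) findings for the mistakes this post's snippets contain."""
    findings = []
    cond_pending = False                 # a RewriteCond only guards the next RewriteRule
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue                     # blank line, comment, or <Files>/</Files> marker
        if line.startswith("/*") or line.startswith("//"):
            findings.append((no, "not a comment: .htaccess comments start with '#'"))
            continue
        parts = line.split()
        name = parts[0].lower()
        if name not in KNOWN:
            findings.append((no, f"unknown directive '{parts[0]}' (typo?)"))
            continue
        if name == "order" and len(parts) != 2:
            findings.append((no, "Order takes one argument: 'Order Deny,Allow' with no space"))
        if name == "rewritecond":
            cond_pending = True
        if name == "rewriterule":
            flags = parts[-1].strip("[]").split(",") if parts[-1].startswith("[") else []
            if "F" in flags and not cond_pending:
                findings.append((no, "RewriteRule [F] with no RewriteCond forbids every match"))
            if "F" in flags and "php" in parts[1]:
                findings.append((no, "forbidding .php answers your own pages with 403"))
            cond_pending = False
    return findings
```

Running lint_htaccess(SAMPLE_HTACCESS) reports the hotlink rule twice (no RewriteCond, and .php in its pattern), the Opptions typo and the /* */ line, which are exactly the fixes applied in the final file above.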

More .htaccess Examples

Deny/Allow Certain IP Addresses
Block an IP Address

# Deny list: everyone is allowed except the addresses listed
order allow,deny
# a single address
deny from 198.198.198.198
# a subnet range
deny from 198.198.198.198/30
# a partial address (first octets): matches 198.198.0.0 to 198.198.255.255
deny from 198.198
allow from all

Allow an IP address

# Allow list: everyone is denied except the addresses listed.
# Order deny,allow is required here: with "order allow,deny" a matching
# "deny from all" wins and the listed addresses are locked out as well.
order deny,allow
deny from all
# a single address
allow from 198.198.198.198
# a subnet range
allow from 198.198.198.198/30
# a partial address (first octets)
allow from 198.198
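The difference between the two Order values is easy to get wrong, so here is an added example (not from the original post) that evaluates the deny list and the allow list above against sample client addresses using the Apache 2.2 Order allow,deny / deny,allow semantics. The rule texts are constructed copies of the two snippets; ALLOW_LIST_AS_POSTED is the allow list with "order allow,deny", which locks out the very address it lists.

```python
import ipaddress

# Constructed samples: the deny list above, the allow list with the wrong Order,
# and the allow list with the Order corrected.
DENY_LIST = """
order allow,deny
deny from 198.198.198.198
deny from 198.198.198.198/30
deny from 198.198
allow from all
"""
ALLOW_LIST_AS_POSTED = """
order allow,deny
allow from 198.198.198.198
deny from all
"""
ALLOW_LIST_FIXED = """
order deny,allow
deny from all
allow from 198.198.198.198
"""

def host_matches(pattern, ip):
    """One Allow/Deny argument: 'all', a full address, a CIDR block or a partial address."""
    if pattern == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.count(".") < 3:            # partial address such as 198.198 (leading octets)
        return ip.startswith(pattern + ".")
    return ipaddress.ip_address(ip) == ipaddress.ip_address(pattern)

def parse_rules(text):
    order, allows, denies = "deny,allow", [], []   # Apache's default Order is Deny,Allow
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "order":
            order = parts[1].lower()
        elif len(parts) >= 3 and parts[0].lower() in ("allow", "deny") and parts[1].lower() == "from":
            (allows if parts[0].lower() == "allow" else denies).extend(parts[2:])
    return order, allows, denies

def is_allowed(text, ip):
    """allow,deny: an Allow must match and no Deny may match (Deny wins, default deny).
    deny,allow: a matching Deny is overridden by a matching Allow (Allow wins, default allow)."""
    order, allows, denies = parse_rules(text)
    allowed = any(host_matches(p, ip) for p in allows)
    denied = any(host_matches(p, ip) for p in denies)
    if order == "allow,deny":
        return allowed and not denied
    return allowed or not denied
```

is_allowed(ALLOW_LIST_AS_POSTED, "198.198.198.198") returns False while is_allowed(ALLOW_LIST_FIXED, "198.198.198.198") returns True, which is why the allow list must use order deny,allow.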

Disable directory browsing
For security reasons it is always better to disable directory browsing, so that people cannot see which files you have. The following line does so.

Options All -Indexes

Adding MIME Types
If your server is not set up to deliver certain files, like MP3 or SWF, properly, you can add the MIME type for them through .htaccess.

AddType application/x-shockwave-flash swf

Change your default directory page
Through DirectoryIndex you can change the default landing page of your website. The default landing pages are index.html, index.php, default.php etc. If you want to change it to some other page, use the following.

DirectoryIndex filename.html

Protect .htaccess files

<files .htaccess>
order allow,deny
deny from all
</files>

Protect php.ini file

<files php.ini>
order allow,deny
deny from all
</files>

Create custom error pages through .htaccess file

It is always a best practice to create your own error pages rather than showing the host's default page. You can use custom error pages for any known error, like 404 – Page Not Found, 500 – Internal Server Error etc.
This is done by adding the following to your .htaccess file.

ErrorDocument errornumber /file.html

1. 404 – page not found

RewriteEngine On
ErrorDocument 404 /404.html

2. 500 – Internal Server Error

RewriteEngine On
ErrorDocument 500 /500.html

3. 403 – Forbidden

RewriteEngine On
ErrorDocument 403 /403.html

4. 400 – Bad request

RewriteEngine On
ErrorDocument 400 /400.html

5. 401 – Authorization Required

RewriteEngine On
ErrorDocument 401 /401.html

You can also send all errors to a single page, like this:

RewriteEngine On
ErrorDocument 404 /404.html
ErrorDocument 500 /404.html
ErrorDocument 403 /404.html
ErrorDocument 400 /404.html
ErrorDocument 401 /401.html