Identify Design
100% Giraffe Approved

Searching for all articles in the 404 page category...

Avatar of Woody

by Woody

Archive: Keeping Private Folders Private

Monday May 18th, 2009 in Security Tutorials


This post is an archived post. This means it is old or has been archived for rewriting in the near future. Please be aware that the contents of this article or page may be out of date. If you need assistance be sure to leave comments and our community can help you.
When it comes to web design, there's a lot of important factors we have to take into consideration. What sort of design do we want? How do we want our navigation to work? How will people find our pages or browse around our site? All these questions are perfectly valid, yet for some reason the most important question is often one of the last few asked; How do I make my site secure and keep the nasty people out?
Security is no loosely talked about subject. A quick search on Google for "improve site security" returns nearly quarter a billion results. When people start to learn web development, they forget that the integrity of their projects is a determining factor in how you create.

An increasing number of people are using folders on their web site, or a friend's website, to store sensitive, private and personal files. All dynamically generated content should do so from include files within a private folder as well for added security. Keeping these folders private and hidden, so that nobody knows they exist or knows how to open them, will ensure your personal, private or sensitive files are kept safe.

With a few simple changes to our methods and a couple of clever tricks, we can keep private folders private and make sure nobody even knows they exist. This tutorial is laid out in four steps for ease of reading; there is no chronological order to the steps. In this tutorial, we'll be using an Administration Panel Login as our example.

Step One: Don't be so Obvious

Incorrectly assumed to be too blatant to be a security update, being creative with file names and folder names is one of the best ways to drastically improve your website's security. Unlike the other four steps, this step requires zero work. No file editing, no password setting, nothing; just choosing an original name for a private folder.

For example, it's incredible just how many /admin/ and /admin.php pages there are on the internet. Every one of these files is screaming to be played around with. People don't outright link to these pages, but it doesn't take a genious to presume that an admin login might be located at /admin.php. The first place anybody is going to look will be at these two addresses.

Let's have a little browse around for what I'm referring to. I've got a dozen random sites open at the moment from various genres. Trying to load /admin/ and /admin.php on every website returned five hits. That means that five of the twelve sites I have open have now got their admin login exposed.

If the folder names were something creative and random, I wouldn't have found them. Rather than /admin/, how about calling your folder /monk3y900x/? A hacker wouldn't look within a folder called /monk3y900x/ for an admin login. This won't stop people ever finding your login, but already, with the slightest change to the address, we've lowered the chances of somebody finding it significantly.

For added security, we can even throw in some symbols as well. Symbols make it that much harder to guess URIs because of the millions of possible combinations. So rather than having a completely obvious address, like /admin.php, we've got a completely random string like /mo$nk3#y90@0x/.

To take being creative with names even further, be sure not to name files within the admin area names such as edit.php or delete.php. If somebody does manage to find your admin panel, they'll definitely look there. Replace these filenames with something equally as random. Be sure to write them down, though, because it will get confusing after awhile. It's well worth it, though.

So rather than /admin/admin.php, we're now using something that looks like the following:

The bottom line is, to be able to access your database and play around with your site, the perpetrator needs a way in. Having administrator panel login files with names such as "admin.php" or "login.php" make it exceptionally easy. Don't make it too easy for them by using those names; use something unique and random, or even a randomly generated string.
A superb rule of thumb is to treat your filenames as passwords. The longer they are and the more random they are, the more difficult they become to crack.

Step Two: Change is Good

Keeping your folder names different is a great way of ensuring anybody who has gained access recently won't be coming back. It's like changing passwords; if somebody hasn't guessed your password, there's perhaps no reason to change it, yet everyone still does. It's a way of ensuring you keep would-be-hackers on their toes and constantly guessing what your folder name might be.

There is an exceptionally easy method of setting up your admin area so that you can change the folder name at any time you like. Five minutes spent changing links within your admin area will save your hours of recovery time down the line when a hacker decides to have a play around.

How to Setup Files to Change Folder at Anytime
Create a folder anywhere on your website with a completely random name. You can go absolutely nuts with this; the longer and more complex, the better. Make sure that it makes zero sense and make sure it's at least twenty or more characters long with a mixture of symbols, numbers, lowercase and uppercase letters. Here is an example:
Next, we need to make sure every link within our admin panel is pointing relatively to files located within the current folder. To do this, we would make sure there's no starting slash in any of the links. When loaded in your browser, this will make all links point to a file of that name in the current folder. For example, an editing link would look like this:
<h3>Edit Pages:</h3>

<a href="edit.php">Click here to Edit Pages!</a>

Without the slash at the start it will point to the same folder the file you're browsing is in. Because we've not defined a folder, we can change our folder to anything we like and still maintain the structure of our admin area. Whatever the folder is changed to is where these links will point.

You know what that means, of course. It means that we can change the name of our admin folder without having to edit any files. The odds of somebody guessing a completely random and complex URI like the above example are pretty slim. By renaming our folder regularly to somthing equally as random, we drastically decrease the odds of somebody loading your login and make sure that if somebody did, somehow, open this folder they'll not be going back to it.

It's vital to remember not to link to any of your administrator panel files anywhere on your public pages or include its path anywhere that will be visible after parsing. This will stop search engine spiders crawling to your admin login and will stop hackers from searching your source and finding the path.

Essentially, anything that's public should not be put in a private folder. Files like Stylesheets and images being used on your pages should not be kept in such a folder. Using PHP's include() is okay, however, because it does not display the URI anywhere after parsing. You can take this a step further and turn all PHP Error reporting off. This will mean that should something on one of your pages fail to load, the URI of your folder will not be shown in the error message.

On the same note, be sure not to link to any pages from within the administrator panel. More and more people are running tracking scripts with referrer functions on which will happily display the URI to your admin panel as the referrer.

Step Three: Hiding your Addresses... Smartly

It's important not to trust anybody with your private folders. Not all malicious damage done to websites is intentional. People completely innocently browsing around can sometimes cause harm without even being aware they're doing so. Limiting access to your private folders to you and you alone will ensure that only you can screw your website up. If you screw your site up, chances are you'll know full well what you did and be able to fox it.

Don't link to any private folders nor link other people to private folders. If you have to link people to your admin folder for them to edit pages themselves, create a new folder with limited database access. Give them another folder to play around in so that they're not checking out your private folder and so they don't know the link to the absolute root of your admin panel.

It seems pretty obvious, but it's amazing how many people link to their admin pages unintentionally somewhere where a crawler can go. If a search engine crawler can get there, so can a hacker. Be prduent and link nobody.

Never ever use Robots.txt to Block Access
Incredibly, some people use rules in robots.txt to stop search engines browsing to their admin area. This is an incredible piece of stupidity that is exposing every page you're trying to keep private. Search engines usually won't even listen either, that's the ironic thing. If your robot.txt contains a code similar to the following:
User-agent: Googlebot

Disallow: /7fR8f9$8g$%Y&8gGRj$&disF9g5Y8G$y9hRh9fdf4#&)#d$dhd9$/

... then absolutely anybody who decides to load robot.txt can see it too. You can set a .htaccess or http.conf rule to prevent access to robot.txt, but it's still a liability. So long as there is a trace of your URI somewhere in a file, somebody could find it.

Let's try looking for robot.txt on the twelve sites I was browsing around for admin logins earlier. Of the twelve sites, eight of them have a robot.txt file. Two of them are telling search engines not to load their admin login. One of the two sites were sites I found the login too; this puts our total exposed count up to six.

Never tell a robot.txt file not to go to an admin login. This is one of the worst things you can do to protect your login. Spiders may listen and not browse those pages, but hackers will not. You might as well publish the addresses publically on every page, for all the good this does.
As outlined in step two, the best way of hiding your addresses is being creative. Blocking access in robot.txt will only achieve the opposite.

Step Four: Be Smart and Fool Hackers

This is my personal favourite step and one I'm very pleased with thinking up. It's a brilliant method of keeping hackers out. We're going to trick them into thinking that our admin login doesn't actually exist. How on earth can we do this? Surely if they find our freakishly long link they'll know they're onto a winner and probe around? Yes, until we do the following:
Setting up a Red Herring Error Page
Open any random page on your website that does not exist. View the source and copy this into a file. Save it as index.html. Upload this file to your administrator login folder. When somebody tries loading the admin page, they'll get a copy of the 404 error page your site is running. If somebody is trying a variety of addresses to load your admin login, they'll assume they've stumbled upon another incorrect guess and move along. What they don't know is they're actually loading index.html and viewing a replica of your 404 error page.

We use index.html because this page would load before any other index file present.

Be sure to keep this page up-to-date with your current 404 error page. Nothing says "I'm hiding something!" more than an out of date 404 error page. By keeping it the same as your real 404 error, the illusion will be maintained that they have in fact found a dead folder.
A simple way of doing this would be to just include your 404 error page with PHP, like so:



Obviously, if your server doesn't support URL including or you have it disabled, use your server path instead.

There is virtually no way for somebody to know they've found an existing folder. Even if they try index.html or edit.php, they'll continue to get 404 errors because we were clever in step two and gave our files random names.

This is a simple yet astonishingly effective way of keeping hackers out. It's so basic that I actually laughed when I thought of it, but it's so effective. Be sure to utilise this method if you want to heighten security to your admin area.