Monday May 18th, 2009 in Security Tutorials
Attention: This post is an archived post. This means it is old or has been archived for rewriting in the near future. Please be aware that the contents of this article or page may be out of date. If you need assistance, be sure to leave comments and our community can help you.
Step One: Don't Be So Obvious
Often dismissed as too blatant to count as a security measure, being creative with file names and folder names is one of the best ways to drastically improve your website's security. Unlike the other four steps, this step requires zero work: no file editing, no password setting, nothing; just choosing an original name for a private folder. For example, it's incredible just how many /admin/ and /admin.php pages there are on the internet. Every one of these files is screaming to be played around with. People don't outright link to these pages, but it doesn't take a genius to presume that an admin login might be located at /admin.php. The first place anybody is going to look will be at these two addresses. Let's have a little browse around for what I'm referring to. I've got a dozen random sites open at the moment from various genres. Trying to load /admin/ and /admin.php on every one of them returned five hits. That means that five of the twelve sites I have open have their admin login exposed. If the folder names were something creative and random, I wouldn't have found them. Rather than /admin/, how about calling your folder /monk3y900x/? A hacker wouldn't look within a folder called /monk3y900x/ for an admin login. This won't stop people ever finding your login, but already, with the slightest change to the address, we've significantly lowered the chances of somebody finding it. For added security, we can even throw in some symbols as well. Symbols make URIs that much harder to guess because of the millions of possible combinations. So rather than having a completely obvious address like /admin.php, we've got a completely random string like /mo$nk3#y90@0x/. To take being creative with names even further, be sure not to give files within the admin area names such as edit.php or delete.php. If somebody does manage to find your admin panel, they'll definitely look there. Replace these filenames with something equally random.
Be sure to write them down, because it will get confusing after a while. It's well worth it, though. So rather than /admin/admin.php, we're now using something that looks like the following:
Step Two: Change Is Good
Changing your folder names from time to time is a great way of ensuring that anybody who has gained access recently won't be coming back. It's like changing passwords: if nobody has guessed your password, there's perhaps no reason to change it, yet everyone still does. It's a way of keeping would-be hackers on their toes and constantly guessing what your folder name might be. There is an exceptionally easy method of setting up your admin area so that you can change the folder name whenever you like. Five minutes spent changing links within your admin area will save you hours of recovery time down the line when a hacker decides to have a play around.
How to Set Up Files so You Can Change the Folder at Any Time
Create a folder anywhere on your website with a completely random name. You can go absolutely nuts with this; the longer and more complex, the better. Make sure that it makes zero sense and that it's at least twenty characters long, with a mixture of symbols, numbers, lowercase and uppercase letters. Here is an example:
It's vital to remember not to link to any of your administrator panel files anywhere on your public pages, nor to include the folder's path anywhere that will be visible after parsing. This stops search engine spiders crawling to your admin login and stops hackers from searching your source and finding the path. Essentially, anything that's public should not be put in a private folder: files like stylesheets and images used on your public pages should not be kept there. Using PHP's include() is fine, however, because the included path is not displayed anywhere after parsing. You can take this a step further and turn PHP error reporting off. That way, should something on one of your pages fail to load, the URI of your folder will not be shown in the error message. On the same note, be sure not to link out to other sites from within the administrator panel. More and more people run tracking scripts that record the referrer, and those will happily display the URI of your admin panel as the referrer.
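One way to put Steps One and Two together, as an added example that is not code from the original post: the private folder's name lives in a single constant, links are built from it, and error display is switched off in favour of server-side logging. The folder name, file names and include path are constructed placeholders; note that '#' and '?' are not usable in a folder name because browsers treat them as the fragment and query delimiters.

```php
<?php
// Added example, not code from the original post: a single config file that
// holds the private folder's name, so renaming the folder on disk means
// changing one line here. Assumed layout: the random folder holds config.php
// plus admin scripts that also carry random file names.

// Build a folder name from characters that are safe in a URL path.
// Caveat: '#' starts the URL fragment and '?' the query string, so a name
// containing either never reaches the server as part of the path.
function randomFolderName(int $length = 24): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_';
    $max = strlen($alphabet) - 1;
    $name = '';
    for ($i = 0; $i < $length; $i++) {
        $name .= $alphabet[random_int(0, $max)];   // CSPRNG (PHP 7+)
    }
    return $name;
}

// The folder's current name, defined once. Rename the directory, update this
// constant, and every link built below follows automatically.
define('ADMIN_DIR', 'x7Qp-2vLm9Tz4kRa8eWu1BnC');   // constructed sample value

// Links inside the panel are derived from the constant, never hard-coded.
function adminUrl(string $file): string
{
    return '/' . rawurlencode(ADMIN_DIR) . '/' . rawurlencode($file);
}

// Includes go by filesystem path, so the folder name is not written into the
// rendered HTML (an include() path is never visible after parsing).
// require __DIR__ . '/functions.php';   // hypothetical helper file

// Keep error output off the page so a failing include cannot leak the path;
// send errors to the server log instead of hiding them completely.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Usage inside the panel: echo '<a href="' . adminUrl('q8Wz-edit.php') . '">Edit</a>';
// Run from the command line to print a fresh candidate folder name.
if (PHP_SAPI === 'cli') {
    echo randomFolderName(), PHP_EOL;
}
```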
Step Three: Hiding Your Addresses... Smartly
It's important not to trust anybody with your private folders. Not all malicious damage done to websites is intentional. People browsing around completely innocently can sometimes cause harm without even being aware they're doing so. Limiting access to your private folders to you and you alone will ensure that only you can screw your website up. If you screw your site up, chances are you'll know full well what you did and be able to fix it. Don't link to any private folders, and don't give other people links to them. If you have to give people access to an admin folder so they can edit pages themselves, create a new folder with limited database access. Give them another folder to play around in so that they're not poking about in your private folder and don't know the link to the absolute root of your admin panel. It seems pretty obvious, but it's amazing how many people unintentionally link to their admin pages somewhere a crawler can reach. If a search engine crawler can get there, so can a hacker. Be prudent and link to nobody.
Never Ever Use robots.txt to Block Access
Incredibly, some people use rules in robots.txt to stop search engines browsing to their admin area. This is an incredible piece of stupidity that exposes every page you're trying to keep private. The ironic thing is that search engines usually won't even listen. If your robots.txt contains a rule similar to the following:
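As an added example (not code from the original post) of why this backfires, here is a small audit of what a robots.txt hands out: every Disallow path is readable by anyone who fetches the file. The robots.txt content is constructed, reusing the post's /monk3y900x/ folder name as the "hidden" folder.

```php
<?php
// Added example, not code from the original post: an audit of what a
// robots.txt file gives away. Anyone can fetch /robots.txt, so every
// Disallow path in it is public. Run this over your own file before
// publishing; if your private folder shows up, remove the rule.

// Constructed sample robots.txt, not taken from any real site.
$sample = <<<'ROBOTS'
User-agent: *
Disallow: /cgi-bin/
Disallow: /admin/
Disallow: /monk3y900x/   # the "hidden" folder, now listed for everyone
Allow: /
ROBOTS;

/** Paths disclosed by Disallow rules, with comments stripped. */
function disclosedPaths(string $robotsTxt): array
{
    $paths = [];
    foreach (preg_split('/\R/', $robotsTxt) as $line) {
        $line = trim((string) preg_replace('/#.*$/', '', $line));  // strip comment
        if (preg_match('/^disallow\s*:\s*(\S+)/i', $line, $m)) {
            $paths[] = $m[1];
        }
    }
    return array_values(array_unique($paths));
}

/** True if the private folder (or anything under it) is named in the file. */
function folderExposed(string $robotsTxt, string $folder): bool
{
    $folder = '/' . trim($folder, '/');
    foreach (disclosedPaths($robotsTxt) as $path) {
        if (rtrim($path, '/') === $folder || strpos($path, $folder . '/') === 0) {
            return true;
        }
    }
    return false;
}

foreach (disclosedPaths($sample) as $path) {
    echo "robots.txt discloses: $path\n";
}
echo folderExposed($sample, 'monk3y900x') ? "private folder exposed\n"
                                          : "private folder not listed\n";
```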
Step Four: Be Smart and Fool Hackers
This is my personal favourite step and one I'm very pleased with having thought up. It's a brilliant method of keeping hackers out. We're going to trick them into thinking that our admin login doesn't actually exist. How on earth can we do this? Surely if they find our freakishly long link they'll know they're onto a winner and probe around? Yes, until we do the following:
Setting Up a Red Herring Error Page
Request any page on your website that does not exist. View the source of the error page you get and copy it into a file. Save it as index.html and upload it to your administrator login folder. When somebody tries loading the admin folder, they'll get a copy of the 404 error page your site is running. If somebody is trying a variety of addresses to find your admin login, they'll assume they've stumbled upon another incorrect guess and move along. What they don't know is that they're actually loading index.html and viewing a replica of your 404 error page. We use index.html because this page loads before any other index file present.
Be sure to keep this page up to date with your current 404 error page. Nothing says "I'm hiding something!" more than an out-of-date 404 error page. By keeping it the same as your real 404 error page, you maintain the illusion that they have in fact found a dead folder.
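A variant of the red herring, as an added example that is not the post's own method: a static index.html is served with HTTP status 200 and drifts out of date, whereas this index.php sends a genuine 404 status and includes the site's live 404 template, so it never needs refreshing. The template path /errors/404.php is a placeholder assumption.

```php
<?php
// Added example, not code from the original post: a decoy index for the
// private folder. The post's index.html copy answers with HTTP 200 and has to
// be refreshed by hand; this index.php answers with a genuine 404 status and
// pulls in the site's live 404 template, so it never goes stale.
// Assumptions: the real 404 template lives at /errors/404.php (placeholder
// path), and the actual admin scripts in this folder have random file names,
// so only a request for the bare folder lands here.
// Remove any index.html from the folder, or set DirectoryIndex so index.php
// wins; otherwise the static copy is served instead of this file.

http_response_code(404);              // same status a real missing page sends
header('Content-Type: text/html; charset=UTF-8');
header('Cache-Control: no-store');

$template = $_SERVER['DOCUMENT_ROOT'] . '/errors/404.php';   // placeholder

if (is_file($template)) {
    require $template;                // the live template, not a stale copy
} else {
    // Template moved or missing: still answer 404, still reveal nothing.
    echo '<!DOCTYPE html><html><head><title>404 Not Found</title></head>',
         '<body><h1>Not Found</h1><p>The requested URL was not found.</p>',
         '</body></html>';
}
exit;
```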