Since I have been doing web development, the author has often been tasked with doing security upgrades for other people’s websites. Most of the tasks I have received are for websites built through DreamWeaver CMS. Due to being attacked Cause problems like this. The author below recommends several simple and effective security practices for websites built using DreamWeaver CMS. Your corrections are welcome.
1. Change the prefix wildcard character of the database table
The prefix wildcard mentioned here does not refer to the prefix of the database table name entered during installation, but refers to the "#@_" string in the system source code.
I once saw a lot of code for directly operating the database written in a lot of unknown files on a hacked website. Among them, the operations on the table all contained the "#@_" string. If We have modified the "#@_" string in the source code, so these files with unknown origins will not work.
2. Change the background management directory name
To invade a website, hackers usually use SQL injection to crack the website administrator account and password, then log in to the backend, upload Trojans, obtain webshells, and escalate privileges until they completely control the entire website. If we can modify the name of the administrator table and the name of the website's backend management directory, hackers will not be able to crack the website's administrator account. Even if they obtain the administrator account, they may not be able to log in and give up because they cannot know the website's backend management directory. .
When modifying the administrator table name and background management directory, try not to have the admin or manager keywords, which can greatly increase the difficulty for hackers to crack. It should be noted that after modifying the administrator table name in the database, the corresponding table name in the source code must be modified. There are a total of 27 modifications in Dreamweaver V5.7. You can search for "dede_admin" to replace them, so I won't point them out one by one.
3. Repair database initial connection configuration file
In the data/common.inc.php file of DreamWeaver, the database connection information is recorded, and this information is in clear text and is very unsafe. Here are two ways to make it relatively safer.
(1) Add multiple variables (dozens or even hundreds). Only six of these variables are really effective, and the others are used to confuse the hacker's judgment.
(2) Encrypt data, but this requires webmasters to have certain programming skills. No matter which method is used, corresponding modifications need to be made in the database initialization class, but the first method only needs to change a few variable names, which is relatively simple.
The above three methods can play a very important role in the security of Dreamweaver CMS system, but many webmaster friends have no idea how to improve website security. I hope this article can be helpful to the majority of webmaster friends in their dream weaving website security!
A few other points that need to be noted are:
1. After the installation is complete, delete the member, special, and install folders in the root directory
2. Set uploads, images, data, and templets to be readable, writable, and not executable
3. Set include, plus, and background files (default is dede) to be readable, executable, but not writable
4. Set data/common.inc.php to be read-only
5. Turn off background watermark
6. 404 page settings
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
