How can a website built using DreamWeaver prevent malware from being hacked?

DedeCms, as one of the most widely used CMSs in China, often has vulnerabilities. Every vulnerability has a huge impact, ranging from being hung with advertisements and pop-up boxes, to even causing the server to become a Meat machine, valuable data is lost. So is there any way to improve the security of DedeCms?

Let’s first take a look at the reasons why PHP programs often have loopholes. In fact, it is determined by the PHP program itself.

PHP has low reusability, resulting in a complex program structure and redundant code everywhere. This not only facilitates the generation of vulnerabilities, but also affects the repair of vulnerabilities;

PHP programs are easy to get started with and are generally open source , allowing many people to directly read the code and search for vulnerabilities; in this way, a steady stream of vulnerabilities are discovered, repaired, and discovered...

The current popular PHP system is accustomed to using files as caches, which requires open file write permissions, which undoubtedly becomes the weakness of the PHP system.

The current attack methods against PHP systems, in addition to the "injection" attacks that have rarely appeared, most of the attacks are through a certain vulnerability in the system, inserting a sentence Trojan into a writable file. method to obtain the shell.

Website security has always been a combination of server configuration, file permission control and website programs. Today we will mainly look at how to improve security by improving the DedeCms website program. "Executable files are not allowed to be modified, and writable files are not allowed to be accessed." This is the fundamental principle of website permission control. Website programs can do a lot of work in "writable files are not allowed to be accessed".

Take DedeCMS as an example. We can protect it in the following ways.

1. Rename the data directory under the root directory, or move it outside the website directory.

The data directory is the place where most evil and evil practices are hidden, and the system often needs to go there. Write data in this directory, and any file in this directory can be accessed through URL. Therefore, if you want to prevent the browser from accessing the files inside, you need to rename this directory or move it outside the directory of the website. Even if someone writes a Trojan into a file through a vulnerability, they cannot find the file path where the Trojan is located and cannot continue the attack. Because the DedeCMS program is unreasonable, the action of renaming the data directory will be relatively large. The specific methods are as follows:

a. Migrate the public content to the pub directory (or other custom directories), such as rss, sitemap, js, enum, etc. This step requires moving the folders and modifying the generation paths of these files

b. Modify the referenced program directory

Search and replace "DEDEDATA."/data/" with "DEDEDATA ."/", replace approximately fifty or sixty places;
Search and replace "DEDEDATA.'/data/" with "DEDEDATA.'/", replace approximately fifty or sixty places;
Search for "/data/ ", depending on the specific situation, the modified path is similar to: "$DEDEDATA."/" (note that the include directory and the background management directory both have data folders and do not need to be modified);

c. Modify the data folder name , and modify the value of "DEDEDATA" in the include/common.inc.php file, and then modify the template cache directory in the background system settings "Parameter Settings" to complete the modification. You can also follow this step to change the name of the data folder in the future. .

2. Rename the "dede" management directory and reinforce it

If the background is hidden, even if someone else obtains your administrator account and password, they will There is no way to log in.

In /dede/config.php, find the following line:

The following is the quoted content:

//检验用户登录状态 
 $cuserLogin = new userLogin(); 
if($cuserLogin->getUserID()==-1) 
{ 
     header("location:login.php?gotopage=".urlencode($dedeNowurl)); 
}

Recommended learning: dedecms use Tutorial

The above is the detailed content of How can a website built using DreamWeaver prevent malware from being hacked?. For more information, please follow other related articles on the PHP Chinese website!