This is my first contracted website I am developing; in fact it is about a day's work from completion. I am deeply worried about the security of everything. The worst thing that could happen is that I leave a loophole and the site gets effectively destroyed as a consequence of an error on my part.
So this thread is about identifying security holes and what I could do to stop them before the site goes live. I am not looking for coding; it's more general security information.
My concern now is with the safety and security of the site. It is built on top of a phpBB2 forum, and the website uses the member system in the forum to keep everything integrated. We've also used that forum's user groups to assign people permissions. At the moment I feel this is more secure than trying to write something myself. Because I am using an existing user authentication system which is in the forum, I feel confident that this will likely be OK.
The two key concerns I have are attacks from the inside and attacks from the outside.
The site is for an up-and-coming gaming clan, and my client is adamant that all clan members can post material to the main site. This means that they will have access to the admin panel.
We've limited what they can access; I have also stopped them from being able to edit and delete content on the website. This means that should someone become disgruntled, the worst they could do is post something offensive; they won't have the capacity to modify or erase anything.
I really can't think of a better way to protect against this. If anybody has any thoughts, feel free to recommend something.
When I say outside, I mean by people who have member access and cannot get into the admin panel. I am very confident in the security of the admin panel and see that the only way an unauthorized user could get in is by obtaining the username and password of an existing account with the right privileges.
My principal interest is with forms. Are there any major potential problems I should know about when it comes to putting data into the database? Also, could someone shed some light on what the potential damage could be if I miss something?
I thank you in advance for any help given on this topic.
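An added example (not code from this thread or from phpBB) of the form-to-database step the post above asks about: the submitted text goes into the query only through a prepared-statement placeholder and is escaped again when rendered. The table name site_news, the column names, the session key and the database credentials are assumptions.

```php
<?php
// Added example: save a clan member's form submission with a PDO prepared
// statement, so the submitted text is always treated as data and can never
// become part of the SQL statement itself.
// Assumptions (not from the thread): table `site_news` with columns
// user_id, title, body; the phpBB user id is held in $_SESSION['user_id'].

function savePost(PDO $db, int $userId, string $title, string $body): int
{
    // Server-side checks: the HTML form's limits can be bypassed, so the
    // size and ownership rules must be enforced here.
    if ($userId <= 0) {
        throw new InvalidArgumentException('not logged in');
    }
    if ($title === '' || strlen($title) > 100 || strlen($body) > 10000) {
        throw new InvalidArgumentException('title/body out of range');
    }

    // Do NOT build the query as "INSERT ... VALUES ('" . $title . "')".
    // Named placeholders keep user input out of the query text entirely.
    $stmt = $db->prepare(
        'INSERT INTO site_news (user_id, title, body) VALUES (:uid, :title, :body)'
    );
    $stmt->execute([':uid' => $userId, ':title' => $title, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Output side: escape when rendering so posted text is shown as text,
// not interpreted as HTML by other members' browsers.
function renderText(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Placeholder credentials; use real ones from a config file outside the web root.
$db = new PDO('mysql:host=localhost;dbname=clan;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

session_start();
$userId = (int) ($_SESSION['user_id'] ?? 0); // from the forum session, never from the form
$title  = $_POST['title'] ?? '';
$body   = $_POST['body'] ?? '';

$newId = savePost($db, $userId, $title, $body);
echo 'Saved post #' . $newId . ': ' . renderText($title);
```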
phpBB itself has a reputation for insecurity (potentially unjustified, but there was a string of critical security issues which were widely publicized several months ago). Then again, I do agree that it will probably be more secure than something you (or I) could develop in a short timeframe without a lot of planning. I'm actually reading some books on the topic of web security because it is so important.
Inside attacks: only assign trust to members who deserve it. Nobody but you should be able to access the admin control panel. I trust the moderators here, but there's no way they'll ever get access to the admin CP, because they could accidentally click a wrong link, or if their account gets compromised, the entire website is implicitly compromised.
Outside attacks: .htaccess using mod_user_auth or whatever it's called to protect all instances of the site. With vBulletin, you can change the actual directories of the mod and admin CPs, so if phpBB is able to do that, then do it. Require complex passwords (for example, 8 or more characters, mixed case, numbers, symbols, not dictionary words, and so forth) from the most trusted users.
Bear in mind that the weak point isn't the application, but the system on which it resides. If somebody gets access to your MySQL/PostgreSQL/whatever database, it doesn't matter how secure phpBB is. Turn off any unnecessary services, use very complex passwords, don't allow remote connections to the database, turn off all unnecessary FTP accounts and, if at all possible, require a whitelist of IPs for connecting to FTP, and so forth.