How safe is your website? Did you know some of your hidden files may be visible to the public? Could someone intent on wreaking havoc hijack your site and pose as a banking institution?
These are questions website owners rarely consider, but should. Here are two quick and easy ways to help increase the security of your site and make it less appealing to hackers.
CONSIDERATION # 1 – file list showing in open directory
By default, web servers are set to show a file named “index” when a user browses a directory or folder. If there is no file named “index”, most web servers will show the contents of the directory. This default behavior may open your website up to unwanted viewing.
Consider this – do you store your image files in a folder called graphics or images? You aren’t alone. It is common practice for web designers to keep all of the graphics files in a sub-directory for ease. However, if the web server for that account does not have restrictions on what to display, all files in that directory may be exposed by simply pointing a browser to the URL of that folder.
Now, for an images folder, that may not be critical. But imagine a directory that contains member applications, PDF forms or something else of more importance. Suddenly you can see that there may be significant risk in not securing directories.
Here are two methods you may use to close down your directories and prevent the files from being displayed in folders where no index file exists.
Method #1 – Add a line to your .htaccess file (Unix/Linux)
If you have access to and are familiar with the .htaccess file, this is the best option. Add the following line to your .htaccess file to prevent a directory from showing its contents when no index file exists.
Options -Indexes
When a user attempts to view a directory, they will instead see a blank page or a 404 error, depending on your server settings.
Method #2 – Upload a blank index file
If you are unsure about modifying the .htaccess file and/or you do not have access to it, this is the second best option. It is a bit more tedious, but it is safer than meddling with a file that controls your web server's behavior, where a mistake could break your website. Simply create an HTML file and name it index (.htm or .html). You may leave the content blank or enter something such as “This page intentionally left blank” or another creative message. Upload this file to any folders that do not have an index page. When a user attempts to view the directory, they will instead see this blank page.
CONSIDERATION # 2 – incorrect permissions on file folders
In some instances, you will need to modify the permissions on a directory to allow the server to write to a file or execute a script. Changing file/folder permissions should only be done by someone who understands the settings and the possible consequences of making such changes.
Changing a folder to 777 access permits anyone to read, write and execute that folder. This is a huge security risk. Potential hackers are constantly combing the Internet for folders to exploit. A folder with incorrect permissions may allow hackers to upload fraudulent scripts (most often fake banking pages to collect sensitive data from unaware users).
If you are installing a script that directs you to make changes to your folder permissions, be sure the script is from a dependable source. If you are unsure, get a second opinion or just don’t do it!
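Both considerations can be checked in one pass over a copy of your site's files. The shell script below is an added example, not part of the original article; it assumes shell access to the web root and index files named index.htm or index.html, and the function names and the audit.sh file name are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Usage: sh audit.sh /path/to/webroot
# Assumption: index files are named index.htm or index.html, as in Method #2;
# other names your server may treat as an index (e.g. index.php) are not checked.

# True if the top-level .htaccess already carries "Options -Indexes" (Method #1).
indexes_disabled() {
    [ -f "$1/.htaccess" ] &&
        grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess"
}

# Print every directory under $1 that has no index file (Method #2 not applied).
dirs_without_index() {
    find "$1" -type d | while IFS= read -r d; do
        [ -e "$d/index.html" ] || [ -e "$d/index.htm" ] || printf '%s\n' "$d"
    done
}

# Print files and directories under $1 that anyone may write to.
# Mode 777 is the usual culprit; any "other" write bit is flagged.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002
}

# Human-readable report combining both considerations.
audit() {
    if indexes_disabled "$1"; then
        echo "Directory listing is disabled in $1/.htaccess"
    else
        echo "Directories with no index file (contents may be listed):"
        dirs_without_index "$1" | sed 's/^/  /'
    fi
    echo "World-writable paths (review these permissions):"
    world_writable "$1" | sed 's/^/  /'
}

# Run the report only when a web root is given on the command line.
if [ -n "${1:-}" ]; then
    audit "$1"
fi
```
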

