
Security Issues Notes and Tips

Note: Members who type a wrong password must wait 2 seconds before trying to log in again. Most won't notice this, as humans aren't that quick. The delay is, however, useful in hindering bots that attempt to break into an account by trying billions of randomly generated passwords until they come upon one that works. There's also a limit of 50 wrong password attempts per day, after which the account is locked for the rest of the day. This is sufficient to make dictionary attacks ineffective.
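The throttle described above, as an added example of the logic rather than WSN's own code: a 2 second wait after a wrong password and a lock for the rest of the (UTC) day once 50 wrong attempts have been counted. The in-memory state, the `LoginThrottle` class and the epoch-second clock argument are assumptions for the example.

```python
"""Per-account login throttle: 2 s delay after a wrong password, and a lock for
the rest of the day after 50 wrong attempts. Added example, not WSN's code."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

DELAY_SECONDS = 2.0         # minimum gap after a wrong password
MAX_FAILURES_PER_DAY = 50   # daily cap on wrong passwords


@dataclass
class _Record:
    day: str = ""               # YYYY-MM-DD (UTC) the failure count belongs to
    failures: int = 0           # wrong-password count for that day
    last_failure: float = 0.0   # epoch seconds of the most recent wrong password


@dataclass
class LoginThrottle:
    """State lives in a dict here; a real site keeps it in the database."""
    records: dict = field(default_factory=dict)

    def _rec(self, user: str, now: float) -> _Record:
        rec = self.records.setdefault(user, _Record())
        today = datetime.fromtimestamp(now, timezone.utc).strftime("%Y-%m-%d")
        if rec.day != today:        # a new day resets the daily counter (unlocks)
            rec.day, rec.failures = today, 0
        return rec

    def check(self, user: str, now: float) -> str:
        """'ok', 'wait' (inside the 2 s delay) or 'locked' (daily cap reached)."""
        rec = self._rec(user, now)
        if rec.failures >= MAX_FAILURES_PER_DAY:
            return "locked"
        if rec.failures and now - rec.last_failure < DELAY_SECONDS:
            return "wait"
        return "ok"

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """One login attempt: 'success', 'failed', 'wait' or 'locked'."""
        verdict = self.check(user, now)
        if verdict != "ok":
            return verdict          # refused before the password is even compared
        rec = self._rec(user, now)
        if password_ok:
            return "success"        # the daily count is of wrong passwords only
        rec.failures += 1
        rec.last_failure = now
        return "failed"
```

A refused attempt (`wait` or `locked`) is not counted as a failure, because the password was never checked; only real wrong passwords advance the daily counter.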

Tip: Keep your WSN reasonably up to date; don't run ancient versions. The same applies to any other scripts you're using. There will be security holes from time to time, but they only tend to be exploited on a large scale after they've been fixed for months. Hackers are lazy: the most common way they discover security holes is by doing file comparisons that reveal how a hole has been fixed, or by reading notices on security sites, and then attacking the people still running the pre-fix versions. Unfortunately a large percentage of users never upgrade, and so make themselves prime targets. This doesn't mean you have to update to each new release, but it's a good idea not to run anything more than six months old, and certainly a good idea to heed a security update email when it goes out.

Tip: If you're on a dedicated server you should also keep your PHP version up to date, as PHP often has security holes to fix. If you're on a shared host, your host will take care of this for you.

Tip: Don't put code in your templates which someone gave you unless you understand the code.

Tip: Never give anyone admin access who you don't fully trust. Anyone with admin permissions can delete your website at will.

Tip: Make sure you're periodically downloading backups that your server generates. Simply keeping backups on the server won't help if a hacker is able to delete your account and the backups with it.

Template protection note: If you're worried about someone stealing your templates by grabbing files from your templates directory (or if you put any sensitive data in them for some reason), you can use an .htaccess file to prevent that: http://www.webmastersite.net/forum...emplates_Visible-7252.html . You can also configure Apache to hide .tpl files.