25 Years of Programming Community Forum
Topic: First steps to secure your site after uploading your files to the server
fs_tigre
« on: January 03, 2012, 11:44:23 AM »

Hi,

Let’s pretend for a moment that I just created a new web site (static site with a contact form) uploaded all of my files to the server, what would be the first thing I should do after my files have been uploaded to make the site more secure?

What would be the basics steps to secure my site after uploading all of my files? 

What basic security measures should be taken for every site regardless of the size?

Thanks
SteveW
« Reply #1 on: January 03, 2012, 07:26:31 PM »

In a static HTML site with a contact form, your weak points are your passwords, viruses on your PC, and the contact form. 

The first two are easy: install a good antivirus program on your PC, and only use passwords that are totally random and at least 12 characters long.

The contact form is not easy. It's not static. When someone submits the form, the data is handled by a program of one kind or another, called a "form handler script". Many of the available free form handler scripts have exploitable security weaknesses. 

The most secure workaround is to just put your email address on the page and let people email you. Put spaces or other characters in the email address so spambots don't harvest it and start sending you spam.

The forms handler I recommend is a free Perl script called "NMS FormMail". A configuration guide is at http://25yearsofprogramming.com/blog/2008/20080518.htm .

If that script cannot do all the things you want, then you'll need to find a form handler script that is secure. For each one you consider, check its security history at http://secunia.com/advisories/search/ .

Writing a secure forms handler script yourself isn't easy. At a minimum, read about how to validate user-submitted data at http://25yearsofprogramming.com/blog/2011/20110124.htm, but if you are not already familiar with the issues involved, you'll need to do more reading than that.

These issues are covered by the best practices listed at http://25yearsofprogramming.com/blog/20070705.htm#website-security-precautions which are intended for websites of any size.
fs_tigre
« Reply #2 on: January 04, 2012, 04:45:35 AM »

Thank you for the good information.

So, if I only have a static web site with NO contact form or server scripts, a clean computer, and I’m using a super strong password, could the site somehow be considered secure (I know nothing is 100% secure)?

How about using Javascript (jQuery) for enhancements of the page, can this be considered a security hole?

Thanks a lot for your help!
SteveW
« Reply #3 on: January 04, 2012, 08:48:50 AM »

Quote
So, if I only have a static web site with NO contact form or server scripts, a clean computer, and I’m using a super strong password, could the site somehow be considered secure?
Yes, that is a very secure configuration.

Quote
How about using Javascript (jQuery) for enhancements of the page, can this be considered a security hole?
As I understand it, jQuery is for client-side scripting, and client-side scripting does not create security holes for your website.

However, if you use any client-side script to send XMLHttpRequest requests back to your site, and if the data is handled by a server-side script, then that could be a security hole.

The key point is that any server-side script that receives any data from your users can be a security hole.

As long as your site is configured to only send pages and data out, then it is very secure.
« Last Edit: January 04, 2012, 08:53:22 AM by SteveW »
fs_tigre
« Reply #4 on: January 04, 2012, 09:57:17 AM »

Awesome!

Quote
As long as your site is configured to only send pages and data out, then it is very secure.

So a contact form that doesn't collect any information could be considered safe? In other words, a PHP form that only sends a message to a specified e-mail.

As always thank you for the good information.
SteveW
« Reply #5 on: January 05, 2012, 01:14:18 AM »

I suppose you could create a contact form with just a Submit button and no fields for the user to enter anything, handled by a PHP script that only sends to your email address (hard-coded in the script) a simple message that says "Somebody clicked the Submit button". That would be secure, but the idea made me laugh a little bit because how much use would that be?

If you allow the user to enter anything in a box, even their name and email address, that can be the source of a security hole. And so can any input fields, even "hidden" ones.

Whether it actually is a security hole or not depends on how your PHP script "validates" and uses the data.

--

You could use a somewhat similar method to put your email address on the page but still hide it from most spambots:

You'd create a page that doesn't have your email address on it.
The page could contain a form (with no input fields) that says, "Click here to see email address."
The form should use the HTTP POST method (<form method="post">) so that the page with your email address and the one without it have the exact same URL.

When the user clicks the Submit button, the PHP code in your page would send the same page back to them, with your email address added on it. Thus, most casual spambots (crawlers that harvest email addresses) would never see the page with your email on it.

I just thought of that method, and haven't tested it. I haven't heard of anyone using it.
fs_tigre
« Reply #6 on: January 05, 2012, 01:28:28 PM »

Thanks a lot Steve for your help.

Sorry for the confusion; when I said collecting information I was basically referring to storing data in a database, but the info you just provided is very good and it answers my question, since you basically answered it with a better example.

The reason I brought up the contact form is because I’m currently using Form2Mail, which is a Dreamweaver (not my main editor) extension that basically generates a PHP file containing the necessary code to send the information to a desired e-mail. I started wondering if this code could somehow be used to exploit my site, and that is when I decided to contact the creators of the script (http://www.hotdreamweaver.com/) to ask them how secure the form was, and they responded saying that the form was secure.

This is their response, which sounds very good.

Quote
The Form2Mail script doesn't have any reported vulnerability and it doesn't use critical PHP features.

The form may be used for sending spam, but this doesn't compromise the security of the website files and can be easily avoided by following the instructions in this FAQ entry:

What do you think about this? It doesn't use critical PHP features….

The form may be used for sending spam, but this doesn't compromise the security of the website files

Thanks a lot for your help!
SteveW
« Reply #7 on: January 05, 2012, 11:31:05 PM »

Their reply sounds good to me, too. Generally, I'd have more confidence in the commercial PHP scripts than the free ones.

I don't know for sure that this is the same product, but the name is correct and this security report looks good: http://secunia.com/advisories/product/10399/?task=advisories

Quote
it doesn't use critical PHP features

What they probably meant by this is that it doesn't use functions like system() or passthru() and some others, so that you could disable those in your php.ini for security and their script would still work.

Quote
The form may be used for sending spam, but this doesn't compromise the security of the website files

That's also correct. Most forms can be used to send spam unless you add some sort of CAPTCHA (their FAQ says they have a CAPTCHA extension available).

It is desirable for your email address to be hard-coded in the script (NOT sent as a form field), so that the only person spam can be sent to is you, which is a lot better than if it can be sent to other recipients. Their FAQ shows you how to hard-code your email address in the script. I'd strongly recommend doing that. It is not a good idea to have the recipient email address (i.e. yours) sent as a form field (visible or hidden) because it allows robots to set it to different addresses and send spam to them.

I would recommend that you NOT enable the CC to client feature, because that can be misused to send spam to other people rather than your visitor. That is, they can put any email address in the form (to receive the CC), not necessarily their own.

Just because a form can be misused to send spam doesn't mean that it puts your website files at risk. Misusing a form to send spam is a different thing from "hacking the site".

Pay close attention to their FAQ. The indications are that it seems to be a good script, but you need to be careful configuring it because some of the options could let spammers abuse the form to send a lot of spam.
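A minimal PHP form handler that follows the advice in this reply (recipient hard-coded rather than read from a form field, no CC-to-client, user-supplied data validated before it touches a mail header), added here as an illustration; it is not the Form2Mail script or any code from this thread, and the recipient address and the field names "name", "email" and "message" are assumptions.

```php
<?php
// Added example, not the Form2Mail script: a contact-form handler built around
// the three points made above. Assumed form fields: name, email, message.

// 1. The recipient is hard-coded, never taken from a visible or hidden form
//    field, so the only mailbox this form can ever deliver to is yours.
const RECIPIENT = 'you@example.com'; // placeholder address

// Read one POST field as a trimmed, length-limited string (empty if absent).
function field(string $name, int $maxLen): string {
    $v = $_POST[$name] ?? '';
    return is_string($v) ? trim(substr($v, 0, $maxLen)) : '';
}

function handleContact(): string {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return 'Nothing to do.';
    }
    $name    = field('name', 100);
    $email   = field('email', 254);
    $message = field('message', 4000);

    // 2. Validate user-submitted data before using it. The visitor's address
    //    is placed in a mail header (Reply-To), so it must be a plain address:
    //    FILTER_VALIDATE_EMAIL rejects anything containing CR or LF, which is
    //    what would otherwise let a sender append their own headers (extra
    //    recipients) and turn the form into a spam relay.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Please enter a valid e-mail address.';
    }
    if (preg_match('/[\r\n]/', $name) || $message === '') {
        return 'Invalid input.';
    }

    // 3. No "CC to client" option: the visitor's address only appears in the
    //    body and Reply-To, never as a recipient, so the form cannot be
    //    pointed at somebody else's mailbox.
    $subject = 'Website contact form';
    $body    = "From: $name <$email>\n\n$message";
    $headers = 'From: ' . RECIPIENT . "\r\n" . 'Reply-To: ' . $email . "\r\n";

    return mail(RECIPIENT, $subject, $body, $headers) ? 'Thank you.' : 'Could not send.';
}

echo htmlspecialchars(handleContact(), ENT_QUOTES, 'UTF-8');
```

mail() only delivers if the server has a working sendmail-compatible MTA configured in php.ini; nothing in the handler depends on system() or passthru(), so those functions can stay disabled as described above.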
fs_tigre
« Reply #8 on: January 06, 2012, 03:20:25 AM »

You are AWESOME!

Off topic: How does Secunia work? Do they monitor sites silently? What can Secunia be used for?

I'm not expecting a detailed explanation of how it works, just an overview of how it can be used.

Thanks a lot
SteveW
« Reply #9 on: January 06, 2012, 10:05:43 PM »

Secunia accumulates and publishes information about security vulnerabilities found in software, and they report whether each vulnerability has been patched (fixed) or not.

I don't really know how they receive their information, but they probably monitor the U.S. national vulnerability databases and also receive reports from independent software security researchers.

Whenever you are thinking about installing and using any software, one of your first steps should be to look up its name at Secunia. If there are unpatched vulnerabilities, it's best not to use the software, at least until all the vulnerabilities are fixed. If the software has a long history of leaving vulnerabilities unpatched for long periods of time, it's best not to use the software at all. Any responsible software developer should be expected to fix newly found vulnerabilities promptly.
fs_tigre
« Reply #10 on: January 07, 2012, 08:25:38 AM »

Thanks a lot for your help, I really appreciate it.