WSO Request - Html Website Security - For all you technical geniuses out there ...
I've been meaning to write this request for a while, and another thread on the forum today got me thinking again.
I am about to start running some very simple html-only minisites - just a squeeze page, sales page, the usual terms and disclaimer pages etc. Using ejunkie, paypal, osticket. No contact forms on the site. I made the sites myself in Kompozer using a simple template.
I keep hearing about people's sites getting hacked - and although I know nothing is ever 100% safe - I want to set things up right from the start to lessen my chances of being hacked.
In particular, I don't want bots or other nasties getting onto my sites and silently/invisibly squatting there, infecting customers who visit my site, taking the email addresses they put into my aweber form or osticket, or anything else. This is the kind of thing I could not tell is happening just by visiting my sites & checking to see if they look OK.
There have been lots of useful tips and suggestions here on the Warrior Forum - but what would be really useful is a comprehensive, authoritative instruction manual that covers everything I need to know.
I did start a thread before & people kindly gave me some great tips ... but I keep hearing about new things I should be doing - and I wonder how much I just don't know about because I haven't happened to stumble on it yet!
I don't want to know too much background, but I would love detailed, step-by-step how-to instructions on making my site as hacker-proof as possible.
There are already products out there that deal with securing a wordpress site or blog. But there's a big gap in the market for small html sites run by non-techie people like me.
Here's a list of what I'd like covered in a WSO for securing html sites - something that takes all these kinds of questions, and turns them into a fast, easy, action plan for a non-techie site owner:
- How to make sure all my products for customers such as pdfs, mp3s, software, documents, etc. are totally spyware/virus free before I upload them to ejunkie as products. I have McAfee antivirus, Malwarebytes Anti-Malware, Webroot Spy Sweeper - but is this enough?
- How to make sure all my permissions, folders, users etc are set up correctly - exactly what permissions am I supposed to put on what folders?
- Robots.txt - I have been told to write a robots.txt file telling robots what NOT to look at - a hacker's dream. What should I do instead?
- Should I put a blank index file in each folder? Or modify my .htaccess file in the root directory to disallow auto-indexing? OR make edits to my 404 page that will show up if they go to the index.html?
- Is it possible to set permissions so that perhaps only my IP can make any changes to my html website, period?
- Should I use an ssl certificate on my sites?
- Should I use something like rkhunter or acunetix, and what do I do if they find things?
- What about a right-click stopper like html-protect, does this offer hacker protection? ... what is the best software to protect source code ...
- I understand I should use only ssl when I am doing ftp - what is the best ftp software to do this and what are the settings I should use?
- Exactly what logs and bug reports should I check, how do I do it, and how often?
- What other checks do I need to make on my sites and how can I automate it to take the least amount of time?
- All the other stuff that I should know about, but don't!
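Several items on this list (folder permissions, stopping auto-indexing, and automated checks that catch changes you would never spot by eye) can be handled with one small script. The script below is an added example, not from the original post or from any product it mentions; it assumes an Apache-style host that honours .htaccess, a POSIX shell with find, sha256sum, diff and mktemp, and that the site folder and a baseline file stored outside that folder are passed in as arguments (the paths in the comments are placeholders).

```shell
#!/bin/sh
# Added example: harden a static HTML site directory and keep an integrity
# baseline so silent changes get reported instead of going unnoticed.
# Assumptions: Apache-style host honouring .htaccess; find, sha256sum, diff
# and mktemp available. All paths are placeholders passed as arguments.

# Least-privilege permissions for a static site: directories 755 (traversable,
# only the owner may write), files 644 (readable by the server, never
# executable, never writable by anyone but the owner).
harden_permissions() {
    site="$1"
    find "$site" -type d -exec chmod 755 {} +
    find "$site" -type f -exec chmod 644 {} +
}

# Stop the web server from listing the contents of a folder with no index page.
write_htaccess() {
    site="$1"
    printf 'Options -Indexes\n' > "$site/.htaccess"
}

# Report anything that should not exist on a pure-HTML site: world-writable
# files or folders, and server-side script files (a static site has no reason
# to carry them, so their appearance is a strong warning sign).
find_suspicious() {
    site="$1"
    find "$site" -perm -002
    find "$site" -type f \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' \)
}

# Record a SHA-256 of every file (including .htaccess). Keep the baseline
# OUTSIDE the site folder so it is neither published nor overwritten with it.
baseline() {
    site="$1"; out="$2"
    (cd "$site" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$out"
}

# Rebuild the listing and diff it against the baseline: changed, removed and
# newly added files all show up. Returns 0 when nothing changed, 1 otherwise.
verify() {
    site="$1"; base="$2"
    tmp=$(mktemp)
    baseline "$site" "$tmp"
    if diff "$base" "$tmp" > /dev/null; then
        rm -f "$tmp"
        return 0
    fi
    echo "INTEGRITY DRIFT in $site (< baseline, > current):"
    diff "$base" "$tmp" | grep '^[<>]'
    rm -f "$tmp"
    return 1
}

# Typical use (placeholder paths):
#   harden_permissions /var/www/minisite && write_htaccess /var/www/minisite
#   baseline /var/www/minisite "$HOME/minisite.sha256"   # once, after a clean upload
#   verify   /var/www/minisite "$HOME/minisite.sha256"   # from cron, e.g. daily
```

Re-run `baseline` only after an upload you made yourself; any other drift reported by `verify` (an edited index.html, a new .php file, a missing download) is worth investigating before customers see it, and a scheduled run turns the "what checks and how often" question into a daily e-mail you only need to read when it says something changed.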
If anyone else might like a WSO like this for html-only sites (not Wordpress as that's already covered), maybe add your ideas too?
Thank you!
Just when you think you've got it all figured out, someone changes the rules.