Here we look at some aspects of overall web application security that need to be considered and that are often ignored or forgotten. For your own safety, please read this.
Customers who run simple HTML pages, without MySQL databases and without PHP or ASP code, have far fewer points of failure and potential vulnerabilities.
Outdated Web Application Vulnerabilities
Most customers who install PHP web applications such as online stores (osCommerce, ZenCart), phpBB forums, content management systems like Joomla or Mango, photo albums like Coppermine and blogs like WordPress, among others, forget to update them periodically to the latest versions. This is a serious security flaw. Most of the time nothing happens, but the possibility of being compromised is real.
Most attacks today are web-based, and 95% of attackers take advantage of vulnerabilities in these applications. If your web applications are not updated to the latest versions, your domain is at risk of being compromised.
What patterns does an attacker follow to gain access to a website?
Most attacks are automated: they scan IP ranges and known directories looking for web applications on domains and websites, then launch malicious-code injection attacks that exploit unpatched security holes in those applications.
What can the attacker get?
It depends on the type of attacker. In most cases these are scheduled, scripted automated attacks.
The most common pattern is to compromise the application to some extent and upload files or scripts into some directory of the domain, then use them to send spam or to host illegal content on the site that other users can download.
They can also use your website for fraud, luring customers of other institutions: banks, online trading companies… with the risk of you being blacklisted or sued by these entities, and the damage that could mean for your business image.
How can you protect your web applications?
Update them frequently. Visit the developers' site, download the new versions and install them. This is the simplest and most recommended action in all cases.
For example, if you use the phpBB forum and have run a version without upgrading for more than a year, it is only a matter of time before an attacker attempts to exploit a vulnerability in it. This program is the most targeted of all.
To update the forum, visit the official phpBB website. If you cannot update your application, ask your provider.
Change passwords frequently.
Hide the version of your web application (it is usually shown in the page footer). This makes it harder for an attacker to learn which version you run and which vulnerabilities that version has.
Your application should work with the PHP option safe_mode set to On and the PHP option register_globals set to Off (note that both options were removed in PHP 5.4, so on newer PHP versions they no longer exist).
Avoid directories and web files that are writable by everyone (777). Never leave the installation files writable by everyone once the installation has finished. This is one of the most serious potential security flaws in a web application.
For file uploads in your web applications, make sure the application only allows uploading files with harmless extensions such as mp3 or gif, and verify that they really are such files. Do not allow files such as .php to be uploaded.
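As an added example (not code from the original article), the following POSIX shell script audits a web root for the two problems just described: anything writable by everyone, and uploads whose contents do not match the harmless extension they carry. The httpdocs/uploads layout and the gif/mp3 allowlist are assumptions.

```shell
# Added example, not from the original article: audit a web root for files or
# directories writable by everyone (777) and for uploads whose contents do not
# match their extension. Layout (httpdocs/uploads) and allowlist are assumptions.

# Print every file or directory under $1 that is writable by everyone.
find_world_writable() {
    find "$1" -perm -0002 -print 2>/dev/null | sort
}

# First $2 bytes of file $1 as lowercase hex with no separators.
head_hex() {
    od -An -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Succeed only if the file's leading bytes match its extension.
magic_matches() {
    case "$(printf '%s' "$1" | sed 's/.*\.//' | tr 'A-Z' 'a-z')" in
        gif) case "$(head_hex "$1" 6)" in
                 474946383761|474946383961) return 0 ;;  # GIF87a / GIF89a
             esac ;;
        mp3) case "$(head_hex "$1" 3)" in
                 494433) return 0 ;;                      # ID3v2 tag
                 ff[ef]*) return 0 ;;                     # raw MPEG frame sync
             esac ;;
    esac
    return 1
}

# Report uploads that are not on the allowlist (DISALLOWED) or whose
# contents betray their extension (MISMATCH), e.g. PHP code saved as .gif.
find_suspicious_uploads() {
    find "$1" -type f | sort | while IFS= read -r f; do
        case "$f" in
            *.[gG][iI][fF]|*.[mM][pP]3) magic_matches "$f" || echo "MISMATCH $f" ;;
            *) echo "DISALLOWED $f" ;;
        esac
    done
}

# Build a constructed web root for demonstration and print its path.
make_fixture() {
    root=$(mktemp -d) && mkdir -p "$root/httpdocs/uploads" "$root/httpdocs/tmp"
    printf 'GIF89a\001\000\001\000' > "$root/httpdocs/uploads/photo.gif"
    printf 'ID3\003\000\000' > "$root/httpdocs/uploads/song.mp3"
    printf '<?php echo 1; ?>' > "$root/httpdocs/uploads/disguised.gif"
    printf '<?php echo 1; ?>' > "$root/httpdocs/uploads/shell.php"
    chmod -R u=rwX,go=rX "$root"        # sane default: nothing world-writable
    chmod 777 "$root/httpdocs/tmp"      # the mistake the audit should flag
    echo "$root"
}
```

Run `find_world_writable /path/to/httpdocs` and `find_suspicious_uploads /path/to/httpdocs/uploads` against a real web root; `make_fixture` only builds the constructed sample tree.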
You can place an .htaccess file with restrictive rules in the root of httpdocs to fortify the security of your site.
We recommend having application security experts conduct security audits of your application's code.
Web hosting companies protect their customers' security at various layers and levels: physical and logical security, kernel-level protections, hardware and software firewalls, up to the level of services like Apache and programming environments such as PHP. In the specific area of web applications, however, they cannot individually protect applications that are not updated to recent versions. What they can do is actively use modules like mod_security to defend against common attacks, with general rules and rules specific to particular applications obtained from sites like http://gotroot.com.
You can also use additional preventive tools such as the OSSEC intrusion detection system and restricted PHP operating environments such as suPHP or phpsuexec. On shared servers it is harder to define general policies for the PHP environment of all users because of customers' differing requirements. If you want more direct control over policies and environments, I would recommend always using a dedicated server.
Paul Lopez, a technology writer and sales & marketing executive at bodHOST.com, a cloud & dedicated server hosting company based in New Jersey.