در ام پی فور عضو شوید برای ثبت دیدگاه، اشتراک کانال ها و ویدیوها.
سرویس کودک
پیشتازمووی
Published on Jul 25, 2015
A quick video about basic Linux security. We'll be covering basic web hosting security: the most common misconfigurations and security holes (from a System Administrator's perspective) in WordPress sites.
These security tips apply to Joomla, Magento, and other content management systems as well. I'll show you how to fix the most glaring issues, which prevent a huge percentage of the security compromises I see every day.
# Core Application
incorrect file/dir permissions
-777 -- should be 775 for dirs, 644 for files except in SPECIAL cases
http://stackoverflow.com/questions/37...
http://serverfault.com/questions/3571...
running sites as root
-dave:www-data instead -- group (web server) has read, OWNER IS THE ONLY ONE WHO CAN WRITE
shared PHP/user between sites
-most hosting companies use shared hosting
-if you have one site or 23 sites, they're all running under ONE user and ONE PHP process.
-one infected site means that everything is at risk, since that site can write to other sites (and thereby cross-infect them)
web user has a shell (instead of /bin/false)
-grep www /etc/passwd -- /sbin/nologin good, /bin/bash == BAAAD
ssh with passwd login, root login enabled
-no root login from iNet.
-no password based logins. Period.
weak FTP/hosting/DNS passwords
-hosting companies that expose FTP -- scary
# Administration
people don't update their CMS installations and plugins
people run huge amounts of plugins
# 3rd-party
badly engineered plugins/themes/etc.
vulnerable 'custom' code -- uploaders with no authentication, etc.
malvertising
