stoneage Posted February 7, 2005

I want to stay at TCH. I like it here because

1) TCH puts so much emphasis on security and good service.
2) TCH is reasonable. If a customer has a problem he/she is explained the issue and ample advice is given on how to proceed in solving the issue.

My problem is that I cannot satisfy the requirement of having _always the very latest official_ version of any script.

This is how I try to deal with security:

I try to choose the most secure script to start with. Some developers put more emphasis on security than others. Some forks are based on improved security. And some new scripts are built with security in mind from step one. They might not be the most popular ones - this increases security too.

I do not use the scripts provided with cPanel. I personally believe that when PHP-Nuke is included then security is not at the highest level. It has an awful security record. It is very popular and thus included. - I do not want to spend days fixing a hacked site just because it is supported by cPanel. I hope I am not penalized for trying to use more secure 3rd party scripts.

I make some standard security enhancements to scripts. If the script is non-standard then some standard exploits may not apply. A hacker can find easier ones to attack.

I modify some meta tags and other identifiers within the confines of copyright. Many exploits apply to a given version of a script. The hacker may find the targets with a careful Google search phrase. My sites cannot be found in such a standard way. It is not 100% safe but I hope to avoid the first wave of random attacks with new exploits. To gain a few extra days to patch the script is just what I need. - A site based on cPanel included script is really visible and thus vulnerable.

----

Because of the many security and nonsecurity related modifications I find it hard to update scripts immediately. It is in my interests to update but to avoid excessive workload I may occasionally have to step over an update. - There is no such thing as 100% security on the internet. Eventually one of my sites will fall victim - but I am doing my best to postpone it as much as I can.

There are many ways to take security seriously. Having the most up to date version of the script is just one of them. What I outlined above is another. And there are others still. - If I got it right, the second TCH email (on need to update 3rd party scripts) may allow for this diversity. Some of us may not have the luxury of instant updates. Then we need something else instead.

Any general security tips you are willing to share?

Ayman Posted February 7, 2005

Comment on PHP-Nuke: If you want a PHP/MySQL community website, I highly suggest Drupal (http://www.drupal.org).

If you really want to run PHP-Nuke for some reason, consider that: the system is a mess, and it's full of security holes, the only pro over Drupal is that it's easier to use, and then download PHP-Nuke from the official site (http://www.phpnuke.org) and apply security fixes and patches from NukeFixes (http://www.nukefixes.com), finally, protect the admin.php page with Apache's basic auth. Make sure to update to the latest versions of PHP-Nuke and NukeFixes patches as soon as they are out.

Hope this helps
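
The basic-auth protection for admin.php suggested in the post above, written out as an added example that is not part of the original thread: an `.htaccess` fragment for the directory that holds admin.php. The realm name and the password-file path are placeholders (assumptions), and the host must allow `AuthConfig` overrides in `.htaccess`.

```apache
# .htaccess in the directory that contains admin.php (added example,
# not from the thread). Assumes the host sets AllowOverride AuthConfig.

# Ask for credentials only on the admin entry point; the public pages
# served from the same directory stay reachable without a prompt.
<Files "admin.php">
    AuthType Basic

    # Realm text shown in the browser's login prompt (placeholder).
    AuthName "Site administration"

    # Placeholder path. Keep the password file outside the document
    # root so it can never be fetched over HTTP.
    AuthUserFile /home/USERNAME/.htpasswds/admin.passwd

    # Any user listed in the password file may pass; the script's own
    # admin login still applies afterwards as a second check.
    Require valid-user
</Files>
```

The password file is created with Apache's `htpasswd` utility (`htpasswd -c` followed by the file path and a user name). Basic auth sends the password only base64-encoded on every request, so the admin page should be reached over HTTPS.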

stoneage Posted February 7, 2005

Drupal is on my short list for a new CMS. I have never used PHP-Nuke and hope I never will.

I will have to strengthen my admin.php files. Thanks Ayman for this tip. This is a good one.

TCH-Don Posted February 7, 2005

Drupal is very easy to setup I think I like it