Three recommended methods to enhance the security of DreamWeaver CMS

Home

Backend Development

PHP Tutorial

Three recommended methods to enhance the security of DreamWeaver CMS_PHP Tutorial

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jul 13, 2016 am 10:31 AM

strengthensafetydreamweavercms

Since I have been doing web development, the author has often been tasked with doing security upgrades for other people’s websites. Most of the tasks I have received are for websites built through DreamWeaver CMS. Due to being attacked Cause problems like this. The author below recommends several simple and effective security practices for websites built using DreamWeaver CMS. Your corrections are welcome.

1. Change the prefix wildcard character of the database table

The prefix wildcard mentioned here does not refer to the prefix of the database table name entered during installation, but refers to the "#@_" string in the system source code.

I once saw a lot of code for directly operating the database written in a lot of unknown files on a hacked website. Among them, the operations on the table all contained the "#@_" string. If We have modified the "#@_" string in the source code, so these files with unknown origins will not work.

2. Change the background management directory name

To invade a website, hackers usually use SQL injection to crack the website administrator account and password, then log in to the backend, upload Trojans, obtain webshells, and escalate privileges until they completely control the entire website. If we can modify the name of the administrator table and the name of the website's backend management directory, hackers will not be able to crack the website's administrator account. Even if they obtain the administrator account, they may not be able to log in and give up because they cannot know the website's backend management directory. .

When modifying the administrator table name and background management directory, try not to have the admin or manager keywords, which can greatly increase the difficulty for hackers to crack. It should be noted that after modifying the administrator table name in the database, the corresponding table name in the source code must be modified. There are a total of 27 modifications in Dreamweaver V5.7. You can search for "dede_admin" to replace them, so I won't point them out one by one.

3. Repair database initial connection configuration file

In the data/common.inc.php file of DreamWeaver, the database connection information is recorded, and this information is in clear text and is very unsafe. Here are two ways to make it relatively safer.

(1) Add multiple variables (dozens or even hundreds). Only six of these variables are really effective, and the others are used to confuse the hacker's judgment.

(2) Encrypt data, but this requires webmasters to have certain programming skills. No matter which method is used, corresponding modifications need to be made in the database initialization class, but the first method only needs to change a few variable names, which is relatively simple.

The above three methods can play a very important role in the security of Dreamweaver CMS system, but many webmaster friends have no idea how to improve website security. I hope this article can be helpful to the majority of webmaster friends in their dream weaving website security!

A few other points that need to be noted are:

1. After the installation is complete, delete the member, special, and install folders in the root directory
2. Set uploads, images, data, and templets to be readable, writable, and not executable
3. Set include, plus, and background files (default is dede) to be readable, executable, but not writable
4. Set data/common.inc.php to be read-only
5. Turn off background watermark
6. 404 page settings

Articles you may be interested in

DedeCMS (Dreamweaver) website server directory security setting experience sharing
How to enhance Linux and Unix servers System Security
PHP object-oriented introductory tutorial recommended
PHP determines the safest and most realistic solution for uploading file types
Upload FILETYPE NOT ALLOW error occurs when dedeCMS uploads images Solution
How to use constants defined by define in the program in smarty templates
How to remove ads on dedeCMS background login page
Javascript string encoding functions escape, encodeURI , encodeURIComponent comparison and analysis

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

What is the difference between absolute and idle session timeouts?May 03, 2025 am 12:21 AM

Absolute session timeout starts at the time of session creation, while an idle session timeout starts at the time of user's no operation. Absolute session timeout is suitable for scenarios where strict control of the session life cycle is required, such as financial applications; idle session timeout is suitable for applications that want users to keep their session active for a long time, such as social media.

What steps would you take if sessions aren't working on your server?May 03, 2025 am 12:19 AM

The server session failure can be solved through the following steps: 1. Check the server configuration to ensure that the session is set correctly. 2. Verify client cookies, confirm that the browser supports it and send it correctly. 3. Check session storage services, such as Redis, to ensure that they are running normally. 4. Review the application code to ensure the correct session logic. Through these steps, conversation problems can be effectively diagnosed and repaired and user experience can be improved.

What is the significance of the session_start() function?May 03, 2025 am 12:18 AM

session_start()iscrucialinPHPformanagingusersessions.1)Itinitiatesanewsessionifnoneexists,2)resumesanexistingsession,and3)setsasessioncookieforcontinuityacrossrequests,enablingapplicationslikeuserauthenticationandpersonalizedcontent.

What is the importance of setting the httponly flag for session cookies?May 03, 2025 am 12:10 AM

Setting the httponly flag is crucial for session cookies because it can effectively prevent XSS attacks and protect user session information. Specifically, 1) the httponly flag prevents JavaScript from accessing cookies, 2) the flag can be set through setcookies and make_response in PHP and Flask, 3) Although it cannot be prevented from all attacks, it should be part of the overall security policy.

What problem do PHP sessions solve in web development?May 03, 2025 am 12:02 AM

PHPsessionssolvetheproblemofmaintainingstateacrossmultipleHTTPrequestsbystoringdataontheserverandassociatingitwithauniquesessionID.1)Theystoredataserver-side,typicallyinfilesordatabases,anduseasessionIDstoredinacookietoretrievedata.2)Sessionsenhances

What data can be stored in a PHP session?May 02, 2025 am 12:17 AM

PHPsessionscanstorestrings,numbers,arrays,andobjects.1.Strings:textdatalikeusernames.2.Numbers:integersorfloatsforcounters.3.Arrays:listslikeshoppingcarts.4.Objects:complexstructuresthatareserialized.

How do you start a PHP session?May 02, 2025 am 12:16 AM

TostartaPHPsession,usesession_start()atthescript'sbeginning.1)Placeitbeforeanyoutputtosetthesessioncookie.2)Usesessionsforuserdatalikeloginstatusorshoppingcarts.3)RegeneratesessionIDstopreventfixationattacks.4)Considerusingadatabaseforsessionstoragei

What is session regeneration, and how does it improve security?May 02, 2025 am 12:15 AM

Session regeneration refers to generating a new session ID and invalidating the old ID when the user performs sensitive operations in case of session fixed attacks. The implementation steps include: 1. Detect sensitive operations, 2. Generate new session ID, 3. Destroy old session ID, 4. Update user-side session information.

See all articles