How to modify DEDECMS to prevent website malware

How to modify DEDECMS to prevent the website from hanging?

Simple modification of DEDECMS to prevent website malware

Website security is the cooperation of server configuration, file permission control and website program. If you want to DedeCms website program modifications to improve security. "Executable files are not allowed to be modified, and writable files are not allowed to be accessed." This is the fundamental principle of website permission control. Website programs can do a lot of work in "writable files are not allowed to be accessed". We can protect it in the following ways:

Recommended learning: dedecms tutorial

1. Rename the data directory under the root directory, or move it outside the website directory

The data directory is the most sheltered place. The system often writes data to this directory. Any file in this directory can be accessed through URL, so it should be made inaccessible to the browser. The files inside need to be renamed or moved outside the directory of the website. Even if someone writes a Trojan into a file through a vulnerability, they cannot find the file path where the Trojan is located and cannot continue the attack. Because the DedeCMS program is unreasonable, the action of renaming the data directory will be relatively large. The specific methods are as follows:

a. Migrate the public content to the pub directory (or other custom directories), such as rss, sitemap, js, enum, etc. This step requires moving the folders and modifying the generation paths of these files

b. Modify the referenced program directory

c. Modify the name of the data folder and modify include/common The value of "DEDEDATA" in the .inc.php file can be modified by modifying the template cache directory in the background system settings > parameter settings. You can also follow this step to change the data folder name in the future.

2. Rename the "dede" management directory and reinforce it

If you hide the backend, even if someone else obtains your administrator account and password, they will not be able to log in.

a. In /dede/config.php, find the following line:

//检验用户登录状态 
$cuserLogin = new userLogin(); 
if($cuserLogin->getUserID()==-1) 
{ 
header("location:login.php?gotopage=".urlencode($dedeNowurl)); 
}

Change the above code to:

//检验用户登录状态 
$cuserLogin = new userLogin(); 
if($cuserLogin->getUserID()==-1) 
{ 
//header("location:login.php?gotopage=".urlencode($dedeNowurl)); 
header("HTTP/1.0 404 Not Found"); 
exit(); 
}

b. Modify /dede/login. php file name, and correspondingly modify the form submission address in /dede/templets/login.htm;

c. Modify the directory name of /dede/;

In this way, others will not Before logging in, you can only access the renamed address of /dede/login.php. Accessing other addresses will result in a 404 error.

Of course, after security hardening is done, there will be some trouble in upgrading DedeCMS in the future.

The above is the detailed content of How to modify DEDECMS to prevent website malware. For more information, please follow other related articles on the PHP Chinese website!