How to optimize the security issues of DedeCms

How to optimize the security issues of DedeCms?

Many novice users will inevitably encounter the phenomenon of horse poisoning when using the DreamWeaver CMS program, so we must do preventive backups for the security of the website and server in advance.

Recommended study: 梦Weavercms

As the largest open source free CMS program in China, Dreamweaver is undoubtedly the subject of many HACK studies. In the inherently unsafe Internet, In this environment, it is easier to be tricked. DEDE officials have stopped upgrading the system a long time ago. Security is not only the program itself, but also requires us to do daily backups and server security precautions;

Okay, without further ado, here are some commonly used solutions:

Step one: After installing Dreamweaver CMS, remember to delete the install folder.

Second step: When logging in to the background, you must enable the verification code function (or write a security mechanism by yourself), delete the default administrator admin, and change it to a dedicated, more complex account of your own. The administrator password must be certain. It should be long, at least 8 characters, and have a mix of letters and numbers.

The third step: Change the default directory name dede for dedecms background management, and change it to something that is difficult to guess and irregular (change it from time to time).

Step 4: Turn off (or eliminate/delete) all unused functions, such as members, comments, etc. If there is no need, turn them all off in the background.

Member function is turned off: Backstage--System--Basic System Parameters--Member Settings--Whether to enable the membership function (Yes)

Member verification code is turned on: Backstage--System--System Basic parameters--interaction settings--whether to use verification code for member submissions (yes)

Member verification code is turned on: backend--system--basic system parameters--interaction settings--whether to prohibit all comments (yes)

Step 5: (1) The following are directories/functions that can be deleted (if you don’t use them):

Member membership function [Member directory, not required for general enterprise sites]

special Special topic function [Special topic function]

tags.php Tag

a Folder

(2) Management directory The following are files that can be deleted:

These files in the management directory are background file managers, which are redundant functions and most affect security. Many HACKs are mounted through them

dede/file_manage_control.php [Mail Send】

dede/file_manage_main.php 【Send by email】

dede/file_manage_view.php 【Send by email】

dede/media_add.php 【Video control file】

dede/media_edit.php [Video control file]

dede/media_main.php [Video control file]

dede/spec_add.php, spec_edit.php [Topic management]

dede/file_xx.php series of files and tpl.php [File manager, great security risks]

(3)plus the following files can be deleted:

Delete: plus/guestbook folder [Message board, we will install a more suitable guestbook plug-in later];

Delete: plus/task folder and task.php [Scheduled task control file]

Delete: plus/ad_js.php [Advertisement]

Delete: plus/bookfeedback.php and bookfeedback_js.php [Book review and review calling files, there are injection vulnerabilities, unsafe]

Delete: plus/bshare.php [Share to plug-in]

Delete: plus/car.php, posttocar.php and carbuyaction.php [Shopping cart]

Delete: plus/comments_frame.php [Calling comments, there is a security vulnerability]

Delete: plus/digg_ajax.php and digg_frame.php [Downvote]

Delete: plus/download.php and disdls.php [Downloads and times Statistics】

Delete: plus/erraddsave.php【Error correction】

Delete: plus/feedback.php, feedback_ajax.php, feedback_js.php【Comments】

Delete : plus/guestbook.php [Message]

Delete: plus/stow.php [Content Collection]

Delete: plus/vote.php [Vote]

More : Delete the dede/sys_sql_query.php file if you do not need the SQL command runner.

Step 6: Pay more attention to the security patches officially released by dedecms and apply them in time.

Step 7: Download the publishing function (soft__xxx_xxx.php in the management directory), you can delete it if you don’t use it. This is also easier to upload Xiaoma.

Step 8: You can download the first Third-party protection plug-ins, such as: "Dreamweaver CMS Security Pack" produced by 360, "DedeCMS Stubborn Trojan Backdoor Killer" produced by Baidu's Security Alliance;

Step 9: (Optional) The safest way : Publish html locally and then upload it to the space. It does not contain any dynamic content files and is the safest in theory, but maintenance is relatively troublesome.

Supplement: You still have to check your website frequently. Being linked to a black link is a trivial matter, but being linked to a Trojan horse or deleting a program is very miserable. If you are unlucky, your ranking will also drop. So remember to always back up your data! ! !

Extended reading: Illustration of data backup steps on the DreamWeaver website

So far, the malicious script files we have discovered are

plus/90sec.php
plus/ac.php 
plus/config_s.php 
plus/config_bak.php 
plus/diy.php 
plus/ii.php 
plus/lndex.php 
data/cache/t.php 
data/cache/x.php 
data/config.php 
data/cache/config_user.php 
data/config_func.php

Most of the uploaded scripts are concentrated in the three directories of plus, data, and data/cache. Please carefully check whether there have been files uploaded recently in the three directories. As for the server, if it is a WIN series server, it can be installed securely. Dog and other related protective tools;

The above is the detailed content of How to optimize the security issues of DedeCms. For more information, please follow other related articles on the PHP Chinese website!