Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
I
I
Ilya T.2016-10-13 09:33:54
linux
Ilya T., 2016-10-13 09:33:54

Are there universal ways to secure php sites?

Sometimes I help my friends host some php site (most often wordpress, but there are options up to magento).
To do this, I collect a standard LAMP stack like:
Apache2 + PHP 5.x + ModPHP + Mod security with standard configs
I am very far from the CMS used themselves and would not want to go into it.
Despite all the explanatory work, these sites often break - most often through some holey shit plugin that friends install themselves.
Friends are crying, I restore everything from backups, delete the leaky plugin and after a while the story repeats with another plugin.
Question: what are the ways to secure such sites at the level of the OS and the system software used (not by means of CMS). I understand that there is no silver bullet, but perhaps there are ways to reduce the risks?
PS: Technical solutions are of interest. Administrative I can think of myself.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

4 answer(s)
Report
S
Sanes, 2016-10-13
@Sanes

Prevent friends from installing plugins.

Report
S
Saboteur, 2016-10-13
@saboteur_kiev

Either automate the restoration of sites from a backup so that your friends have a button, and you will forget about this hemorrhoid, or take money for each restoration.

Report
A
Alexander Taratin, 2016-10-13
@Taraflex

https://sitecoder.blogspot.ru/2016/05/website-prot...

Report
V
Vitaly, 2016-10-13
@Wohlstand

Mandatory:
* Install and configure SUExec, and it is desirable to configure it so that the site folder (for example, "Public_HTML" or "www", or site1 / www, site2.www, etc.) is in the hamster of the beast (it will be more convenient to climb through SFTP)
* Each beast must have its own UNIX account and reg on the MySQL server (one or more databases for each)
* It is advisable to build php from sources and run it via CGI (SUExec only works on CGI), you can assign INI files to users individually (for example, enable/disable certain modules)
As for the CMS themselves, using OS tools, you can only assign the owner to the root and make the regular CMS files read-only. Thus, no one will be able to change the files of the CMS itself, but it’s good to use it. Only one negative: the ability to auto-update is lost, root is required to replace such files. On the MySQL side, it will not save you from a crash if one of the plugins clumsily tries to change one of the existing tables (thus ruining it), and not add a new one for itself.

Similar questions
M
medianoche2015-07-04 03:34:27
How to record tutoring? 8Reply
H
hloya_ram2019-11-17 12:04:54
How does Reading Mode work in Safari and Firefox browsers? 2Reply
M
Mark Rosenthal2015-03-26 10:18:35
How to remove graphical login from ubuntu? 5Reply
D
Dmitry2021-03-18 21:21:00
How to approach the Errno::ECONNREFUSED (Connection refused - connect(2) for "example.com" port 25) error? 2Reply
A
Anton Kurilov2017-03-29 14:45:37
Why don't wget / ping / nslookup work? 3Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question