We know that once there is a big security threat to the website, it may cause great losses to webmasters, such as important data being deleted, users and other related data being stolen, website servers being DDOS (distributed attacks, servers launching evil attacks on other hosts on the network in a short time) The website can not run normally, resulting in business suspension and economic losses.
After the website is completed, there will always be many problems, big or small, which cannot be put aside once and for all. Among them, it is particularly necessary to pay attention to the possible security problems. We often see websites of various sizes at home and abroad being invaded, their home pages being tampered with, or their websites being attacked, resulting in several hours of abnormal access.
Therefore, for the majority of webmasters, security is a big problem that cannot be ignored. Mastering the necessary security knowledge of website construction and website maintenance can not completely avoid the occurrence of security accidents, but at least minimize the risk of website security.
Now there are many webmasters who want to save money and convenience. They use some open source website building systems without any security guarantee to build their own websites. Today, with the popularity of cloud services and virtual host services, and the convenience of domain name registration, more and more open source website building systems appear. Although this has brought some convenience to the webmaster in building the website, the security risks it has are indeed unavoidable.
Open source website building system has hidden dangers, which should be carefully selected
Now there are many open source website building systems on the market, including SNS (social network system), online store system, enterprise website building system, etc. Although these open source projects are free for users to use, the open source system is not absolutely safe, especially many vulnerabilities have been exposed. Novice hackers can use a very simple method to complete the invasion.
The account information related to the website should be strict
In addition, in the process of website maintenance, the account information of the website must not be taken lightly. At present, many websites, whether users of member centers log in or administrators log in, often do not do a good job of account security. For example, many websites do not check the number of account numbers and passwords when they register as members. The verification code, a basic measure to prevent duplicate registration, has not been done. Such accounts can be easily cracked, and users can be registered in large quantities by writing a registration program. The website has no security at all.
In addition, as an important background login portal of the website, it is recommended not to expose the link to the Internet, and not to place the link to manage the background on the relevant page of the website. At the same time, it is necessary to place the login link from the crawler of the search engine to the background management (it can be set using the robots file). Another important thing that many websites fail to do is to transmit user names and passwords in clear text at the login portal of the website. This simple http transmission is easy to intercept, so conditional websites can use https encryption at the login portal of the account.
Be careful when uploading website files
During the maintenance of the website after completion, some webmaster friends will connect to the file directory of the website server through ftp or ssh and upload the modified source code files. Here, the uploading of relevant files on the website is also easy to cause problems. Some programmers often add new files when modifying code, and the most likely problem is the js file. Because once the js file is embedded in the web page, it will be allowed directly. If these js are not carefully checked, they may contain some dangerous code. For example, when the web page allows js, the information on the server will be deleted or the data will be transferred to the remote host, which will bring huge losses to the website. Therefore, when uploading files related to the website, it is necessary to check the security of the file, and check such files as js, executable exe, and executable script. sh to prevent malicious files from being uploaded to the server directory of the website.
Pay attention to website server security
The website server security can be said to be the responsibility of the website operation and maintenance personnel, but many websites have no one to do server security maintenance, but some related server security settings must be done well. Including the server's firewall needs to be opened normally, the server's login account and password strength must be done well, and the server's fault alarm reminder. The server's fault alarm refers to that when the server fails, the webmaster needs to be able to receive the alarm reminder in a short time, so that the website can be recovered as soon as possible in a short time when the website fails.
Set relevant access record functions
The access log of the website can be viewed in the background of the server and website. The server log can be viewed in the relevant log files of the WEB server, such as Apache, tomcat, etc; It is recommended to set up the relevant access recording function in the background of the website, so that when the website has security problems, the causes can be found more quickly. For example, you can record the IP source, number of visits, stay time, and pages visited by users in the background of the website.
Use the open source website building system with caution. After the website is completed, it is also necessary to strengthen the security precautions, and do a good job in the security maintenance and prevention of the website in daily work. For each user, it is necessary to keep in mind at all times.
Information source of this website: Shangpin China professional website construction
.jpg)
