Technical Support Forums

Security questions before going live.

Thread began 2/07/2012 2:54 pm by bill3786 | Last modified 2/17/2012 2:39 pm by Jason Byrnes | 2271 views | 24 replies |

bill3786

The client has purchased a new business hosting with 1&1 and we are getting ready to upload to the site using the 1&1 supplied subdomain for testing on a live server before going live with the client's domain name. Any problems with this approach?

So now looking at security issues, which raised a few questions.

1. Any advice on using .htaccess and robots.txt files

2. Which is the most secure way of limiting access to the backend? For convenience, the backend has been accessed by a menu selection while on the local testing server. Is it ok to leave the backend menu selection visible and securely password protect it, or to delete it from the menu and have some other means of accessing the backend? If so, what is best?

3. Is it worthwhile limiting the backend access to the client's static IP address?

4. Which is the most secure way to control access to the site database through phpMyAdmin?

Jason Byrnes (WebAssist)

  1. Any advice on using .htaccess and robots.txt files  

Regarding the .htaccess file, that is a very broad question. The .htaccess file is used to configure various aspects of your Apache server configuration.
See this page for details on the .htaccess file:

See this site for details on the robots.txt file:
www.robotstxt.org/

  2. Which is the most secure way of limiting access to the backend? For convenience, the backend has been accessed by a menu selection while on the local testing server. Is it ok to leave the backend menu selection visible and securely password protect it, or to delete it from the menu and have some other means of accessing the backend? If so, what is best?  

The most secure way of limiting access to the backend is to not have any links pointing to the backend in your site. Instead, have your client bookmark the address of the login page, and contain any links in password protected areas of the site.

  3. Is it worthwhile limiting the backend access to the client's static IP address?  

That's up to you, but if you do this, the client will only be able to access the admin using the one computer.

  4. Which is the most secure way to control access to the site database through phpMyAdmin?  

The host will handle securing the site database. This is not something you have to worry about, nor can it be done through phpMyAdmin.

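To illustrate what the IP restriction from question 3 looks like in practice, here is an added .htaccess example that is not from this thread or from WebAssist. It assumes Apache 2.4 directive syntax, that the file lives in the admin directory, a placeholder password-file path and a placeholder client address; it combines HTTP basic auth with the single-address restriction so that both must pass.

```apacheconf
# Added example (not from the thread or from WebAssist): protect the admin
# directory with HTTP basic auth AND restrict it to the client's static IP.
# Assumes Apache 2.4 syntax and that this file is /admin/.htaccess.

AuthType Basic
AuthName "Site administration"
# Assumed path: keep the password file outside the web root so it is never served.
AuthUserFile /home/example/.htpasswd

# Both conditions must hold: valid credentials and the client's fixed address.
# 203.0.113.10 is a documentation placeholder; substitute the real static IP.
<RequireAll>
    Require valid-user
    Require ip 203.0.113.10
</RequireAll>
```

As Jason notes above, the `Require ip` line ties admin access to that one connection; if the client ever needs to log in from elsewhere, remove that line and rely on the credential check alone.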
bill3786

Thanks Jason, will look into it all now. Is there a link missing for details on the htaccess file?

Also, do you have any comments on using the 1&1 supplied subdomain for live testing? 1&1 don't have a testing server facility but suggested uploading the site under the subdomain during testing before transferring the domain name to 1&1.

The client's existing old site is not hosted with 1&1 and their domain name is registered elsewhere.

Can you see any problems with this?

Jason Byrnes (WebAssist)

The htaccess info link I meant to post was:
htaccess.html

No, I don't see any problems using a sub domain.

bill3786

Do you have any preferred or recommended method of password protecting the admin folder? A choice between htaccess and a Security Assist generated login system?

If SA login system is preferred which pages are required, obviously login & logout but any others?

I presume that only a username and password field are required or possibly two username fields for say first name and last name with a password field.

Not attempted this yet but don't want to overwrite existing user login, registration etc. pages for the front end. How do you separate the two systems, i.e. front end from back end?

Jason Byrnes (WebAssist)

htaccess can be used to password protect a directory. I wouldn't use this for the admin section though; I would use Security Assist.

You would need to apply Security Assist access restriction to all pages in the admin folder.

You would need to use User Level Authentication to only allow access to users with the Administrator user level.

See the User Level Authentication tutorial on the Security Assist support page in the archived documentation section.

bill3786

Ok, I'll work through the tutorial.

Does the administrator register and log in using the users' (customers') system, or is it necessary to create a separate simple login system to apply to the admin folder?

Jason Byrnes (WebAssist)

Same login; it will just be given a different user level at login time.

bill3786

In the users table there are three columns not in use at present, they are

user email verified
user verification code
user IP

Before I add the new user level column, can you clarify what these three columns are destined for? Just wondering if I can use one of them, but not at the expense of needing them for their intended purpose at some stage.

Jason Byrnes (WebAssist)

userEmail verified is used when you have a double opt-in set up.

It is used to mark whether the user is verified (1) or not (0).

user verification code is used to store the verification code used for double opt-in.

user IP is used to store the IP of the user when they register.
