Everyone on the Internet has also seen the DEDECMS program. Although it is convenient for grassroots webmasters to quickly build a website, security also has many problems. You need to set it up before you can use it, otherwise it will become a problem for others. Horse's website p>The following is for some novice webmaster friends who use DEDE (those with non-targeted technical skills)
dedecms template download address: m.sbmmt.com/xiazai/code/dedecms
Everyone on the Internet has also seen the DEDECMS program. Although it is convenient for grassroots webmasters to quickly build a website, it also has many security issues. DEDE officials have stopped upgrading the system a long time ago. At most, they only have some patch repairs;
Okay, without further ado, here’s the summary Some commonly used solutions:
Step one:
When installing Dede, it is best to change the table prefix of the database, not Use the default prefix dede_ of dedecms, which can be changed to emtalk_, or any irregular and hard-to-guess prefix (if the site is running online, you can ask a technician to help modify it).
Second step:
Backend login must enable the Verification code function (or write a security mechanism by yourself), and the default Administrator admindelete and change it to a dedicated, more complex account. The administrator password must be long, at least 8 characters, and mixed with letters and numbers.
Step Three:
Be sure to delete the install directory after installing the program! ! !
Step 4:
Change the default directory name dede for dedecms background management, and change it to something that is hard to guess and irregular (change it from time to time).
Step 5:
Close (or eliminate/delete) all unused functions, such as members, comments, etc. If not necessary, close them all in the background. (If some functions require it and there is technical support, you can develop or modify the default success code yourself)
Step 6:
(1) The following are possible Deleted directories/functions (if you don’t use them):
member会员功能 special专题功能 company企业模块 plusguestbook留言板
(2) The following are the files that can be deleted:
These files in the management directory are background file managers and belong to It is a redundant function and most affects security. Many HACKs are mounted through it.
file_manage_control.php file_manage_main.php file_manage_view.php media_add.php media_edit.php media_main.php
Furthermore:
If you do not need a SQL command runner, delete the dede/sys_sql_query.php file.
If you do not need the tag function, please delete tag.php in the root directory. Please delete digg.php and diggindex.php in the root directory if you don’t need to be an invoker.
Step 7:
Pay more attention to the security patches officially released by dedecms and apply them in time.
Step 8:
Download the publishing function (softxxx_xxx.php in the management directory), you can delete it if you don’t need it, this is also easierUpload小马的.
Step 9:
You can download third-party protection plug-ins, such as: "Dreamweaver CMS Security Package" produced by 360, Baidu's security "DedeCMS Stubborn Trojan Backdoor Killer" produced by the alliance;
Step 10:
(optional) The safest way: Publish html locally and then upload it to space. It does not contain any dynamic content files and is the safest in theory, but maintenance is relatively troublesome.
Supplement: You still have to check your website frequently. Being linked to a black link is a trivial matter, but being linked to a Trojan horse or deleting a program is very miserable. If you are unlucky, your ranking will also drop. . So remember to back up your data from time to time! ! !
So far, the malicious script files we have discovered are
plus/ac.php plus/config_s.php plus/config_bak.php plus/diy.php plus/ii.php plus/lndex.php data/cache/t.php data/cache/x.php data/config.php data/cache/config_user.php data/config_func.php等等
Most of the uploaded scripts are concentrated in the three directories of plus, data, and data/cache. Please check the three directories carefully. Are there any files that have been uploaded recently?
As for the server, if it is a WIN series server, you can install security dogs and other related protection tools;
What are the words of the webmaster friends of the virtual space? . . Just do a good job of site security. The server cannot be touched;
The above is the detailed content of Detailed explanation of DedeCms security problem solutions (security settings). For more information, please follow other related articles on the PHP Chinese website!