How to solve the security problem of DedeCms

How to solve the security problem of DedeCms?

The following is for some novice webmaster friends who use DEDE (those with non-targeted technical skills)

Everyone on the Internet has also seen the DEDECMS program, although it is convenient for grassroots websites. It is a long way to build a website quickly, but there are also many security issues. DEDE officials have stopped upgrading the system a long time ago. At most, they only have some patch repairs; Okay, without further ado, here are some commonly used solutions:

Step 1:When installing Dede, it is best to change the table prefix of the database instead of using dedecms default The prefix dede_ can be changed to emtalk_, or any irregular and hard-to-guess prefix can be used (if the site is running online, technicians can help modify it).

Second step:

Backend login must enable the verification code function (or write a security mechanism by yourself), delete the default administrator admin, and change it to a more complicated one dedicated to you. The account and administrator password must be long, at least 8 characters, and contain a mix of letters and numbers.

The third step:

Be sure to delete the install directory after installing the program! ! !

Step 4:

Change the default directory name dede for dedecms background management, and change it to something that is hard to guess and irregular (change it from time to time).

Step 5:

Close (or eliminate/delete) all unused functions, such as members, comments, etc. If not necessary, close them all in the background. (If some functions require it and there is technical support, you can develop or modify the default success code yourself)

Step 6:

(1) The following are directories/functions that can be deleted ( If you don’t need it):

member会员功能 
special专题功能 
company企业模块 
plusguestbook留言板

(2) The following are the files that can be deleted:

These files in the management directory are background file managers, which are redundant functions and have the most impact Safe, many HACKs are mounted through it

file_manage_control.php 
file_manage_main.php 
file_manage_view.php 
media_add.php 
media_edit.php 
media_main.php

Furthermore:

If you do not need the SQL command runner, delete the dede/sys_sql_query.php file.

If you do not need the tag function, please delete tag.php in the root directory. Please delete digg.php and diggindex.php in the root directory if you don’t need to be an invoker.

Step 7:

Pay more attention to the security patches officially released by dedecms and apply them in time.

Step 8:

Download the publishing function (soft__xxx_xxx.php under the management directory). You can delete it if you don’t need it. This is also easier to upload to Xiaoma.

No. Nine steps:

You can download third-party protection plug-ins, such as: "Dreamweaver CMS Security Pack" produced by 360, "DedeCMS Stubborn Trojan Backdoor Killer" produced by Baidu's Security Alliance;

Step 10:

(Optional) The safest way: publish the html locally and then upload it to the space. It does not contain any dynamic content files and is the safest in theory, but maintenance is relatively troublesome.

Supplement: You still have to check your website frequently. Being linked to a black link is a trivial matter, but being linked to a Trojan horse or deleting a program is very miserable. If you are unlucky, your ranking will also drop. So remember to always back up your data! ! !

So far, the malicious script files we have discovered are

plus/ac.php 
plus/config_s.php 
plus/config_bak.php 
plus/diy.php 
plus/ii.php 
plus/lndex.php 
data/cache/t.php 
data/cache/x.php 
data/config.php 
data/cache/config_user.php 
data/config_func.php等等

Most of the uploaded scripts are concentrated in the three directories of plus, data, and data/cache. Please check the three directories carefully. Are there any files that have been uploaded recently?

As for the server, if it is a WIN series server, you can install security dogs and other related protection tools;

What are the words of the webmaster friends of the virtual space? . . Just do a good job of site security. The server cannot be touched;

The above is the detailed content of How to solve the security problem of DedeCms. For more information, please follow other related articles on the PHP Chinese website!