How can I 'harden' or improve e107 security?

From e107 Wiki

First of all: use your common sense! If you are not familiar with hosting a website, be prepared to invest a lot of your time. If you have no idea how to do it but want a reliable website, leave the hosting to professionals.

  • Check any installation for updates (e107 core and plugins) on a regular basis and apply them as soon as possible
  • Do not give anyone admin rights unless you are sure they are trustworthy and capable
  • Check your site regularly and use the file inspector to search for non-core files that could have been maliciously uploaded
  • Use secure passwords for admin, MySQL and FTP and change them regularly
  • Change the default folder names (e.g. remove the e107_ prefix), and change e107_config.php accordingly. See: Can_I_change_the_e107_directories?
  • Rename the admin folder to something else completely
  • Keep file permissions as low as possible - avoid 777 unless absolutely vital
  • Put a blank index.html file in every folder to prevent unwanted directory listings
  • Use cPanel's 'Error Page' function to display a message and stop constant lookups of the MySQL database
  • Remove all unused plugins and themes - fewer files means fewer places to find holes
  • Only use non-core plugins from trusted sources - if you don't need them, don't upload or install them
  • Don't allow the [php] bbcode to anyone
  • Don't allow HTML posting unless you really have to
  • Keep allowed filetypes in admin/filetypes.php to a minimum
  • Don't allow Public Uploads - only allow public uploads as attachments to the forums if you really need to
  • Be prepared to pay for a good pro-active, security-conscious hosting service
  • Make regular database backups (nightly via a cron job if you can) and keep a complete mirror of the site files (especially any you have modified) available so you can get back online quickly in case all of the above fail
  • Install the enhanced eCaptcha plugin with reCaptcha instead of the core image code
  • Install the 'BanHelper' plugin and set it to restrict new members' ability to post links or images (spam) in comments and forum posts
  • Install Suhosin: an advanced protection system for PHP installations
  • Create a 404.html in your e107 root folder. Click on the link for an example.
  • Create a .htaccess in your e107 root folder. Click on the link for an example.
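Three of the checks above (non-core files, 777 permissions, folders without an index.html) can be scripted from the server's shell. The script below is an added example, not part of the e107 wiki or the core file inspector; it assumes GNU coreutils (sha256sum, comm) and that you record a baseline manifest right after a clean install or update.

```sh
#!/bin/sh
# Added example: audit an e107 site tree against the hardening list above.
# Assumes sha256sum/comm from GNU coreutils; paths with spaces are not handled.

# Record a baseline of every file after a clean install/update.
# Usage: make_baseline SITE_ROOT MANIFEST   (keep MANIFEST outside SITE_ROOT)
make_baseline() {
  ( cd "$1" && find . -type f -exec sha256sum {} + \
      | awk '{print $2, $1}' | LC_ALL=C sort ) > "$2"
}

# Print files that are new or changed since the baseline, one path per line.
# This is the "non-core files" check the file inspector performs.
# Usage: check_files SITE_ROOT MANIFEST
check_files() {
  now=$(mktemp)
  ( cd "$1" && find . -type f -exec sha256sum {} + \
      | awk '{print $2, $1}' | LC_ALL=C sort ) > "$now"
  # lines present now but absent from the baseline = added or modified files
  LC_ALL=C comm -13 "$2" "$now" | awk '{print $1}'
  rm -f "$now"
}

# Print files and directories that are world-writable (777, 666, ...).
# Usage: check_perms SITE_ROOT
check_perms() {
  find "$1" ! -type l -perm -0002
}

# Print directories with no index.html (directory listing may be possible).
# Usage: check_index SITE_ROOT
check_index() {
  find "$1" -type d | while read -r d; do
    [ -e "$d/index.html" ] || echo "$d"
  done
}
```

Run make_baseline once after a known-good update, then run the three check functions from a nightly cron job alongside the database backup and review anything they print.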
