Securing CMS Made Simple Against Recent Vulnerabilities
Posted: Sun Jan 19, 2025 11:29 am
by Jaredfeather
Hi everyone,
With recent increases in cybersecurity threats, I'm looking to bolster the security of our CMS Made Simple site. Does anyone have recommendations for security best practices or essential plugins that help protect against vulnerabilities? How do you manage user permissions effectively?
Thanks for any help!
Re: Securing CMS Made Simple Against Recent Vulnerabilities
Posted: Sun Jan 19, 2025 4:15 pm
by creopard
A good starting point is securing the webserver first:
https://github.com/h5bp/server-configs- ... /.htaccess
Re: Securing CMS Made Simple Against Recent Vulnerabilities
Posted: Tue Jan 21, 2025 10:24 am
by pierrepercee
Hello,
Creopard is right. Low-level server protection does a very good job.
You can additionally change the name of the administration directory and protect it with .htaccess authentication easily.
I found this code that allows a bit of filtering on URLs, and it works well. You have to integrate it into your .htaccess at the root.
Code:
# URL Filtering helps stop some hack attempts
#IF the URI contains a "http:"
RewriteCond %{QUERY_STRING} http\: [OR]
RewriteCond %{QUERY_STRING} https\: [OR]
#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]
#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]
#OR if the URI contains a "<script>"
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
#IF the URI contains UNION
RewriteCond %{QUERY_STRING} UNION [OR]
#OR if the URI contains a *
RewriteCond %{QUERY_STRING} \*
#then deny the request (403)
RewriteRule ^.*$ - [F,L]
# End URL Filtering
I'm not an expert but lowering the permissions (chmod) of folders/files on the entire installation to the bare minimum would probably be a good idea too.
If anyone very knowledgeable about access rights for a CMSMS installation comes by...
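As an added example (not code from the thread), here is a small Python audit that checks a CMS Made Simple document root for the two things discussed in this post before any chmod is applied: world-writable entries and PHP files sitting under uploads/. It then applies the common 644/755 baseline. The baseline values, the sample tree it builds and the directory names are assumptions of mine, not CMSMS's documented requirements.

```python
import os
import stat
import tempfile

# Added example, not code from the thread. The 644/755 baseline and the
# directory names below are assumptions; check CMSMS's own install notes
# for which directories must stay writable by the web server user.

def world_writable(root):
    """Return paths (relative to root) of files and directories any user can write."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue  # judge the target, not the link
            if os.stat(p).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(p, root))
    return sorted(hits)

def php_under_uploads(root):
    """Return PHP files found under uploads/; nothing there should be executable code."""
    up = os.path.join(root, "uploads")
    hits = []
    if not os.path.isdir(up):
        return hits
    for dirpath, _, filenames in os.walk(up):
        for name in filenames:
            if name.lower().endswith(".php"):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

def apply_baseline(root, file_mode=0o644, dir_mode=0o755):
    """Set every directory to dir_mode and every file to file_mode.
    Returns the number of entries whose mode was changed."""
    changed = 0
    for dirpath, _, filenames in os.walk(root):
        if stat.S_IMODE(os.stat(dirpath).st_mode) != dir_mode:
            os.chmod(dirpath, dir_mode)
            changed += 1
        for name in filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue
            if stat.S_IMODE(os.stat(p).st_mode) != file_mode:
                os.chmod(p, file_mode)
                changed += 1
    return changed

def build_sample_root():
    """Constructed sample tree standing in for a CMSMS document root."""
    root = tempfile.mkdtemp(prefix="cmsms-audit-")
    for d in ("uploads/images", "modules/News"):
        os.makedirs(os.path.join(root, d))
    for d in ("uploads", "uploads/images", "modules", "modules/News"):
        os.chmod(os.path.join(root, d), 0o755)
    files = {
        "index.php": 0o644,
        "config.php": 0o666,                    # far too loose for a config file
        "uploads/images/photo.jpg": 0o644,
        "uploads/images/shell.php": 0o666,      # PHP file dropped into uploads/
        "modules/News/action.default.php": 0o644,
    }
    for rel, mode in files.items():
        p = os.path.join(root, rel)
        with open(p, "w") as fh:
            fh.write("sample\n")
        os.chmod(p, mode)
    return root

if __name__ == "__main__":
    root = build_sample_root()
    print("world-writable:", world_writable(root))
    print("php under uploads/:", php_under_uploads(root))
    print("entries changed:", apply_baseline(root))
    print("world-writable after baseline:", world_writable(root))
```

After the baseline is applied, re-open only the directories CMSMS must write to (such as tmp/ and uploads/) by giving them to the web server user or group rather than by setting world-writable bits, and pair that with creopard's RedirectMatch rule so that a PHP file landing in uploads/ is never served.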
Re: Securing CMS Made Simple Against Recent Vulnerabilities
Posted: Tue Jan 21, 2025 10:37 am
by creopard
Found some more CMSMS-specific .htaccess declarations (see your directory "/doc/htaccess.txt" for more examples):
Code:
# exclude some CMSMS modules
# RedirectMatch 403 ^.*/modules/.*\.php$
RedirectMatch 403 ^.*/modules/(?!TinyMCE/responsive_filemanager/filemanager/).*\.php$
RedirectMatch 403 ^.*/uploads/.*\.php$
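Before putting either snippet into production it is worth seeing exactly what they block. The following is an added example, not code from the thread: it re-creates the RewriteCond patterns from pierrepercee's URL filter and the RedirectMatch patterns from this post as Python regexes and runs constructed query strings and paths through them. Apache matches these patterns with PCRE, unanchored, which re.search reproduces here; [NC] maps to re.IGNORECASE, and RewriteCond sees the raw, still percent-encoded query string.

```python
import re

# Added example, not code from the thread. Patterns are copied verbatim from
# the two .htaccess snippets; the sample inputs are constructed.

# Query-string filter from pierrepercee's post: any match -> 403.
QUERY_STRING_RULES = [
    (r"http\:", 0),
    (r"https\:", 0),
    (r"\[", 0),
    (r"\]", 0),
    (r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),   # [NC]
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
    (r"UNION", 0),
    (r"\*", 0),
]

# Path rules from creopard's post: RedirectMatch 403 on the URL path.
PATH_RULES = [
    r"^.*/modules/(?!TinyMCE/responsive_filemanager/filemanager/).*\.php$",
    r"^.*/uploads/.*\.php$",
]

def blocked_by_query_filter(query_string):
    """Return the first pattern that matches, or None if the request passes."""
    for pattern, flags in QUERY_STRING_RULES:
        if re.search(pattern, query_string, flags):
            return pattern
    return None

def blocked_by_path_rules(path):
    """True if any RedirectMatch rule would answer 403 for this path."""
    return any(re.search(p, path) for p in PATH_RULES)

if __name__ == "__main__":
    # Constructed query strings: the last three are ordinary, legitimate
    # requests that the filter rejects anyway (false positives to plan for).
    for qs in [
        "page=home",
        "x=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
        "id=1 UNION SELECT 1",
        "q=a*b",                          # wildcard in a site search
        "return=https://example.com/",    # redirect-back parameter
        "filter[name]=x",                 # PHP array-style parameter
    ]:
        print(f"{qs!r:45} -> {blocked_by_query_filter(qs)}")
    for path in [
        "/modules/News/action.default.php",
        "/modules/TinyMCE/responsive_filemanager/filemanager/dialog.php",
        "/uploads/images/shell.php",
        "/uploads/images/photo.jpg",
        "/index.php",
    ]:
        print(f"{path:65} -> {'403' if blocked_by_path_rules(path) else 'pass'}")
```

The run shows the trade-off in the URL filter: it is a blocklist, so it stops the obvious cases but also rejects any request whose query string carries a URL, a `*` or PHP array brackets, which some modules and search forms use. Test the site's own links with it enabled and watch the error log for 403s before leaving it on. The path rules behave as intended (the responsive_filemanager allowlist passes, everything else under modules/ and uploads/ ending in .php is refused); they only cover names ending in `.php`, so check which other extensions your PHP handler is configured to execute.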
Re: Securing CMS Made Simple Against Recent Vulnerabilities
Posted: Thu Jan 23, 2025 8:08 am
by Jaredfeather
Thanks for the detailed suggestions! Securing the server and customizing the .htaccess file makes a lot of sense. I’ll start by implementing the URL filtering and reviewing the CMSMS-specific .htaccess declarations you shared. Also, lowering permissions for critical files and directories seems like a practical step. I appreciate the guidance and will look into these solutions further. Thanks again for the help!