
How to harden DedeCMS (Dream Weaving) against its common security problems

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

The editor shares with you how to harden DedeCMS (Dream Weaving) against its common security problems. I hope you gain something from reading this article; let's go through it together.

How do you harden DedeCMS (Dream Weaving) against security problems?

Many novice users of Dream Weaving CMS sooner or later find that a web shell or Trojan has been planted on their site, so we should take precautions on both the website and the server in advance, and keep backups.

Dream Weaving, as the largest open-source free CMS program in China, is inevitably studied closely by many attackers, and in an already insecure Internet environment it is easy to get compromised. The DEDE developers stopped releasing upgrades for this system long ago. Security is not only a matter of the program itself; it also requires daily backups and server-side precautions on our part.

OK, let's cut the chatter and go through the more commonly used countermeasures:

Step 1: after installing Dream Weaving CMS, be sure to delete the install folder.

Step 2: enable the CAPTCHA for back-end login (or add your own login protection), delete the default administrator account admin and replace it with a private, hard-to-guess account name. The administrator password must be long, at least 8 characters, and mix letters and digits.

Step 3: rename the default back-end management directory dede to something hard to guess and irregular, and change it again from time to time.

Step 4: turn off (or delete) every function you do not need, such as membership and comments; if they are not required, disable them in the back end:

Disable the membership function: back end - System - System basic parameters - Member settings - whether to enable the member function (yes)

Enable the member verification code: back end - System - System basic parameters - Interactive settings - whether member contributions use a verification code (yes)

Disable all comments: back end - System - System basic parameters - Interactive settings - whether to prohibit all comments (Yes)

Step 5: (1) the following directories / features can be deleted if you do not use them:

member: membership function [member directory, not needed for a typical corporate site]

the thematic (special-topic) function [special-topic feature]

tags.php [tag page]

the a directory

(2) management directory: the following files can be deleted:

These files under the management directory are rarely needed management functions; they are redundant and have the greatest impact on security, because attackers frequently use them to plant web shells.

dede/file_manage_control.php [email delivery]

dede/file_manage_main.php [email delivery]

dede/file_manage_view.php [email delivery]

dede/media_add.php [video control file]

dede/media_edit.php [video control file]

dede/media_main.php [video control file]

dede/spec_add.php, spec_edit.php [thematic management]

The dede/file_xx.php series of files and tpl.php [file manager; a serious security risk]

(3) plus directory: the following files can be deleted:

Delete: plus/guestbook folder [message board; a more suitable guestbook plug-in can be installed later]

Delete: plus/task folder and task.php [scheduled task control files]

Delete: plus/ad_js.php [advertisements]

Delete: plus/bookfeedback.php and bookfeedback_js.php [book review and review call files; has an injection vulnerability, insecure]

Delete: plus/bshare.php [share-to plug-in]

Delete: plus/car.php, posttocar.php and carbuyaction.php [shopping cart]

Delete: plus/comments_frame.php [comment call; has a security vulnerability]

Delete: plus/digg_ajax.php and digg_frame.php [up/down vote]

Delete: plus/download.php and disdls.php [download and download count]

Delete: plus/erraddsave.php [error correction]

Delete: plus/feedback.php, feedback_ajax.php, feedback_js.php [comments]

Delete: plus/guestbook.php [message board]

Delete: plus/stow.php [favorites]

Delete: plus/vote.php [vote]

Also: delete dede/sys_sql_query.php (the SQL command runner) if you do not need it.

Step 6: pay attention to the security patches officially released by DedeCMS and apply them promptly.

Step 7: the software download and release function (soft__xxx_xxx.php in the management directory). Delete it if you do not need it; it is a common route for planting small web shells.

Step 8: third-party protection plug-ins can be downloaded, such as the "Weaving Dream CMS Security package" and "DedeCMS stubborn Trojan Horse back door Kill" produced by Baidu's Security Alliance.

Step 9: (optional) the safest approach: generate the HTML locally and upload only the static pages to the hosting space. With no dynamic files on the server this is theoretically the safest, but it is relatively troublesome to maintain.

Also: check your own website regularly. Having hidden links injected is a minor matter; having a Trojan planted or the program deleted is very painful, and if you are unlucky your search ranking suffers too. So remember to back up the data frequently!

Further reading: illustrated guide to the data backup steps for a Dream Weaving website

So far, the malicious script files we have found are:

plus/90sec.php
plus/ac.php
plus/config_s.php
plus/config_bak.php
plus/diy.php
plus/ii.php
plus/lndex.php
data/cache/t.php
data/cache/x.php
data/config.php
data/cache/config_user.php
data/config_func.php

Most of the uploaded scripts are concentrated in the plus, data and data/cache directories, so check carefully whether any recently uploaded files exist in those three directories. On the server side, if it is a Windows server, you can install Safedog (安全狗) or similar protection tools.
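As an added example (not part of the original article), a small POSIX shell audit that checks a DedeCMS site root for files from the deletion lists above that are still present, and for PHP files recently written into plus/, data/ and data/cache/ as the paragraph above suggests; the site tree it runs against is constructed inline and is not a real install.

```shell
#!/bin/sh
# Added audit example, not part of the original article. Checks a DedeCMS
# site root for listed deletable files and for freshly written PHP scripts.

# Subset of the files the article says to delete when unused.
REMOVABLE='install
dede/sys_sql_query.php
dede/file_manage_main.php
dede/media_main.php
plus/task.php
plus/guestbook.php
plus/comments_frame.php
plus/vote.php'

# list_removable ROOT: print each listed path that still exists under ROOT.
list_removable() {
    root=$1
    printf '%s\n' "$REMOVABLE" | while IFS= read -r rel; do
        if [ -e "$root/$rel" ]; then printf '%s\n' "$rel"; fi
    done
}

# recent_php ROOT DAYS: print PHP files directly inside plus/, data/ and
# data/cache/ modified within the last DAYS days, relative to ROOT.
recent_php() {
    root=$1; days=$2
    for d in plus data data/cache; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -maxdepth 1 -type f -name '*.php' -mtime "-$days"
    done | sed "s|^$root/||" | sort -u
}

# make_demo: build a constructed throw-away site tree (not a real install)
# with two listed files, one fresh script and one old script; prints its path.
make_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/install" "$root/dede" "$root/plus" "$root/data/cache"
    : > "$root/dede/sys_sql_query.php"
    : > "$root/plus/guestbook.php"
    : > "$root/plus/old.php"
    : > "$root/data/cache/x.php"                      # freshly written
    touch -t 202001010000 "$root/plus/guestbook.php" "$root/plus/old.php"
    printf '%s\n' "$root"
}

ROOT=$(make_demo)
echo "== listed files still present:"; list_removable "$ROOT"
echo "== PHP files written in the last 7 days:"; recent_php "$ROOT" 7
rm -rf "$ROOT"
```

Run it from the web root of a real site by passing that path to the two functions instead of the demo tree; any hit from recent_php that you did not upload yourself deserves a closer look.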

After reading this article, I believe you have a basic understanding of how to harden DedeCMS (Dream Weaving) against its security problems. If you want to know more, welcome to follow the industry information channel. Thank you for reading!
