What settings should be enabled / disabled in php.ini to maximise security and enable all aMember functionality?

For enhancing security with php.ini I'm guessing the following:

register_globals = Off
safe_mode = On
safe_mode_gid = Off
safe_mode_exec_dir = /what/directory/should/be/specified/alex
allow_url_fopen = Off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
expose_php = Off
display_errors = Off
log_errors = On
error_log = /path/to/private/directory
open_basedir = /what/directories/need/access/alex

Alex, would any of these mess up aMember functionality / performance? What directories should be specified for safe_mode_exec_dir & open_basedir? What other server / code optimisations would help maximise security and performance?

For enhancing security with other methods, I'm guessing the following:

* Encode all PHP files with Zend/Ioncube
* Change admin directory name
* Protect admin directory with .htaccess
* Use SSL for all login forms: user login, admin login & entire admin area
* Write-protect directories & files: change directory permissions to 755, file permissions to 644

Alex, how can SSL be enabled by default for login forms and the administrator area? (i.e. redirect from http://url to https:// automatically for login forms and admin area)
Provided that you have cURL compiled into PHP as an extension and don't use payment plugins that execute external binaries (PayFlow Pro), these php.ini settings will work well and really add security to your install.

open_basedir should be set to your document root if you wish to use the Protect Folders function. When folders are protected, it can be set to the path of the amember folder.

* Encode all PHP files with Zend/Ioncube
No, it does not add much security, especially on dedicated. aMember Pro source is available anyway for those who are interested.

* Change admin directory name
Yes.

* Protect admin directory with .htaccess
Yes, even better is to protect all your site admin areas with client-side SSL certificates, but it requires a lot of skill.

* Use SSL for all login forms; user login, admin login & entire admin area
Yes.

* Write-protect directories & files; change directory permissions to 755, file permissions to 644
It depends on your host setup. If you make these changes and click aMember CP -> Rebuild Db, and it works, then why not.

What is really important to secure your webserver are 2 things:

- On shared hosting, it must have phpSuExec enabled, so every script is running with your own user permissions, and not as a shared "www" user. If the server setup is not secured (a LOT of hosts have this hole), EVERY PHP script on the server (even one belonging to another client) may READ and WRITE your files. You at least should not use credit card (cc_core) plugins on these hosts, because it may become a big problem if a client's credit card is stolen.

- On dedicated hosting, run your webserver under chroot. If you are using Apache, it is easy to do with mod_security: http://www.modsecurity.org/document...tml-multipage/06-special_features.html#N108DC
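The php.ini baseline from the question and the phpSuExec point from the reply above, as an added example (my own code, not aMember's and not posted in this thread): a throwaway script that reads the settings PHP actually loaded with ini_get() and reports every deviation, then checks whether the request runs as the user who owns the file. Checking at runtime matters on shared hosts, where the php.ini you can read is not always the one the web server uses. Assumptions: PHP 7.1 or later, the POSIX extension for the user check, and allow_url_include, which is my addition to the list in the thread.

```php
<?php
// php_hardening_check.php (added example, not part of aMember or this thread).
// Run from the CLI (php php_hardening_check.php) or upload it, request it once
// over HTTPS, and delete it afterwards. Assumes PHP 7.1 or later.

// Baseline proposed in the thread. PHP reports Off as "" or "0", On as "1".
$baseline = [
    'register_globals'  => '0',
    'safe_mode'         => '1',  // removed in PHP 5.4; reported as unknown there
    'safe_mode_gid'     => '0',
    'allow_url_fopen'   => '0',
    'allow_url_include' => '0',  // assumption: not in the thread, pairs with allow_url_fopen
    'expose_php'        => '0',
    'display_errors'    => '0',
    'log_errors'        => '1',
];

// Functions the thread proposes for disable_functions.
$mustBeDisabled = ['show_source', 'system', 'shell_exec', 'passthru',
                   'exec', 'phpinfo', 'popen', 'proc_open'];

// Normalise a boolean directive to '1'/'0'; null if this PHP does not know it.
function ini_bool(string $name): ?string
{
    $value = ini_get($name);
    if ($value === false) {
        return null;
    }
    return in_array(strtolower((string) $value), ['1', 'on', 'true', 'yes'], true) ? '1' : '0';
}

function audit(array $baseline, array $mustBeDisabled): array
{
    $findings = [];

    foreach ($baseline as $name => $want) {
        $have = ini_bool($name);
        if ($have === null) {
            $findings[] = "$name: unknown to this PHP build (expected if the directive was removed)";
        } elseif ($have !== $want) {
            $findings[] = sprintf('%s is %s, should be %s', $name,
                $have === '1' ? 'On' : 'Off', $want === '1' ? 'On' : 'Off');
        }
    }

    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach ($mustBeDisabled as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is not listed in disable_functions";
        }
    }

    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is not set';
    }

    // error_log must be set and must not sit under the document root, or the
    // log (paths, SQL errors, sometimes credentials) can be downloaded.
    $errorLog = (string) ini_get('error_log');
    if ($errorLog === '') {
        $findings[] = 'error_log is not set';
    } elseif ($errorLog !== 'syslog' && !empty($_SERVER['DOCUMENT_ROOT'])) {
        $docRoot = realpath($_SERVER['DOCUMENT_ROOT']);
        $logDir  = realpath(dirname($errorLog));
        if ($docRoot !== false && $logDir !== false && strpos($logDir . '/', $docRoot . '/') === 0) {
            $findings[] = "error_log ($errorLog) is inside the document root";
        }
    }

    // phpSuExec check: a web request should run as the user who owns this file.
    if (PHP_SAPI !== 'cli' && function_exists('posix_geteuid')) {
        $runAs = posix_geteuid();
        $owner = fileowner(__FILE__);
        if ($owner !== false && $runAs !== $owner) {
            $findings[] = "PHP runs as uid $runAs but this file is owned by uid $owner: "
                        . "no suEXEC/phpSuExec, other customers' scripts run as the same user";
        }
    }

    return $findings;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
$findings = audit($baseline, $mustBeDisabled);
if (!$findings) {
    echo "No deviations from the baseline.\n";
}
foreach ($findings as $finding) {
    echo "- $finding\n";
}
```

Run it both ways: from the CLI it shows the php.ini the command-line binary loads, which is often a different file from the one mod_php or suPHP uses, so the web request is the result that counts. Delete the script once you have read the output; it is exactly the kind of information-disclosure page the expose_php and phpinfo() settings are meant to remove.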
Enable SSL by Default for Entire Admin Area & Login Forms

Thanks for the reply Alex! Some useful tips I didn't know about there!

You said, But didn't really answer this:

In Joomla! this is relatively simple; you insert the following code into administrator/index.php, which redirects to / enables SSL for the admin area:

PHP:
// PART 1 - See if user is connecting via SSL
if ($_SERVER["SERVER_PORT"] == "443" && $_SERVER['SERVER_NAME'] != "localhost") {
    // reset site config var to SSL equiv ($mosConfig_live_site is Joomla's global site URL)
    $mosConfig_live_site = str_replace("http://", "https://", $mosConfig_live_site);
}

// PART 2 - Redirect to https if accessed over http (except when running locally)
if ($_SERVER['SERVER_NAME'] != "localhost") {
    $port = $_SERVER["SERVER_PORT"];
    //echo $port;die;
    $ssl_port = "443"; // Change 443 to whatever port you use for https (443 is the default and will work in most cases)
    if ($port != $ssl_port) {
        $host = $_SERVER["HTTP_HOST"];
        $uri  = $_SERVER["REQUEST_URI"];
        header("Location: https://$host$uri");
        exit; // stop here; without this the rest of the page is still processed and sent along with the redirect
    }
}

How can I enable SSL by default for the entire admin area & login forms with aMember? (like I first asked and you suggested) [I have an SSL certificate & HTTPS hosting set up.]

You also commented that, If this is the case, please could you send me the original PHP source files without Zend/Ioncube encoding? You have my email address on file.

Thanks once again!
That code from Joomla will work well; insert it into amember/login.php and amember/admin/login.inc.php.

Only 2 files are encoded in the Pro version; you may read the source code of all other files.
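A hardened version of that redirect for the two files named above, as an added example (my own code, not aMember's and not Joomla's). It differs from the Joomla snippet in four ways a practitioner would want: it detects TLS from $_SERVER['HTTPS'] rather than the port number, so it also works when HTTPS is served on a non-standard port; it honours X-Forwarded-Proto only from a proxy you list, because any client can send that header and switch the redirect off; it redirects to a fixed canonical hostname instead of the client-supplied Host header, which would otherwise make the redirect an open redirector; and it refuses rather than redirects a POST, since a login form submitted over plain HTTP has already leaked the password and a redirect would just replay it. Assumptions: PHP 7.1 or later, the hostname constant and TRUSTED_PROXIES are placeholders for your own values, and the Joomla "localhost" exemption is dropped.

```php
<?php
// force_https.inc.php (added example, not aMember code). require_once it at
// the very top of amember/login.php and amember/admin/login.inc.php, before
// any output. Assumes PHP 7.1 or later.

define('FORCE_HTTPS_CANONICAL_HOST', 'www.example.com'); // assumption: replace with your hostname
const TRUSTED_PROXIES = []; // e.g. ['10.0.0.5'] for a TLS-terminating proxy; empty if Apache does TLS itself

function request_is_https(): bool
{
    // Apache/mod_ssl sets HTTPS=on, other SAPIs set '1', IIS sets 'off'.
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    // Only trust X-Forwarded-Proto when the connection comes from our own proxy.
    if (TRUSTED_PROXIES !== []
        && isset($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_PROTO'])
        && in_array($_SERVER['REMOTE_ADDR'], TRUSTED_PROXIES, true)) {
        return strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

function force_https(): void
{
    if (PHP_SAPI === 'cli') {
        return;
    }
    if (request_is_https()) {
        // Ask browsers to use HTTPS for this whole host for one year.
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }

    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    if ($method !== 'GET' && $method !== 'HEAD') {
        // A POSTed login has already sent the password in clear text; do not
        // silently retry it over HTTPS, tell the user the form was misused.
        http_response_code(403);
        header('Content-Type: text/plain');
        exit("This form must be submitted over HTTPS.\n");
    }

    // Build the target from a fixed hostname, never from HTTP_HOST.
    $uri = $_SERVER['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    header('Location: https://' . FORCE_HTTPS_CANONICAL_HOST . $uri, true, 301);
    exit;
}

force_https();
```

Two caveats. Strict-Transport-Security applies to the whole hostname, not just the login pages, so only keep that line if every page on the host is reachable over HTTPS; otherwise remove it and rely on the redirect alone. And because the file exits on any plain-HTTP POST, test the member login, the admin login and any payment-return URLs over HTTPS before switching this on for real users.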
admin root access

Hi, I'm on shared hosting. As the technicians have root access, how would I protect my data from them? I guess they'll have access to the PHP files, but is there a way to protect databases from them? Anything else that needs to be taken into consideration? Thanks