How to do it...

  1. If possible, delete all the administrative applications, such as Joomla's admin, WordPress' admin, phpMyAdmin, or Tomcat Manager. If that is not possible, make them accessible from the local network only; for example, to deny access from outside networks to phpMyAdmin in an Apache server, modify the httpd.conf file (or the corresponding site configuration file):

    <Directory /var/www/phpmyadmin>
      Order Deny,Allow
      Deny from all
      Allow from 127.0.0.1 ::1
      Allow from localhost
      Allow from 192.168
      Satisfy Any
    </Directory>

This will first deny access from all addresses to the phpmyadmin directory, and second, it will allow any request from the localhost and addresses beginning with 192.168, which are local network addresses.

  2. Change all administrators' passwords for all CMSs, applications, databases, servers, and frameworks to ones that are strong enough. Some examples of such applications are as follows:
    • cPanel
    • Joomla
    • WordPress
    • phpMyAdmin
    • Tomcat Manager
  3. Disable all unnecessary or unused server and application features. New vulnerabilities appear daily or weekly in the optional modules and plugins of CMSs. If your application doesn't require them, there is no need to keep them active.
  4. Always have the latest security patches and updates applied. In production environments, it may be necessary to set up test environments so that an update to an incompatible version does not leave the site inoperative.
  5. Set up custom error pages that don't reveal tracing information, software versions, programming component names, or any other debugging information. If developers need to keep a record of errors, or if an identifier is necessary for technical support, create an index with a simple ID and the error's description and show only the ID to the user. When the error is reported to support personnel, they can look up the ID in the index and know what type of error it was.
  6. Adopt the principle of least privilege. Every user at every level (operating system, database, or application) should only be able to access the information that is strictly required for correct operation, never more.
  7. Taking into account the previous points, build a security configuration baseline and apply it to every new implementation, update, or release, and to current systems.
  8. Enforce periodic security testing or auditing to help detect misconfigurations or missing patches.
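The phpMyAdmin restriction from step 1 and the version-hiding and custom error page advice from step 5, written together for Apache 2.4, as an added example that is not from the book: Order/Deny/Allow is Apache 2.2 syntax and in 2.4 only works when mod_access_compat is loaded, so the 2.4 form below uses Require instead. The directory /var/www/phpmyadmin, the 192.168.0.0/16 LAN range and the /errors/*.html page paths are assumptions to adjust for your server.

```apache
# Apache 2.4 equivalent of the 2.2 <Directory> block in step 1.
# Access is denied by default; only the Require clauses inside
# RequireAny can grant it.
<Directory /var/www/phpmyadmin>
    <RequireAny>
        # 127.0.0.1, ::1 and the server's own addresses
        Require local
        # private LAN range (assumed; change to your own network)
        Require ip 192.168.0.0/16
    </RequireAny>
</Directory>

# Step 5: do not reveal the server version in headers or in
# server-generated pages (directory listings, default error pages).
ServerTokens Prod
ServerSignature Off

# Step 5: serve static custom error pages instead of the defaults.
# The /errors/*.html paths are assumed; each page shows only a generic
# message and, if needed, the support reference ID the application
# generates, never a stack trace or component name.
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
```

After changing the configuration, run apachectl configtest and reload the server, then confirm from an address outside the allowed range that /phpmyadmin returns the custom 403 page.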