There are several basic steps outlined elsewhere in these FAQs, such as correct use of file/folder permissions, htaccess, index redirects, rejection of uploading unsafe mime-types and regular backups. It is also good policy to use your groups system to filter users, allowing extended priviledges only to trusted members. There are also extra measures you can take to protect your site. Here is an extract froma module called "Protector" Please also see the forum thread
Protector module usage. Quote:
Xoops Protector is a module to defend XOOPS2 from various and malicious attacks. This module can protect four kind of attacks like: - DoS - SQL Injection - XSS - System global variable pollution Xoops Protector defends you XOOPS from these attacks, and it records into its log. Of course, all vulnerablities can't be prevented. Be not overconfident, please. However, I recommend installing this module to all XOOPS users. = RELATION to AntiDoS-P = The antecedent of Xoops Protector was AntiDoS-P. Since all functions of AntiDoS-P has been succeeded in Xoops Protector, you'd better to uninstall AntiDoS-P. = USAGE = Please install it as well as a usual module. Turn "Protector block" on and put the block top of left side by blocks admin. Turn the block's permission on to all groups by groups admin. You can do that easily by using Blocks&Groups Admin of Protector. I strongly recommend calling this module from mainfile.php also. After Xoops Protector is installed, edit your mainfile.php like this: define('XOOPS_GROUP_ADMIN', '1');
define('XOOPS_GROUP_USERS', '2');
define('XOOPS_GROUP_ANONYMOUS', '3');
include( XOOPS_ROOT_PATH . '/modules/protector/include/precheck.inc.php' ) ;
if (!isset($xoopsOption['nocommon'])) {
include XOOPS_ROOT_PATH."/include/common.php";
}
Insert a line just before the line of if (!isset($xoopsOption['nocommon'])) { Both pre-check and block-check are needed. If you needs the feature of "IP Ban", turn on "System admn" -> "Preferences" -> "General" -> "Enable IP Bans" When you turn this on, you have to check if your IP is included in "Enter IP addresses that should be banned from the site".
Protector is available from PEAK XOOPS
http://www.peak.ne.jp/xoops/ There is also a good article on protecting the mainfile.php from ever displaying sensitive information in the event of a php failure The article can be found on Xoops-Tips
Protecting mainfile.php Besides the tips given here there are more things to do. I like to prevent attempts to even try pulling the file in a browser.
<Files ~ "mainfile.php">
Order allow,deny
Deny from all
Files>
This will log a Forbidden error in your server logs. Another way is to encrypt the file itself. Most of the PHP addon accelerators/compilers have an encryption feature. Typically these are used for commercial applications so that the customer can't see the code. Also handy for sensitive files like this. The file becomes unreadable except to the webserver and only if the server is using the same engine. Zend products and MMCache are two that I've tried. Since you rarely need to edit the file this is a useful trick. You store the raw file somewhere safe so you can edit and reencrypt it later. I don't see this as much different than an SSL key file that also must be protected. If your server gets rooted you have other problems. See also
this forum post here for more details on protector module.
Monitoring Recently there has been another xoops module developed and released called
Netquery This module offer a number of security checks and traces on visitors to your site
See also more security related FAQs here: Can users upload viruses to my site? How can I ban a user? Why should there be an index.html file in all directories? What are spiders and bots and how do I control what they do? How secure will my Xoops website be? How do I CHMOD to 0444? What is CHMOD? What are the correct file permissions?
allow_url_fopen
One of the Protector module's security checks is whether the PHP configuration option allow_url_fopen is on.
Note that allow_url_fopen can only be changed in the main Apache configuration file (httpd.conf) or the PHP configuration file (php.ini), and not in an Apache per-directory configuration file (.htaccess) or via the PHP ini_set() function.
This was a change effected in PHP 4.3.5, and older PHP Manuals may incorrectly show allow_url_fopen's changeability as PHP_INI_ALL, while it is actually PHP_INI_SYSTEM.
The files httpd.conf and php.ini are normally changeable only by a server administrator, so someone with a web hosting account would not be able to modify those files.
Here's an example of disabling allow_url_fopen in httpd.conf:
php_admin_flag allow_url_fopen off
References:
http://bugs.php.net/bug.php?id=28497
http://www.php.net/ChangeLog-4.php
http://us3.php.net/manual/en/function.ini-set.php
http://www.php.net/manual/en/configuration.changes.php