OneThird CMS is not very compatible with WAFs (Web Application Firewalls), and it is assumed not to run behind an ordinary WAF.
If you nevertheless want to operate it together with a WAF, one approach is to set up a second URL for updating (administration) in addition to the public URL, put that URL behind BASIC authentication, and route only that URL around the WAF.
To create the two URLs, configure Apache first and then add the following to config.php.
Example
$ {For ()}
In the example, domain1.com is the URL that ordinary users access through the WAF, and domain2.com is the URL protected by BASIC authentication.
In OneThird CMS, on top of the basic security measures, the following points have been strengthened in particular.
It is well known that attacks on a CMS such as WordPress begin by scanning for wp-login.php.
Direct access to PHP files under the admin folder, including ones with vulnerabilities, is also frequently seen as the route by which a site is tampered with.
A program designed with security in mind should not be attacked this way in the first place, but no program is 100% free of defects.
So, as an insurance measure, the method described below hides all of the management programs.
In OneThird CMS, the only PHP programs that can be accessed directly are index.php and the programs under admin.
Protecting the admin folder with BASIC authentication alone already makes it robust against outside attacks, but it is somewhat cumbersome.
Since v1.70 the CMS therefore provides, as a built-in function, an easier way to hide the URLs of all management programs, including the login program.
The login URL could also be changed before v1.70; if you are using the previous method, please switch to this one.
The change is simple: only two places, in two files, need to be edited.
First, in config.php, set
$config['admin_dir'] = 'hard-to-guess string';
If the CMS was installed with v1.70 or later, the $config['admin_dir'] entry is already present in the file as a commented-out line, so uncomment it instead.
For the hard-to-guess string, choose a length that causes no trouble in day-to-day operation.
In this example it is set to admin01ab.
Next, open the .htaccess file directly under the installation folder and, immediately below the line
RewriteEngine On
add the line
RewriteRule ^.*/?(admin[0-9a-zA-Z]*)/(.*)$ index.php?__admin=$1&__pg=$2&%{QUERY_STRING} [L]
Again, if the CMS was installed with v1.70 or later, this line is already present, so uncomment it instead.
After this change, the login URL changes from
installation URL/login
to
installation URL/admin01ab/login
Some may feel that a string of only four characters added to the URL, as in this example, is too short.
However, the probability of guessing those four characters is about one in 1,600,000, and even an attacker who finds this URL still cannot log in.
The purpose of changing the URL is to avoid indiscriminate attacks by bots.
In addition, because the .htaccess contains
RewriteRule ^.*/?(admin[0-9a-zA-Z]*)/(.*)$ index.php?__admin=$1&__pg=$2&%{QUERY_STRING} [L]
any access to installation URL/admin??? other than installation URL/admin01ab/login is treated as a bot attack, since it is not the genuine URL.
More specifically, once about 100 wrong accesses to such URLs come from the same IP address, that IP is shut out until the next day.
This makes it difficult to discover the login URL by scanning,
which is why the URL does not need to be long.
Of course, it can be made longer if that causes no operational problems.
For the reason above, when you hide the URL, do not create normal pages with an alias of the form admin???.
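As an added example (not OneThird CMS code), here is a small Python model of the two mechanisms described above: the RewriteRule translated into a Python regex, and a per-IP counter that shuts an address out after about 100 wrong admin??? accesses. The constant-time comparison and the integer day counter are assumptions of this example, and the rule's behaviour also shows why a normal page alias such as admin2024 would be caught by it.

```python
import hmac
import re

# The .htaccess rule from the article as a Python regex (assumed equivalent; Apache applies
# a .htaccess rule to the path relative to the install folder, so there is no leading slash):
#   RewriteRule ^.*/?(admin[0-9a-zA-Z]*)/(.*)$ index.php?__admin=$1&__pg=$2&%{QUERY_STRING} [L]
ADMIN_RULE = re.compile(r"^.*/?(admin[0-9a-zA-Z]*)/(.*)$")
ADMIN_DIR = "admin01ab"  # the $config['admin_dir'] value used in the article
MAX_BAD_HITS = 100       # "about 100" wrong admin??? accesses from one IP -> shut out until next day

def match_admin(path):
    """Return (admin_prefix, page) when the rule matches the request path, else None."""
    m = ADMIN_RULE.match(path)
    return (m.group(1), m.group(2)) if m else None

def rewrite(path, query=""):
    """The index.php target the rule produces for a path, or None when the rule does not fire."""
    hit = match_admin(path)
    if hit is None:
        return None
    # %{QUERY_STRING} is appended even when empty, so the target then ends in '&'
    return f"index.php?__admin={hit[0]}&__pg={hit[1]}&{query}"

class AdminGate:
    """Per-IP lockout for wrong admin??? prefixes, modelled on the behaviour the article describes."""

    def __init__(self, admin_dir=ADMIN_DIR, max_bad_hits=MAX_BAD_HITS):
        self.admin_dir = admin_dir
        self.max_bad_hits = max_bad_hits
        self.bad_hits = {}       # ip -> wrong admin??? accesses counted so far
        self.blocked_until = {}  # ip -> first day (integer day counter) the IP is let back in

    def handle(self, ip, path, day):
        """Classify one request: 'blocked', 'public', 'admin' (genuine hidden URL) or 'probe'."""
        if self.blocked_until.get(ip, day) > day:
            return "blocked"
        hit = match_admin(path)
        if hit is None:
            return "public"  # ordinary page: the rule did not fire, nothing is counted
        # constant-time comparison so response time does not leak how many characters matched
        if hmac.compare_digest(hit[0], self.admin_dir):
            return "admin"
        self.bad_hits[ip] = self.bad_hits.get(ip, 0) + 1
        if self.bad_hits[ip] >= self.max_bad_hits:
            self.blocked_until[ip] = day + 1  # shut out until the next day
            del self.bad_hits[ip]  # counter starts fresh when the block expires
            return "blocked"
        return "probe"
```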
Furthermore, if you want to operate securely, using static output is recommended.
Many plugins cannot be used with static output, but for sites that do not particularly need them, static output is recommended for both speed and security.
In OneThird CMS the static output destination can also be set freely and easily.
Please give it a try.