Hello there!
I always prefer to handle my websites on my own without granting access to anyone. However, sometimes I have to work with layout designers or designers who work independently to make necessary changes.
Occasionally, I need to grant access to the templates folder by creating a distinct FTP account where I can monitor the user's actions. Although access appears to be limited to only one folder, it is still possible for someone to upload a script and cause damage.
What measures can I take to protect myself? Is there a way to add rules to .htaccess or other methods available? For example, to prevent the execution of scripts. On the contrary, it is possible to add whatever logic to the template and run it through the website, which raises concerns.
Thank you!
I had a similar problem where the SEOs had access to the company's site and their work always left me flabbergasted by its consequences. Although no harm was done, it was clear that the qualifications of these individuals were inadequate for our complex website.
Unfortunately, there is no way to completely protect yourself from unprofessionalism. However, regularly creating backups can enable you to revert to any previously saved restore point at any time. Additionally, using git can be beneficial as it enables you to track all changes made to files easily through console commands such as git log, git status, and git diff (excluding the database).
It is always better to invest in a reliable and established contractor rather than trying to save money. Additionally, it is essential to create a written contract that specifies all the details regarding what needs to be done and what isn't needed. Regular backups are also critical.
For added security, consider placing your site in a separate folder or subdomain and restricting access via password and/or indexing. Only provide the performer access to a specific folder or subdomain, where they can carry out their work. Afterward, check everything thoroughly, create a backup of the current site, and overwrite it.
Moreover, it is crucial to establish clear communication with the contractor throughout the project and regularly check progress to avoid any potential issues.
To safeguard the master components of a website, they should be isolated on a separate page and secured with appropriate protections. In place of the master components, provide reference copies to the layout designer that have been thoroughly checked against a checklist and are safe for them to modify.
Alternatively, the layout designer can use a free "Duplicate to drafts" button to create copies of the files in their drafts that remove any additional questions about adding an "editor." Similarly, a designer can work on their local files calmly and transfer changes to the public file once they're ready.
It's critical to ensure that only authorized individuals have access to the master components to avoid any potential mishaps. Additionally, regularly reviewing the work of those who have access can help identify and address any potential issues before they become problematic.
To give access to a site to a coder or designer, create a user account with suitable permissions in your site's content management system (CMS) or hosting platform. Provide them with login references and specify the level of access they need, such as admin, editor, or contributor. For added security, consider using two-factor verification and regularly updating access permissions as needed.
As you've astutely observed, this doesn't entirely mitigate the risk of malicious activity. A determined individual could still attempt to upload a script and cause havoc.
To fortify your defenses, you can indeed leverage the power of.htaccess files to add rules that prevent the execution of scripts within the templates folder. One approach is to add a directive that disables PHP execution for specific file types or directories. For example, you could add the following lines to your.htaccess file:
# Disable PHP execution for files within the templates folder
<FilesMatch "\.(php|pl|py|rb|cgi|sh)$">
SetHandler None
Options -ExecCGI
</FilesMatch>
This will prevent PHP files (and other scripting languages) from being executed within the templates folder. However, please note that this is not foolproof, and a determined attacker might still find ways to circumvent this restriction.
Another strategy is to implement a more granular access control system, such as using Unix permissions or ACLs (Access Control Lists). By setting the permissions on the templates folder to read-only for the FTP user, you can prevent them from uploading or modifying files. However, this might require more advanced knowledge of Unix permissions and ACLs.
It's also essential to maintain a robust monitoring and logging system to detect any suspicious activity. Regularly reviewing your server logs can help you identify potential security breaches or unauthorized access attempts.
While there's no silver bullet to completely eliminate the risks associated with granting access to third-party designers, a combination of these measures can significantly reduce the likelihood of security breaches. As a webmaster, it's crucial to remain vigilant and proactive in maintaining the security and integrity of your website.
I'd like to add that it's also essential to consider the concept of "defense in depth." This means implementing multiple layers of security controls to protect your website, rather than relying on a single solution. By combining.htaccess rules, Unix permissions, and monitoring, you can create a robust security posture that minimizes the risk of security breaches.
Why even risk it with half-baked folder restrictions? Sure, chroot jail and .htaccess tricks like php_flag engine off can block script execution, but a savvy hacker can still exploit template logic or sneak in backdoors if your app ain't locked down. File perms (644/755) are cute, but they're not bulletproof against a determined script kiddie.
You're playing with fire if you don't audit every upload or disable dynamic includes in your CMS. Backup? Pfft, that's just damage control, not prevention. Step up your game - use a staging env or Git repo for collabs instead of raw FTP.