Best 6 Tips in Securing DNN Website

6 tips in securing dnn site

DNN is the most powerful asp.net CMS software that's loved by millions of users and communities. The DNN local communities exist in most countries with different languages support. There're many people living by dnn development on modules and skins. It's also very good learning platform for .net programmers. Because of it's leadership in asp.net, it's crucial to understand some security tactics in using this software. We have been worked with DNN since 3.2 and supported lots of dnn clients on live hosting service. Following DNN security tips are generated from our daily experience and professional suggestions in DNN community.

Secure installation

Security is started before your initial dnn installation. As suggested by this article, DNN keeps user password via encrypted format and we can improve it using hash. But we must edit configuration file before installation. Also, unless you have a blade fast hosting server, we highly suggest install locally first then move to hosting space. From our experience, dnn installation wizard can fail easily. In case you get unsuccessful installation, the wizard can be restarted when people browse to your domain.

Admin/Host credentials

By default, DNN provides two user accounts admin/host. Actually we can change the two user id to anything else and apply enhanced password policies. DNN can be auto installed by various installers nowadays but we highly recommend to install manually so you can understand the entire process and secure the installation as much as possible.

Use Captcha

Captcha is great feature to reduce spam registration and submission on your DNN site. Captcha is a built in feature and it can be enabled via admin user login. In case you run into problems to enable this feature, this article should help fix it. There're also multiple official articles on how to customize the captcha image, just make a bit research and you'll be surprised how fantastic it is.

Set proper file permission

DNN is programmed on asp.net platform that highly rely on "networkservice" this user account to work with. We must grant "RWXD" permissions to this user to ensure everything can work fine. However, we should restrict other user accounts permission correctly or else it will bring big security issue. We highly recommend to follow this official tutorial to configure the right file permissions.

Do not use sql express

SQL express is the free edition of sql server service. We don't recommend use it for your live website. Not just for performance but also refers to daily maintenance. Since both website files and database are located on the same server, any misconfiguration might bring big security issues. For enterprise website purpose, full version sql server is a must because it's configured on dedicated sql server environment. As we know, the less service on server, the more secure it is.

Use reliable module/skin resource

Because lots of developers live by module/skin development, there're many dnn resources we can get. However, we must find a reliable provider because each developer has different programming skills. The script design decides its overall secure level directly so we must pay good attention to it. DNN now provides official store for commercial skins/modules. All of their products are verified by DNN official team for guaranteed performance and security. If you need commercial solutions, their official store should be primary consideration.

Check DNN Logs

You don't have to login hosting server for website logs. DNN has built in log system to record all server end and onsite activities. You can view how your website be accessed and which user logged in at what time. Check those logs often and find if there's anything inormal so you can apply necessary changes in time.

Use a reliable DNN hosting

Probably the most important part. Hosting server is the destination of all your datas so it's quite important to get a right provider in the beginning. No matter how much time it may take, we don't need to quarrel with customer support at a bad hosting service. The best dnn hosting service must be setup on latest windows server system and up to date hardware production. Network must be safe and clean with good protection over common attacks.

If you have extremely high requirements to performance and security, powerdnn might be the right place because their team members are actually dnn developers and work for DNN official! if you need budget choice, you might check out winhost who's dedicated in windows hosting service.

Best 6 Tips in Securing your Drupal Website

6 tips in securing drupal site

Drupal is recognized one of the most scalable and secure web development platform. There're milliions of global users and developers rely on it for various website purpose. The drupal core is already a well developped and safe system. Security issues are mainly from user end during operation process. Based user experience and professional suggestions, we carry out the following 6 tips in securing a drupal website.

Keep updated and backup regularly

The simple but crucial requirement. The drupal project is pretty active and provides frequent updates. Just follow this official guidance to update your drupal core to latest release. Since all drupal site date is stored in mysql database, so pay extreme attention to it.

Backup is also a MUST. As drupal official suggested, we should generate a backup before any update/upgrade in case anything goes wrong. Especially when you operate a business site that includes a lot of sensitive data, you should back up more frequently, probably schedule a daily solution.

Use a safe theme

Drupal is safe, but not all drupal themes are! There're tons of official and non-official drupal themes for different website requirements. We must use a trustable theme resource. A high quality drupal theme is not just able to beautify the website layouts but also come with professional and safe code design. Everything is tested and optimized before final release to make sure end users can use it safely. Those cracked or less trustable themes should be avoided for any reason.

Proper file permission

This refers to hosting account configuration in control panel. Make sure to set the correct file permission by following this official guidance. You can also configure to following recommended settings directly

/default on 755
/default/files including all subfolders and files on 755
/default/themes including all subfolders and files on 755
/default/modules including all subfolders and files on 755
/default/settings.php and /default/default.settings.php on 644

Incorrect permission settings will bring bit potential issues because hackers are very diligent in finding our website bugs.

Strong password

Strong password is always suggested for all drupal sites. Not just for website password but for its backend mysql database and ftp password too. We should also pay attention to different website user accounts and make sure they get correct rights.

Sign up a protection service

Regulary scanning of our drupal sites can greatly reduce hacking opportunites. A trustable third party service can simplify the process by automatic schedules. From lots of drupal professionals experience, mollom is highly suggested by them. Especially for drupal sites that come with frequent interaction between the readers and authors, the mollom solution provides side by side protection such as the following

  • Blocks spammy comments on any node, articles, pages, forum topics etc.
  • Blocks contact form Spam.
  • Protects the original user registration/subscription from fake user accounts.
  • Protects user’s password request form

Use a reputable drupal hosting

A safe and drupal compatible hosting service is a must to power a successful site. Unlike many other open source cms softwares, drupal works a little different and requires extra server support to get everything working properly. Leading drupal hosting plans always provide newest server and customer support. They have great FAQ and video tutorials in using the software professionally