Sunday, February 28, 2010

Basic Website Protection and Security Steps

Most people who have websites do not realize that it takes only a few simple steps to give your website and download products some degree of security. No matter what type of digital product you are selling on the Internet, it is critical that you review your digital delivery method to make sure people are not walking away with your products for free. A few lost sales may not seem like much, but over time they add up to a substantial loss of revenue. There are a few steps you need to think about in order to keep those who have not paid from stealing something you have worked long and hard to create.

The following are the most Basic Protection and Security Steps (BPASS) that anyone selling digital products online must take. These take only minutes to do and no special software or programming knowledge is required. Best of all, it costs you nothing to implement them.

BPASS-1

Most people who sell digital download products store their downloads as PDF documents. Nearly all search engines can read and list PDF documents. This means that you must never save or upload a product you want to sell as a plain PDF file. Many search engines can also convert PDF files into HTML documents, so these search engines not only have access to download your PDF file, but can also download your source file as well.

A simple way of keeping your files out of the reach of search engines is to upload them as a zip file. Search engines cannot currently look inside zip files to list their contents. You can use one of many free programs, such as WinZip, to create a ZIP archive and hide your digital product (for example, an ebook) inside it. Search engines typically do not go near any file with a .ZIP extension.

BPASS-2

All web servers are configured to display a default page for a directory if a default file exists. That is how your home page is found when someone simply enters a domain name as the URL for a web site: the server searches a list of default file names and, if it finds a match, displays that page. The default files, index.*, could be similar to those shown below, where * is the index page extension.

index.htm
index.html
index.shtml
index.php

When someone goes to your site by typing in your URL, the index page is what they normally see first. This prevents them from viewing the other pages or files you may have in the root directory; what your visitor actually sees in this case is your home page.

The other directories (sub-folders) on your website, the ones below your root directory (which is typically called "public" or "public_html"), do not normally have an index page. If the index page is not there, your visitor may be able to view every web page or file you have in that directory. A folder without an index page is open, and everyone can find your product and download it if they search for it. You should therefore create an index page for every one of your folders. This is especially important for your download directory.

Such a placeholder index page can be used in any directory on a web site except those that already have an index page or default page. This includes the root directory. Never place one of these files in the root directory, never overwrite an index page or default page that already exists, and never place an index page in a directory where another index page or default page already exists.

A basic index.* page would have, at minimum, the following:

The above basic index page would show a blank web page. Instead of seeing all the files that you have in the sub-folder, visitors would simply see a blank web page.

If you want, you can put some text or graphics between and tags.
You can add some text that perhaps says: "Internal server error. Please contact system administrator."

The text will give the impression that the person trying to get into your site caused some type of server error, and so will hopefully stop them from going any further. The modified index page is shown below:

You can also take the index web page one step further. You can redirect spying eyes from your website directories back to your home index page in your root directory. You can use what is called a "meta refresh" tag. The tag looks like the following:

<META HTTP-EQUIV="refresh" content="0;URL=http://www.yourdomain_name">

You would replace "yourdomain_name" with your actual domain name or whatever URL you would like to put there.

The following shows the index page with the meta refresh tag:

In the meta tag, the page refresh has been set to zero (0) seconds, so the visitor is redirected to the specified URL immediately.

If you are using an index page with the meta-refresh tag only, then instead of seeing a blank web page, visitors are actually redirected to your home page. If this was a casual surfer who just happened to end up at your website by mistake, they will find themselves on your home page, and you might end up getting a customer, a good side benefit of the index.html page with the meta-refresh tag.

Please don't forget that if you do not create an index.htm or index.html file, etc., you are allowing everyone to directly access the folder where you store your downloads, which will cost you potential income.

BPASS-3

You can easily stop search engines from indexing your web pages. An indexed web page is one that anyone can find on the Internet when they do a search. A "Robot" meta tag disallows search engine spiders from reading and listing the download pages that link to your products. This tag must be on your download page(s) and on any other web page that you do not want indexed for one reason or another.

On the web page, between the <head> and </head> tags, add the following "Robot" tag.

The tag prevents search engine spiders from reading and listing the download pages that link to your eBooks. This "Robot" tag tells the spider that this page is not to be spidered or indexed. As a result it should never show up on a search.

BPASS-4

Search engines scan only two levels down your domain, so try keeping your downloadable product three or four levels down;
– for example, www.mydomain/directoryA/directoryB/directoryC/download file.

BPASS-5

Make sure to name your download folders and files with strange names and change them often. Don't use common names like downloads.htm or thankyou.htm, as someone could go to the search engines and easily find your documents this way.

Change your download links frequently. To prevent unscrupulous people from posting your download links on forums or message boards, change the folder or file name where you store them from time to time, even if it means having to change the download links in your merchant account.

BPASS-6

Protect your folders with permissions: set the correct directory and script file permissions.

A variety of files and directories on your website need to be given the correct permissions to work properly. In the Unix world, giving permissions to files or directories is done with CHMOD (change mode), a Unix command that lets permission levels be assigned to each file or directory. The proper CHMOD settings also help with your website protection and security.

The following are the basic file permissions:

Files: 644
Folders: 755 (with index page in it)
Images: 644
CGI scripts: 755
PHP scripts: 644

Folders with CHMOD 755 must have an index page in them. By default, your public or public_html directory is typically set to CHMOD 755. With this setting, if a Web surfer connects to your website, the server will display either your home page (if a file with the name index.html, index.htm, index.shtml, etc., exists) or a listing of all the files in that directory. This also holds true for any sub-folder in your domain, which is why you need an index page in every folder on your website.

Always make sure your folders are given 755 permissions (with an index file in them) or 711 permissions. With 711 the server gives an "Access denied" error instead of a file listing: if there is no index page, the Web surfer will receive a "Forbidden" error message.

The CHMOD capability depends on two conditions:

1) The server you are connected to must support the CHMOD command.
2) You must have access rights to change the attributes of that remote file or directory.

Make sure these two conditions are fulfilled.

The 644 file permission is the normal permission for your web pages. Suppose you have just finished modifying a web page and do not want anybody to update or delete it. Giving the web page file permission CHMOD 444 has exactly this effect: it gives everybody, including the owner (user), read capability only. If the owner turns off the write permission, the file is protected from accidental or deliberate destruction.

You may have to set CHMOD 444 via your host's cPanel in a browser. Make sure you check this out. If you entered your site via FTP, test it by editing your web page file, adding a small change and then removing it; when you try to save the file, you should not be allowed to overwrite it.
Once you have changed the file permission to CHMOD 444 on your web page, ensure that it still functions and runs properly. Whenever you need to edit your web page, simply change back to CHMOD 644, make your changes, and then change it again to CHMOD 444.

Having to change file permissions every time you need to edit a web page might feel a bit tedious. But preventing attacks on your website, which could stop all traffic to it, may well be worth the extra few minutes needed to edit a web page via the CHMOD command.
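As an added example (not part of the original post), the following POSIX shell helpers turn BPASS-2, BPASS-3 and BPASS-6 into a repeatable check: write_index_page drops a placeholder index.html (meta refresh plus a robots noindex tag) only into a directory that has no index page yet, and audit_webroot reports directories without an index page and any file or directory whose mode differs from the table above. The default file names, the mode table (755/711 for directories, 644/444 for files, 755 for CGI scripts) and the sample tree built by make_sample_root are assumptions taken from this post.

```shell
# Added example, not from the original post: shell helpers for BPASS-2, -3 and -6.
# has_index DIR: true if DIR already has one of the default pages the post lists.
has_index() {
    for name in index.htm index.html index.shtml index.php; do
        [ -f "$1/$name" ] && return 0
    done
    return 1
}

# write_index_page DIR URL: create a placeholder index.html that redirects to URL
# with a meta refresh and tells spiders not to index it. Returns 1 without
# touching DIR when it already has an index page (never overwrite an existing one).
write_index_page() {
    has_index "$1" && return 1
    cat > "$1/index.html" <<EOF
<html>
<head>
<meta name="robots" content="noindex,nofollow">
<meta http-equiv="refresh" content="0;URL=$2">
</head>
<body></body>
</html>
EOF
    chmod 644 "$1/index.html"
}

# audit_webroot ROOT: list directories lacking an index page and files/directories
# whose mode differs from the post's table (dirs 755 or 711, files 644 or 444,
# CGI scripts 755). Returns 1 when something was found, 0 when the tree is clean.
audit_webroot() {
    findings=$( {
        find "$1" -type d | while read -r d; do has_index "$d" || echo "no-index: $d"; done
        find "$1" -type d ! -perm 755 ! -perm 711 | sed 's/^/dir-perm: /'
        find "$1" -type f ! -name '*.cgi' ! -perm 644 ! -perm 444 | sed 's/^/file-perm: /'
        find "$1" -type f -name '*.cgi' ! -perm 755 | sed 's/^/cgi-perm: /'
    } | sort )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_sample_root: constructed web root showing the mistakes the post warns about.
make_sample_root() {
    root=$(mktemp -d); mkdir -p "$root/downloads" "$root/images"
    printf '<html></html>' > "$root/index.html"; printf 'ebook' > "$root/downloads/ebook.zip"
    printf '#!/bin/sh\n' > "$root/images/form.cgi"                 # CGI left at 644 below
    chmod 755 "$root" "$root/downloads"; chmod 777 "$root/images"  # images: far too open
    chmod 644 "$root/index.html" "$root/downloads/ebook.zip" "$root/images/form.cgi"
    echo "$root"
}
```

Run audit_webroot against your real document root (it only reads), then use write_index_page on each reported no-index directory and chmod on each reported mode before auditing again.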

Summary

Using these Basic Protection and Security Steps will give you a good degree of satisfaction, knowing that you have taken the most basic steps to protect your digital valuables, and at absolutely no cost to you.

If you want greater security and more information on plugging the security loopholes in your website, please visit the following website:

http://www.websiteprotection.net
