ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

The active forums are here.

Client asking about site security

August 15, 2012 3:40pm

  • #1 / Aug 15, 2012 3:40pm

    susanfw

    62 posts

    We’ve recently completed a membership site, where once members register, they can edit information about their school. Our client is questioning whether the site is secure. So my question is, should the following items be secured with SSL?
    1. Member registration form (name, email, phone, select password)
    2. The safecracker forms on the site that require member logins
    3. The member login form
    4. The EE control panel

    Note: All the information being submitted is available to the public except the passwords.

    Thank you.
    Susan

  • #2 / Aug 16, 2012 6:51pm

    Dan Decker

    7338 posts

    Hi susanfw,

    “So my question is, should the following items be secured with SSL?”

    That is entirely up to your discretion, if the client feels it’s worth the cost of a certificate. However, I wouldn’t say it is standard practice.

    Here’s a list of EE add-ons that can help with implementing SSL if you decide to use it.

    Let me know if you have any other questions!

    ~

     

  • #3 / Aug 16, 2012 7:03pm

    susanfw

    62 posts

    Thanks for your response, Dan. Coincidentally, a 2nd site for this client (we’re using MSM) just got hacked. We ended up with content about Ambien on the site, and in the Google results. We followed all the recommendations in this forum, and of our host (Dreamhost), and it seems to be clean now. But I want this client to feel comfortable that the site is secure. We will go ahead and install the SSL cert if they want that, but am I correct that having an SSL certificate would not have prevented the site from being hacked?

    Susan

  • #4 / Aug 17, 2012 4:05pm

    Dan Decker

    7338 posts

    Hi Susan,

    Hacked is a strong word with serious security implications. Are you sure you don’t mean spam? Typically in the form of entry comments or forum posts that appear to be advertising?

    Does the site accept member registrations? Do you have commenting turned on for entries? Is there a forum installed?

    With that information, I can help you with some resources and add-ons that will make it more difficult for spammers to take advantage of the site.

    “but am I correct that having an SSL certificate would not have prevented the site from being hacked?”

    That is correct! SSL will ensure that the connection between the web browser and the server is encrypted, but spammers can still get through.

    I look forward to your reply!

    ~

  • #5 / Aug 17, 2012 5:41pm

    susanfw

    62 posts

    No, it wasn’t spam. We found the following code in our admin.php file just above the system path:

    include('inc/lib/cache.php');

    We removed cache.php, css.php, png.js, as well as several other files that looked suspicious.

    Two of the pages of the site had content about ‘Ambien’, and the Google results mentioned Ambien as well. This is completely unrelated to our site content.

    We are using MSM. The main site was infected. It has been online since March. The 2nd site is the registration site. It just officially launched 2 weeks ago. It was not infected, as far as we can tell. Registration is an important function for the site, so it cannot be turned off.

    The forum module is not installed. Commenting was not turned off on all channels. But it is now.

    Our host (Dreamhost) isolated some suspicious files, and we have gone through the site carefully, removing a few other files that look suspicious. They also had us change our file permissions from 777 to 755 and 666 to 644.

    We are uploading fresh EE files, and changed our hosting, FTP, and SuperAdmin passwords.

    We checked these files as I saw mentioned elsewhere in the forum, and admin.php looked to be the only one infected:
      * index.php
      * admin.php
      * system/index.php
      * system/expressionengine/config/config.php

    If you think there is something further we should do, please let me know.
    Susan

  • #6 / Aug 17, 2012 5:54pm

    Dan Decker

    7338 posts

    Susan,

    Thank you for clarifying, and that is certainly worrisome.

    “They also had us change our file permissions from 777 to 755 and 666 to 644.”

    Which files did they have you change? Those permissions are completely acceptable if the host is configured properly.

    Are there any other PHP based applications installed on the server besides ExpressionEngine? Even ones that aren’t being used?

    ~

  • #7 / Aug 17, 2012 6:18pm

    susanfw

    62 posts

    Dan -
    Dreamhost changed the permissions to the uploads directories, image directories, and template directories, and said we should always use 755 and 644, so we checked to see that everything used those permissions. They also said the following:

    IMPORTANT NOTE: One or more of your users has been found to have a file or directory with fully open ‘777’ permissions.  This allows full read, write, and execute access to everyone on the server.  This makes your site vulnerable because if there is another user on your server that is hacked or malicious they could be looking to exploit other users with improper permissions.  You should always use the default ‘755’ permissions setting for directories, and ‘644’ for files.  The directories/files listed below have been reset to these values, but you must keep this in mind going forward in case this was a point of intrusion.

    Our site only uses EE and add-ons. But we are on a shared hosting account, so we don’t know what else is on the server.

    Susan
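
The two checks discussed in posts #5 and #7, as an added example that is not part of the original thread or of ExpressionEngine itself: list world-writable paths, and list `include`/`require` lines with a literal path in the four entry-point files named above so they can be compared with a fresh copy. The function names and the demo tree are constructed for illustration, and the include pattern is a review aid, not a malware signature.

```shell
#!/bin/sh
# Added example; function names and the demo tree are constructed.
# The entry-point list is the one checked in the thread.
ENTRY_POINTS="index.php admin.php system/index.php system/expressionengine/config/config.php"

# Files and directories writable by every account on the server (777, 666).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# include/require lines in the entry points that load a quoted literal path,
# printed as file:line:text for comparison against a fresh copy.
literal_includes() {
    for rel in $ENTRY_POINTS; do
        [ -f "$1/$rel" ] || continue
        grep -nE "^[[:space:]]*(include|require)(_once)?[[:space:]]*\(?[[:space:]]*['\"]" \
            "$1/$rel" /dev/null || true
    done
}

# The host's advice from the thread: 755 for directories, 644 for files.
reset_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree: an injected include in admin.php, a 666 file
# and a 777 upload directory. Prints the path of the new tree.
make_demo_tree() {
    umask 022
    d=$(mktemp -d) || return 1
    mkdir -p "$d/system/expressionengine/config" "$d/images/uploads"
    printf '<?php\n$system_path = "./system";\n' > "$d/index.php"
    printf "<?php\ninclude('inc/lib/cache.php');\n\$system_path = './system';\n" > "$d/admin.php"
    printf '<?php\n' > "$d/system/index.php"
    printf '<?php\n$config = array();\n' > "$d/system/expressionengine/config/config.php"
    chmod 666 "$d/admin.php"
    chmod 777 "$d/images/uploads"
    echo "$d"
}

# Audit the path given as $1, or the constructed demo tree if none is given.
root=${1:-$(make_demo_tree)}
echo "World-writable paths:"
world_writable "$root"
echo "Literal includes in entry points:"
literal_includes "$root"
```

`reset_perms` changes every file under the path it is given, so point it at the upload, image and template directories rather than at the whole account.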

  • #8 / Aug 20, 2012 4:13pm

    Dan Decker

    7338 posts

    Hi Susan,

    “Our site only uses EE and add-ons. But we are on a shared hosting account, so we don’t know what else is on the server.”

    That is hard to say, for sure. It sounds as though Dreamhost has properly advised you regarding the file permissions on those directories.

    Those wouldn’t have been an angle to access admin.php though. Have you checked the permissions on index.php and admin.php as well?

    With proper permissions, it is very rare to have those files affected outside of FTP.

    Is there anything else I can assist you with?

    ~

  • #9 / Aug 20, 2012 7:12pm

    susanfw

    62 posts

    Dan - We’ve reviewed all of the permissions, and I think cleaned out all the malicious code.  It looks like we have everything under control now. We have Dreamhost doing a fresh scan now to check.

    I appreciate your input.
    Susan

  • #10 / Aug 21, 2012 5:33pm

    Dan Decker

    7338 posts

    Susan,

    It’s been my pleasure! Thank you for your patience and explanations along the way.

    If the host turns up anything else, please let me know.

    Cheers!

    ~
