How do I secure my web site?

  1. Brute force detection should be enabled.
  2. Cache directories should be secured.
  3. CAPTCHAs should be enabled and required for anonymous users to avoid spam.
  4. Code Injection should be prevented.
  5. Cookies should NOT be used to store passwords and sensitive data.
  6. CSRF should be prevented.
  7. Directory listing should be disabled.
  8. File Inclusion should be prevented. Use a white-list/black-list and validation model.
  9. File uploads should be enabled just for authorized users.
  10. Firewall should be enabled.
  11. FTP uploads for anonymous users should be disabled.
  12. PHP system-shell functions (system, exec, dl, shell_exec, ...) should be disabled.
  13. Register Globals for PHP should be set to off.
  14. Safe mode for PHP should be on.
  15. Sessions should be used for authentication.
  16. Session Fixation should be prevented.
  17. Session hijacking should be prevented.
  18. Source code should be hidden.
  19. SQL Injection should be prevented. Use filters or install Apache modules like modsecurity or suhosin.
  20. Temp directory should be secured.
  21. XSS should be prevented.

Read these documents for detailed information:
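Items 6 and 15 to 17 of the checklist (CSRF, sessions for authentication, session fixation, session hijacking) are the ones that come down to a few lines of application code. The block below is an added example, not code from the original post or from any of the projects it names. It assumes PHP 7.3 or newer and a site served over HTTPS; `check_credentials()` is a hypothetical placeholder for the site's own password verification.

```php
<?php
// Added example (not from the original post): session handling that covers
// items 15-17 of the checklist (sessions for auth, fixation, hijacking) and
// item 6 (CSRF). Assumes PHP 7.3+ and HTTPS. check_credentials() is a
// hypothetical placeholder for the site's own password check.

declare(strict_types=1);

// Cookie attributes: HttpOnly keeps JavaScript away from the session id (XSS),
// Secure keeps it off plain HTTP, SameSite limits cross-site sending (CSRF).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue
ini_set('session.use_only_cookies', '1');  // never accept a session id from the URL
session_start();

function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {   // hypothetical app function
        return false;
    }
    // Fixation defence: issue a fresh id after the privilege change and
    // discard the old one, so an id planted before login is worthless.
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    // Hijacking mitigation: bind the session to the client's User-Agent and
    // give it an absolute lifetime, so a stolen cookie is useful for less time.
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return true;
}

function session_is_valid(int $max_age = 3600): bool
{
    if (empty($_SESSION['user'])) {
        return false;
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua_hash'] ?? '', $ua)
        || time() - (int) ($_SESSION['login_time'] ?? 0) > $max_age) {
        logout();
        return false;
    }
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie client-side too, then drop the server-side data.
    setcookie(session_name(), '', time() - 3600, '/', '', true, true);
    session_destroy();
}

// CSRF: one random token per session, embedded in every state-changing form
// and compared with a constant-time check on submission.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_check(?string $submitted): bool
{
    return is_string($submitted)
        && !empty($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Handler for a state-changing action by a logged-in user:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!session_is_valid() || !csrf_check($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Request rejected');
    }
    // ... perform the action ...
}
?>
<form method="post">
  <input type="hidden" name="csrf"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <!-- remaining form fields -->
</form>
```

The User-Agent binding only raises the bar slightly, since an attacker who has the cookie usually has the User-Agent as well; the absolute lifetime, `use_strict_mode`, and the cookie flags do most of the work against hijacking. `session_regenerate_id(true)` is the single call that addresses fixation and belongs at every privilege change, not only at login.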


use professional applications

use professional applications like drupal, joomla, wordpress, phpbb, vbulletin.

use secure frameworks like zend, symfony, cakephp etc...

separate design and code, update your core system.

follow security news, bugs etc...

use hard passwords

secure your tool-directories like phpmyadmin etc

Don't use PHP (important)

PHP is not the problem, but

PHP is not the problem, but the dirty coders! If you can't code, use only HTML!

CAPTCHA is a poor solution

Instead of bothering everyone with CAPTCHA you should implement something smarter.

Use bayesian filters and blacklists - there are open source projects with ready solutions. Or use Akismet/Defensio if you don't want to maintain one yourself.

For small sites there are tricks with CSS/JS that can replace CAPTCHA.

SQL injections

Amateur coders use mysql_query() and try to assemble SQL queries by hand. Quoting the parts is often forgotten; that's where the problem comes from.
Professional programmers use PARAMETERIZED SQL instead. See PDO and ? parameters.

"Filters and Apache modules" are not a solution. Obviously providing newbies with magic_quotes and other workarounds hasn't exactly led to better understanding. As showcased here.
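The hand-assembled query the comment above warns about, shown next to the PDO prepared statement it recommends. This is an added example, not the commenter's code. It assumes a MySQL database with a table `users(id, name, email)`; the DSN and credentials are placeholders.

```php
<?php
// Added example (not the commenter's code): string-built SQL beside the PDO
// prepared statements the comment recommends. Assumes a MySQL table
// users(id, name, email); host, user and password are placeholders.

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,   // server-side prepares: data is never parsed as SQL
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// VULNERABLE: the value is pasted into the SQL text. A name containing a
// quote changes the structure of the query instead of being compared as data.
function find_user_unsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll();
}

// SAFE: the SQL is fixed at prepare time and the value travels separately;
// whatever $name contains, the server only ever compares it as a string.
function find_user(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll();
}

// Named placeholders read better when a query takes several parameters.
function find_users_by_domain(PDO $pdo, string $domain, int $limit): array
{
    $stmt = $pdo->prepare(
        'SELECT id, name, email FROM users WHERE email LIKE :pattern LIMIT :limit'
    );
    // Placeholders protect the SQL structure, not the LIKE pattern language:
    // wildcards inside user input still have to be escaped by hand.
    $pattern = '%@' . strtr($domain, ['%' => '\%', '_' => '\_']);
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);  // LIMIT needs an integer bind
    $stmt->execute();
    return $stmt->fetchAll();
}

// Constructed input: a single quote in the name. In the unsafe function the
// quote terminates the string literal and the rest of $probe becomes SQL;
// in the safe function the same bytes are just a name nobody has.
$probe = "O'Brien";
var_dump(count(find_user($pdo, $probe)) === 0);   // true on a table without that name
```

The two points worth taking from the block are the ones the comment makes: with `ATTR_EMULATE_PREPARES` off the query text and the data reach the server on separate paths, so there is nothing to quote and nothing to forget, and the remaining risk moves to places placeholders cannot reach (LIKE wildcards, identifiers, `ORDER BY` columns), which need a whitelist rather than escaping.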
