Security
Security is an important consideration for two reasons:
1. Your website statistics data needs to be kept confidential, so steps should be taken to keep the data private.
2. Access to sections of the website should be restricted so that there is less chance of a security exploit. Logaholic is a robust application, but all servers need to have basic steps taken to reduce risk.
After installation
You should delete the /installation/ folder after the application install completes successfully. It is no longer required.
Passwords
Password-protect the Logaholic directory (folder) using the cPanel facility. This can be researched in the cPanel documentation that your host provides.
Passwords should be longer than 10 characters and contain a mix of numbers, lower case letters, and upper case letters. Although your cPanel may accept symbols within a password, it may be better not to include them, since many password situations will not allow them. A typical strong password will look like this: s73B67gF1EJ75k4
You can see that it is not related to anything found in a dictionary. It is bad policy to use a word that may be found in one, or to use the same password twice, i.e. somewhere else as well. Such a password cannot be remembered - but again, it is not good policy to use the memorable type of password. An unlimited number of these complex ones can easily be held in any password manager such as KeePass (open source) or RoboForm (commercial).
A 'camouflage' directory name is another good method: here, we call the Logaholic folder something else entirely. Instead of the folder being /logaholic/ as normal, we would call it /products/ or something similar. Then, attacks on the server cannot even locate the right folder. This does not affect the operation of Logaholic, and the directory name can be changed at any time.
It is necessary to point out clearly here that Logaholic is NOT a vulnerable application and in fact is very robust. However, security is a vital consideration now that attacks on servers are taking place at unprecedented levels. A secure server is a much safer home for your online business.
Ultimate security
For sites attacked regularly, for additional peace of mind, the folder can be locked by htaccess to any named IP or IPs. This means that only a permitted IP can access the folder in any way. This is perhaps going further than necessary, but is an option for those sites in market areas where they will receive a high level of probes and attacks. You could take the viewpoint that little or no security is really needed; on the other hand, a secure server may be a good idea for any business. With more security comes more likelihood of minor annoyances in daily operation, but many will be willing to put up with that.
To use the htaccess method, you create a plain text file called:
logaholic.htaccess.txt
This is then uploaded by FTP to WITHIN the Logaholic folder. Don't place it out in the webroot; that will block the whole site to everyone except you :)
Then rename the file to .htaccess; this sets it live. Note that this is DOT-htaccess. It cannot normally be created on a PC using the correct name, because Windows does not allow this type of filename.
The file blocks access to any IP except those listed. You should put in (a) the server IP, (b) your office IP, and (c) your home IP. Here is an example:
# htaccess for yoursite.com logaholic directory
# deny all except those indicated here
# allows the server itself - office IP - home IP
# (the three addresses below are placeholders from the documentation ranges;
#  replace each one with your real address before uploading)
<Files *>
order deny,allow
deny from all
# server IP
allow from 203.0.113.5
# office IP
allow from 198.51.100.20
# home IP
allow from 192.0.2.77
</Files>
You can see that this script blocks out anyone except the 3 IPs listed. Any line starting with a hash (#) symbol is ignored by the server. If your IP changes, you will have to edit your local copy of the file, then overwrite the server copy - or you'll be locked out. This of course is how we test it at first: put in the wrong IP and you should be locked out with a 403 error. If you aren't, then the script needs adjusting.
Don't be tempted to change the order & deny wording in any way (unless the script doesn't work on your particular server of course). We've seen variants of this that DON'T WORK. Simply test it by uploading it without your IP, then with your IP. If you're blocked, then allowed access - it works. Don't forget -- only place this IN THE LOGAHOLIC FOLDER.
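The lock-out test above can also be rehearsed offline before the file is uploaded. The following script is an added example, not part of Logaholic or of the original page: it parses an Order/Deny/Allow block, simulates Apache's evaluation for a given client address, and flags any "allow from" entry that is not a valid IP (a mistyped octet such as 341 would never match and would lock you out). The sample file embedded in it is constructed for the demonstration, using documentation addresses.

```python
import ipaddress

# Constructed sample (not the page's file): same layout as the page's
# example, using RFC 5737 documentation addresses plus one deliberately
# malformed entry to show what the checker catches.
SAMPLE_HTACCESS = """\
<Files *>
order deny,allow
deny from all
allow from 203.0.113.10
allow from 198.51.100.0/24
allow from 212.83.341.43
</Files>
"""

def parse_rules(text):
    """Return (order, deny_rules, allow_rules, problems) for an Order/Allow/Deny file."""
    order, rules, problems = None, {"allow": [], "deny": []}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":      # skip comments and <Files> wrappers
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif key in rules and len(parts) >= 3 and parts[1].lower() == "from":
            for target in parts[2:]:
                if target.lower() == "all":
                    rules[key].append("all")
                    continue
                try:                          # accepts a.b.c.d and a.b.c.d/nn
                    rules[key].append(ipaddress.ip_network(target, strict=False))
                except ValueError:
                    problems.append(f"line {lineno}: {target!r} is not a valid IP/CIDR; "
                                    "Apache treats it as a hostname, so it will never match")
        else:
            problems.append(f"line {lineno}: unrecognised directive {line!r}")
    return order, rules["deny"], rules["allow"], problems

def _matches(client, rules):
    return any(r == "all" or client in r for r in rules)

def is_allowed(client_ip, text):
    """Simulate Apache's Order deny,allow / allow,deny evaluation for one client."""
    order, deny, allow, _ = parse_rules(text)
    client = ipaddress.ip_address(client_ip)
    denied, allowed = _matches(client, deny), _matches(client, allow)
    if order == "deny,allow":                 # allow overrides deny; default is allow
        return allowed or not denied
    if order == "allow,deny":                 # deny overrides allow; default is deny
        return allowed and not denied
    raise ValueError("missing or unsupported Order directive")

def lockout_check(text, my_ips):
    """The page's test, done offline: which of my own addresses would get a 403?"""
    return [ip for ip in my_ips if not is_allowed(ip, text)]
```

Run lockout_check on your real file with your server, office and home addresses; an empty list means none of them would be blocked, and any entry in parse_rules(...)[3] should be corrected before upload.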
Use a secure browser
Some browsers are much more secure than others, and it may be better to use Firefox or Opera than more common choices.
Security is a headache but the alternative is worrying - so you must choose.