Security

  • File Permissions

  • Using SSL

    This page will be amended. Getting an SSL certificate There are a small number of universally recognized SSL signing authorities. However, they have dozens of resellers who resell the same certificates cheaper than if you buy them from the source. So shop… more »
  • Exposing PHP Errors to Visitors

    Best practices recommend you do not show any technical error messages to users because if they are malicious, those error messages can help them gain knowledge about the technical details of the server and help them refine an attack strategy. Thus we r… more »
  • Crumbs (nonces)

    Principle The goal of crumbs is to prevent a hacker from being able to blindly carry out actions on your blog by tricking you into clicking on a link. For example, let’s suppose a hacker sends you an email containing a link saying "click h… more »
  • mod_security

    mod_security (http://www.modsecurity.org/) is a PITA. We do not recommend its use. However, you may have this module forced on you by your webhost. Please tell us who your webhost is so we can make a list. mod_security will scan requests in the most… more »
  • .htaccess and sample.htaccess Files

    In addition to the main .htaccess File, b2evolution comes with several sample.htaccess files which you can (and actually should) rename to .htaccess in their respective folders. WARNING: Each sample.htaccess file is different. Do not copy one from… more »
  • Brute force password attacks

    b2evolution includes code to prevent brute force password attacks. By default, if an (existing) user account receives 10 wrong passwords within 10 minutes, that account will be locked for 10 minutes. When the account is locked, even a login with the… more »