• File Permissions

  • Using SSL

    This page will be amended. Getting an SSL certificate: There are a small number of universally recognized SSL signing authorities. However, they have dozens of resellers who resell the same certificates cheaper than if you buy them from the source. So shop…
  • Exposing PHP Errors to Visitors

    Best practices recommend you do not show any technical error messages to users because if they are malicious, those error messages can help them gain knowledge about the technical details of the server and help them refine an attack strategy. Thus we r…
  • Crumbs (nonces)

    Principle The goal of crumbs is to prevent a hacker from being able to blindly carry out actions on your blog by tricking you into clicking on a link. For example, let’s suppose a hacker sends you an email containing a link saying "click h…
  • mod_security

    mod_security is a PITA. We do not recommend its use. mod_security will scan requests in the most "stupidest way" and block them. (We made tests with the OWASP core basic rules and they logged tons of false…
  • .htaccess Files

    In addition to the main .htaccess File, b2evolution comes with several sample.htaccess files which you can rename to .htaccess in their respective folders. Doing so will prevent direct execution of .php files, as an additional security precaution, in…
  • Brute force password attacks

    b2evolution includes code to prevent brute force password attacks. By default, if an (existing) user account receives 10 wrong passwords within 10 minutes, that account will be locked for 10 minutes. When the account is locked, even a login with the…