sddawson
05-11-2008, 04:55 AM
Sorry for the long post. I'm new to BH and also pretty new to hosting in general. It seems pretty hard for a beginner to get up to speed with BH. There are loads of individual entries in the BH Help Center and, of course, lots of forum entries. But finding answers can sometimes be like finding a bit in a terabyte - nothing really seems to summarise the important things a beginner needs to know, or provide any "best practices" info. I'd be happy to put such a thing together if I can get answers to the questions I have myself, and maybe others can add to the questions too. I think I represent the type of user that makes up a fair percentage of the BH user base. Want a web site, not interested in programming anything myself, and will probably use the likes of Joomla and Wordpress. So here we go...
Security
Obviously the security of a web site is paramount. The horror stories you read even on the forum are enough to make you want to take your web site and run. So the following issues concern me:
Is "Error Logs" in cPanel a log for the whole server box? Seems to be a lot of traffic in it, and I was wondering whether anything in there could expose anything untoward.
Is the php.ini that's installed by BH really just a bare-bones, default one? What should really be changed in it? So far, I've read (at http://helpdesk.bluehost.com/kb/index.php?x=&mod_id=2&id=319) that you should change it so that error_display is set to ZERO. Looks to me like this is actually wrong, and you should set display_errors = Off. Am I right? Should anything else be changed?
Also, do you have to change every php.ini wherever it exists, assuming you have some subdomains and addon domains, or only put one in public_html?
Where exactly should php.ini exist?
I read at http://bluehostforum.com/showthread.php?t=8842 that it's important to hide php.ini. By default, you can go to yourdomain.com/php.ini and the browser kindly displays the contents. So you should add
<Files php.ini>
order allow,deny
deny from all
</Files>
to .htaccess. Works fine, but I'm not sure whether you only have to do that in public_html for it to affect all domains.
Of course, this all begs the question as to whether BH should install a "hardened" php.ini & .htaccess in the first place that you can loosen if you need to, rather than the other way around!
Are there any similar security considerations after installing Joomla and Wordpress via SimpleScripts?
You can actually go to http://ftp.yourdomain.com and see a default BH starter web page (even though "ftp" isn't defined as a subdomain). I don't like broadcasting where my stuff's being hosted. Of course, I suppose I could define an "ftp" subdomain and stick my own page there, but I'm wondering why this happens.
How do you keep up with new releases of things like Joomla and Wordpress, since it's important to keep up to date with security fixes? Does a re-install via SimpleScripts just overwrite the previous install with the latest version? And is there a way to get notified of new releases?
SFTP seems to be the best way of securely uploading/downloading content, rather than FTP. But is it correct that you can only use SFTP for the main account, which rules out using it for an individual who looks after, say, just one subdomain?
BH's FTP server seems to automatically allocate correct file (644) and folder (755) permissions, but SFTP doesn't. It leaves permissions as whatever the source files are on the client machine. Couldn't this lead to some security exposures?
What's the fastphp.ini that gets installed for? Any considerations for it?
Miscellaneous
If you want to use Wordpress for multiple blogs, am I correct that you simply install it multiple times into different subdomains? Ditto for Joomla for multiple web sites?
It confused me that php.ini, fastphp.ini and the various error pages get installed by BH in subdomains but not addon domains. Any reason for this? The php files aren't installed in public_html either. All seems a bit inconsistent.
I presume it's best to enable fast php via cPanel. This changes .htaccess in public_html. Is this the only place it needs to be changed, or in subdomain and addon domain folders too?
Well, that's a start. Again, sorry for the long post & the beginner questions that have each been asked before somewhere I'm sure, but hope this is a worthwhile exercise.
Steve
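Two of the points raised above can be checked mechanically from a shell: SFTP leaving client-side modes in place instead of the 644/755 that FTP uploads get, and whether the php.ini in a web root actually has display_errors turned off. The script below is an added example, not part of the original post and not anything Bluehost ships; the web root layout, the file names, and the php.ini location are assumptions (on a cPanel account the root is usually public_html, with php.ini alongside the site files), and the fixture it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or from Bluehost). Two checks a
# shared-hosting user can run over a web root after an SFTP upload:
#   1. normalise modes to 644 (files) / 755 (directories), because SFTP keeps
#      whatever mode each file had on the client;
#   2. confirm the php.ini in that web root has display_errors = Off.
# The web root path and php.ini location are assumptions; adjust to your layout.

# Set every directory under $1 to 755 and every regular file to 644.
normalize_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Count files and directories under $1 whose mode is not 644/755.
# Prints the count; 0 means nothing is out of line.
count_bad_perms() {
  {
    find "$1" -type f ! -perm 644
    find "$1" -type d ! -perm 755
  } | wc -l | tr -d ' '
}

# Return 0 if the last uncommented display_errors line in $1 turns it off
# (Off/off/0), 1 otherwise. A missing setting also counts as a failure,
# because PHP's compiled-in default for display_errors is On.
display_errors_off() {
  val=$(grep -i '^[[:space:]]*display_errors[[:space:]]*=' "$1" 2>/dev/null \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*;.*$//; s/[[:space:]]*$//')
  case "$val" in
    [Oo][Ff][Ff]|0|\"0\"|\"[Oo][Ff][Ff]\") return 0 ;;
    *) return 1 ;;
  esac
}

# Build a constructed web root in a temp dir with deliberately wrong modes
# (as if copied over SFTP from a sloppy client) and a php.ini that still
# displays errors. Prints the directory path.
make_fixture() {
  d=$(mktemp -d)
  mkdir "$d/images"
  printf '<?php echo "hi";\n' > "$d/index.php"
  printf 'GIF89a' > "$d/images/logo.gif"
  printf '; constructed php.ini\ndisplay_errors = On\nlog_errors = On\n' > "$d/php.ini"
  chmod 777 "$d/images"
  chmod 600 "$d/index.php"
  chmod 666 "$d/images/logo.gif"
  echo "$d"
}

# Stand-alone run (sh this_script.sh demo): fix the fixture and report.
if [ "${1:-}" = "demo" ]; then
  root=$(make_fixture)
  echo "before: $(count_bad_perms "$root") entries with wrong modes"
  normalize_perms "$root"
  echo "after:  $(count_bad_perms "$root") entries with wrong modes"
  if display_errors_off "$root/php.ini"; then
    echo "php.ini: display_errors is Off"
  else
    echo "php.ini: display_errors is NOT Off - set display_errors = Off"
  fi
  rm -rf "$root"
fi
```

To use it against a real account, replace the fixture with the actual web root (for example public_html) and run normalize_perms and display_errors_off on that; count_bad_perms before and after gives a quick audit without changing anything. The php.ini check deliberately reads only the last uncommented display_errors line, since a later line overrides an earlier one in PHP's parser, and treats a commented-out or absent line as "not off".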