MageHost - A Cleaner Application is a Safer Application

Gewijzigd op Tue, 20 Dec 2022 om 01:04 PM

Disclaimer: MageHost has joined forces with Savvii. Therefore, these articles are only relevant to existing MageHost customers. For more information on this, visit www.savvii.com/en/magehost.  


We often see sensitive data files on public accessible web locations like within the web root (httpdocs). We understand it is a convenient way to download your own data, but it is unacceptable in terms of privacy, security and GDPR.

You may think nobody will find your secret files, but a hack or data leak is always uses multiple weak points in a row. For example a leak in an extension may allow an attacker to see the directory index of your webroot. If there are already database dump file ready to be downloaded, he has your full database within a few minutes.

Temporary files

Temporary files often contain sensitive information, for example customer details during an export. You can place temporary files in ~/tmp, this location can also be found in the environment variable $TMPDIR. The ~ points to your home dir in shell, this is the same as the variable $HOME .

PHP Info

Do not leave a file showing phpinfo() anywhere in the webroot. This would expose a lot of version numbers, installed software and setting which are all valuable information for hackers. I you really need to look up something, create a file with a hard to guess name, and remove it right after use.

PhpMyAdmin or Adminer

Don't upload any database editing tools in your webroot. If you want to use PhpMyAdmin you can read here how to use the one MageHost installed. If you can't live without Adminer, you can ask us to enable it.

Exports

Exports often contain sensitive customer data, price listings or trade secrets. You don't want to leak this data. We advise to make your exports in Magento's var/export export directory and download them using SFTP, for example FileZilla.

Database Dumps or Other Backups

Database dumps almost always contain secret settings, customer or trade data. Probably even on places where you don't expect it, like on development environments. Also these files are often quite big which takes up valuable SSD storage space. This is the reason every hosting account has a ~/backup directory which is stored on SAS storage. Please make your backups there and use GZip to compress them. You can download them using SFTP or SCP, for example FileZilla. Inside the ~/bin  directory we placed scripts to backup your files and database.

Backups of PHP Files

We understand as a developer you may want to be able to revert your changes or to see what you changed since last working version. Well, that is exactly what Git is made for! Git is available on all MageHost servers. Don't leave backups of PHP files lingering around, because often these are viewable as plaintext via the web. You may want to check your current live and staging hosting accounts for backups of PHP, XML, INI files etc.


Was dit artikel nuttig?

Dat is fantastisch!

Hartelijk dank voor uw beoordeling

Sorry dat we u niet konden helpen

Hartelijk dank voor uw beoordeling

Laat ons weten hoe we dit artikel kunnen verbeteren!

Selecteer tenminste een van de redenen
CAPTCHA-verificatie is vereist.

Feedback verzonden

We stellen uw moeite op prijs en zullen proberen het artikel te verbeteren