First of all, keep this in mind: there is no such thing as a 100% secure system. Everything is relative. Having said that, there are things you can do to make your system better secured.
This guide summarizes various steps to secure your site, with tips from both this site and the official Xoops forums. The majority of the tips have already been listed on this site, but not in a structured way. We hope that the structured presentation of all the tips, old and new, will give you a better grasp of the security issues.
Choosing a Host
Many of us tend to underestimate the importance of a good web hosting company and go with whoever offers the "best features" at the lowest cost. You should put a lot of thought into selecting a host.
A good and reputable hosting company usually means good web security. As most of us do not have the budget for a dedicated server, you should pay special attention to the security of the whole server and of the other sites on the same server.
The security of the other sites and of the server is just as important as the security of your own site.
No matter how secure your site is, if the server has been compromised via another site on the same server, all your efforts may in the end mean nothing in protecting your site.
One-man shops, resellers and small web hosting companies should be avoided if you can, as they generally lack the resources or skills to properly manage and monitor their servers.
As web hosting is increasingly commoditized, it is no longer a big expenditure. A good web host is worth the extra you pay.
The scary part of web hosting is that nowadays you can rent a server from a large wholesaler such as Everyone's Internet for $200 or less a month and become a web host overnight. As long as the resellers pay their fees, the wholesalers don't give a damn about server security.
When you choose a reseller, ask yourself this question: "Does the host have the skills to properly manage the server?"
If your hosting company is located in the UK but its servers are located in Texas, what would happen if your server were to break down? You would have to call your host, and then your host would have to call its host to sort the problem out. Hopefully you get the idea.
When you select a host, keep this in mind: "What you pay is what you get." If your site is important to you, don't settle for a $2 a month web host.
Installation - Choose a table prefix
During the installation process, choose a table prefix that is not easily guessable. Don't use the stock "xoops" table prefix; it is too easy for crackers to guess.
If you have already installed your site with the default "xoops" table prefix, you can use GIJOE's Xoops Protector module to change the prefix.
Post Installation
Once you have successfully finished the Xoops installation, do not forget to remove the install directory and chmod mainfile.php. Leaving your installation directory in place and mainfile.php unprotected openly invites others to overwrite your installation and take control of your site. If they were to do malicious things using your site, you could end up liable for any damage done.
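The two post-installation checks above, plus the table-prefix check from the installation step, as an added POSIX shell script that is not part of this guide. It assumes the stock XOOPS layout (an install/ directory under the web root and a mainfile.php containing define('XOOPS_DB_PREFIX', ...)); the sample site it builds for the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the guide): post-install hardening check for a XOOPS
# web root. Assumes the stock layout: <root>/install/ and <root>/mainfile.php
# containing a line like  define('XOOPS_DB_PREFIX', 'xoops');
# Reports each failing check on stdout; returns 0 only when all checks pass.
check_xoops_postinstall() {
    root=$1; status=0
    # 1. The installer must be gone: anyone who can reach it can re-run the
    #    installation and overwrite the site's configuration.
    if [ -d "$root/install" ]; then
        echo "FAIL: $root/install still exists; remove it"; status=1
    fi
    [ -f "$root/mainfile.php" ] || { echo "FAIL: $root/mainfile.php missing"; return 1; }
    # 2. mainfile.php holds the DB credentials; it must not be writable by the
    #    group or by others (the guide's "chmod mainfile.php").
    mode=$(stat -c '%a' "$root/mainfile.php" 2>/dev/null \
        || stat -f '%Lp' "$root/mainfile.php")       # GNU stat, then BSD stat
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done   # pad to 4 octal digits
    case "${mode#??}" in                             # group + other digits
        *[2367]*) echo "FAIL: mainfile.php mode $mode is group/world-writable"; status=1 ;;
    esac
    # 3. The table prefix must not be the stock "xoops" value.
    prefix=$(sed -n "s/.*define *( *'XOOPS_DB_PREFIX' *, *'\([^']*\)'.*/\1/p" "$root/mainfile.php")
    if [ -z "$prefix" ] || [ "$prefix" = xoops ]; then
        echo "FAIL: table prefix is '${prefix:-unset}'; pick a non-default one"; status=1
    fi
    return $status
}

# Builds a constructed sample site for the demo:  make_sample_root DIR unsafe|safe
make_sample_root() {
    mkdir -p "$1"
    if [ "$2" = unsafe ]; then
        mkdir -p "$1/install"
        printf "<?php\ndefine('XOOPS_DB_PREFIX', 'xoops');\n" > "$1/mainfile.php"
        chmod 666 "$1/mainfile.php"
    else
        printf "<?php\ndefine('XOOPS_DB_PREFIX', 'k7pq');\n" > "$1/mainfile.php"
        chmod 444 "$1/mainfile.php"
    fi
}

# Demo against both variants in a scratch directory.
tmp=$(mktemp -d)
make_sample_root "$tmp/unsafe" unsafe
check_xoops_postinstall "$tmp/unsafe" || echo "unsafe: not hardened (expected)"
make_sample_root "$tmp/safe" safe
check_xoops_postinstall "$tmp/safe" && echo "safe: all checks passed"
rm -rf "$tmp"
```

Run it against a real site with check_xoops_postinstall /path/to/xoops; the exit status makes it usable from a cron job or deployment hook.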
Install Xoops Protector Module
Once you have finished the installation, the first module you should install is GIJOE's Xoops Protector module. If you are serious about the security of your Xoops site, the Protector module is a must.
Xoops is perhaps one of the most secure CMS systems around. However, its core does have weaknesses that could potentially let crackers into your site, as demonstrated by GIJOE, by far the biggest contributor to Xoops security.
Xoops 2.0.10 will incorporate some of GIJOE's ideas, but the Protector module is still highly recommended as it defends against attacks on both the XOOPS core and modules.
The Protector module can protect against various kinds of attacks, such as DoS; bad crawlers or bots; SQL injection; XSS; system globals pollution; session hijacking; null bytes; wrong file path specifications; and CSRF (which is fatal in XOOPS <= 2.0.9.2).
For more information, please check GIJOE’s website:
www.peak.ne.jp/xoops/