Question 1

How to install SQLite for PHP on a Apache/Nginx server

Accepted Answer

SQLite is a very popular & fast relational database that is designed to be embedded within software applications. If your server does not already have the SQLite drivers for PHP, please follow the guide below:

|| If you are using a cPanel based server, follow this guide.

Step 1 - Install SQLite3 on your Linux server

First login to your server via SSH and update your package list:

sudo apt update

Now install SQLite:

sudo apt install sqlite3

To verify the installation, check the software’s version:

sqlite3 --version

You should see an output like this:

3.37.0 2021-12-09 01:34:53 9ff244ce0739f8ee52a3e9671adb4ee54c83c640b02e3f9d185fd2f9a179aapl

Step 2 – Install the pdo_sqlite module for your PHP version

sudo apt-get install php-sqlite3

If the above command does not work, you can try the PHP version-specific instructions below:

For PHP5.x, use sudo apt-get install php5-sqlite
For PHP7.0, use sudo apt-get install php7.0-sqlite
For PHP7.1, use sudo apt-get install php7.1-sqlite
For PHP7.2, use sudo apt-get install php7.2-sqlite
For PHP7.3, use sudo apt-get install php7.3-sqlite
For PHP7.4, use sudo apt-get install php7.4-sqlite
For other PHP versions, use sudo apt-get install phpX.Y-sqlite after replacing X.Y with your PHP version number

Step 2 – Restart Apache/Nginx

To enable these modules for PDO usage, we will have to restart Apac

Question 2

How to add missing HTTP Security Headers

Accepted Answer

Most modern browsers ships with a built in XSS filter. However this setting could be turned off by default. Including the X-XSS-Protection header forces this filter to be enabled, thus providing additional protection against Cross Site Scripting attacks.

Missing Strict Transport Security header means that the application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user’s network traffic could bypass the application’s use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool automates this process.

Missing Content-Type header means that this website could be at risk of a MIME-sniffing attacks.

Steps to Fix

Q: How to create a phpinfo page

You can view your server configuration by creating a phpinfo file. The phpinfo page will provide information about the server configuration, PHP version, installed modules, environment variables, OS information etc. <h2 id="howtocreateaphpinfopage">How to create a phpinfo page</h2> <ol> <li>Open the File Manager in your Hosting Control Panel, or connect to your server via SSH or FTP</li> <li>Navigate to the folder where your website files are there. On shared hosting servers, it is usually <code>/home/USERNAME/public_html</code> and <code>/var/www/html</code> in VPS servers.</li> <li>Create a new file: <code>phpinfo-70ccde79-e6b8-497b-8ca4-8031a015fe3a.php</code></li> <li>Edit the file, and save the following code inside it:</li> </ol> <pre><code>&lt;?php echo phpinfo(); ?&gt; </code></pre> <ol start="6"> <li>Once you've uploaded this file to your server, visit the page in your browser by entering <code>example.com/phpinfo-70ccde79-e6b8-497b-8ca4-8031a015fe3a.php</code></li> </ol> ||| We strongly recommend to delete this file after use, as it contains highly sensitive information <img src="https://storage.crisp.chat/users/helpdesk/website/2e017d0dc14f2800/image_2bb34h.png" alt="" />

X-XSS-Protection

For Apache, it is recommended to use the protection provided by XSS filters without the associated risks by using the following code to .htaccess file:

# X-XSS-Protection
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>

For Nginx, add the following code to the nginx configuration: add_header X-XSS-Protection "1; mode=block";

Strict Transport Security

The application should instruct web browsers to only access the application using HTTPS.

To do this, enable **HTTP Strict Transport Secu

Question 3

How to create a phpinfo page

Accepted Answer

You can view your server configuration by creating a phpinfo file. The phpinfo page will provide information about the server configuration, PHP version, installed modules, environment variables, OS information etc.

How to create a phpinfo page

Open the File Manager in your Hosting Control Panel, or connect to your server via SSH or FTP
Navigate to the folder where your website files are there. On shared hosting servers, it is usually /home/USERNAME/public_html and /var/www/html in VPS servers.
Create a new file: phpinfo-70ccde79-e6b8-497b-8ca4-8031a015fe3a.php
Edit the file, and save the following code inside it:

<?php echo phpinfo(); ?>

Once you've uploaded this file to your server, visit the page in your browser by entering example.com/phpinfo-70ccde79-e6b8-497b-8ca4-8031a015fe3a.php

||| We strongly recommend to delete this file after use, as it contains highly sensitive information

Question 4

Content Security Policy - All you need to know

Accepted Answer

What is Content Security Policy?

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.

Unsafe Inline or Unsafe Eval

Inline JavaScript and CSS are often used on websites but they are also dangerous. They’re the easiest way for a hacker to create an XSS attack. Therefore, to allow them you must add 'unsafe-inline' to the directive you want to allow them for. This is to make sure you understand, what you’re doing isn’t recommended.

A common CSS pattern is to inline your most important CSS that renders your ‘above fold content’ with <style> tags. This can help decrease the perceived rendering time. With HTTP/2, it can be argued against doing this as it tends to be slower. If you do choose to use inline scripts, you have three options.

Get a SHA-256 hash of the script & a

Question 5

How to re-connect the Website Protection plugin on your site

Accepted Answer

If the Astra Dashboard is not able to connect with the Website Protection plugin installed on your website, you may see a warning in your dashboard. This means that when you take any action on the Astra Website Protection Dashboard, it will not get synced with the plugin and the changes will not take affect immediately.

To re-connect your website, you can try the following steps. After performing every step, please retry the connection from your dashboard to verify it.

Plugin Disconnected Warning

Step 1 - Enter a new Activation Code

Navigate to the Settings page for the website where you see this warning
Scroll down and click on the Re-install Astra button
Before we re-install the plugin, let us first try to resolve the issue by entering a new Activation Code. Click on Show Activation Code to generate a new code.
Visit the Activation Page URL as shown in the dashboard & enter the new Activation code. The URL will be similar to example.com/?astraRoute=api/login
Now come back to the Astra Dashboard, and click on the Retry button in the warning screen. If you still face an error, try the next step.

Generate New Activation Code

Step 2 - Update to the latest plugin

Since entering the Activation code did not work, let us try to install the **latest

Question 6

How to block or trust an IP address, range or country from accessing your website

Accepted Answer

With Astra Website Protection, you can control who can access your websites based on the follwing:

IP Address (IPv4 & IPV6)
IP Range (IPv4 & IPV6)
Country
Other HTTP parameters (using Security Boosters)

||| If you create a block rule, then the visitors will be shown a "Access Restricted" page. For trust rules all security checks are disabled, so use sparingly.

How to Block or Trust an IP address or IP range

In the Astra dashboard, go to the Threats page for your website
Scroll down to the Trusted & Blocked List & click on Block/Trust IP button
Select Trust/Block IP Address
Enter the IP address in IPv4/IPv6 format OR the IP Range in CIDR format
You can enter a Note which will help you remember why you created this rule
Now select the action you want to take. Select either Block, or Trust.
Click on Add Rule to activate the rule

How to use a CIDR range?

CIDR is an industry used notation for IP ranges. You can specify the ranges as per the following:

A range of IPv4 addresses, in CIDR block notation. For example, 203.0.113.0/24
A range of IPv6 addresses, in CIDR block notation. For example, 2001:db8:1234:1a00::/64

Learn more about CIDR

Frequently Read Articles

Browse All Categories