1  

Javascript / SQL injections would be the first thing I'd safeguard against. Also keep in mind that there are possible holes if you let users upload files to the site. Also be wary of admin control panels (CPanel, etc) as they could be targeted to acts of brute forcing.

Javascript / SQL注入将是我要防范的第一件事。还要记住，如果你让用户上传文件到网站上，可能会有漏洞。还要注意管理控制面板(CPanel等)，因为它们可能针对暴力强迫行为。

2  

If you use any 3rd party libraries, make sure to be a subscriber to their news listings, and try be informed of their security notices.

如果您使用任何第三方库，请确保是他们的新闻列表的订阅方，并尝试被告知他们的安全通知。

I saw an entire server taken out by a vulnerability in a 3rd party PHP library once which really was not pleasant. This may seem obvious, but you'd be surprised the majority of people don't do this, which is why the invasions are so effective. :)

我曾经在第三方PHP库中看到过一个被漏洞破坏的服务器，这真的很不愉快。这似乎是显而易见的，但你会惊讶于大多数人不这么做，这就是为什么入侵如此有效。:)

1  

• http://php-ids.org/
• http://php-ids.org/
• http://pixybox.seclab.tuwien.ac.at/pixy/othertools.php
• http://pixybox.seclab.tuwien.ac.at/pixy/othertools.php
• Lots of reading on security papers
• 大量阅读安全文件

0  

If you don't have the skill/resources to do your own security testing, I would recommend WebInspect. I am not sure of the price, but this is the best tool I have tested for web security testing. A lot of tools such as Nessus won't really help in your case, because they are looking mainly at known flows in the web server or in known packages.

如果您没有能力/资源来进行自己的安全性测试，我建议您使用WebInspect。我不确定价格，但是这是我在web安全测试中测试过的最好的工具。许多诸如Nessus之类的工具对您的情况并没有多大帮助，因为它们主要关注web服务器或已知包中的已知流。

0  

Ratproxy :

Ratproxy:

A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

这是一种半自动化的、主要是被动的web应用程序安全审计工具，通过观察复杂web 2.0环境中现有的、用户发起的流量，对潜在的问题和与安全相关的设计模式进行精确和敏感的检测和自动标注。

Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.

检测并确定安全问题的主要类别，例如动态跨站点信任模型考虑、脚本包含问题、内容服务问题、不够的XSRF和XSS防御等等。

You use ratproxy while you use application as normal and it highlights potential security flaws.

您在使用应用程序时使用了ratproxy，它突出了潜在的安全性缺陷。

0  

I will start from the second question. To void security holes on your website you have to follow several steps:

我将从第二个问题开始。要消除你网站上的安全漏洞，你必须遵循以下几个步骤:

1. If you use open-source CMS (like Joomla, Drupal or others) keep it up to date. Also update 3rd party components, modules, etc. on a regular basis (as soon as possible). This is probably the most important step.
2. 如果您使用开源CMS(如Joomla、Drupal或其他)，请保持它的最新。定期(尽快)更新第三方组件、模块等。这可能是最重要的一步。
3. Install secure FTP client (like WinSCP) and use most secure connection
4. 安装安全的FTP客户端(如WinSCP)并使用最安全的连接
5. Change all your FTP passwords. Use strong passwords.
6. 更改所有FTP密码。使用强密码。
7. Change logins the administrative backend at your site
8. 更改站点的管理后端登录
9. Check .htaccess file permisions and contents. Get this file if you haven’t used it before.
10. 检查。htaccess文件的权限和内容。如果您以前没有使用过这个文件，请将它获取。
11. Ensure you don’t have any forgotten php file browsers in your web folder.
12. 确保web文件夹中没有忘记的php文件浏览器。

Now, if you want to test website security there are number of free and open source tools. I’d recommend starting with w3af – it’s a comprehensive website audit framework. However, you will have to play with it a little bit. A lot simpler is websecurify. If you just want to have quick results use websecurify. I found a blog post describing the most popular free website security testing tools.

现在，如果你想测试网站的安全性，有很多免费和开源的工具。我建议从w3af开始——它是一个全面的网站审计框架。但是，您将不得不使用它一点。更简单的是websecurify。如果你只想要快速的结果，请使用websecurify。我发现了一篇描述最流行的免费网站安全测试工具的博客文章。

However, if you’re a complete novice, I would recommend ordering a website security test from a professional. Check for example webyfly.com.

但是，如果你是一个完全的新手，我建议你从专业人士那里订购一个网站安全测试。检查例如webyfly.com。

0  

1. In response to Robert Mirek answer - I would not recommend CMS updates as a default. Updating is not always effective as new versions tend to come with new, yet to be patched, exploits. The main problem here is not the even version itself but all the plug-ins (or extensions or modules) that need to be updated and with every such update the chance for vulnerability grows. Wait a few days and read a round before updating, you`ll save yourself a lot of problems.

   对于Robert Mirek的回答，我不建议将CMS更新作为默认设置。更新并不总是有效的，因为新版本往往会出现新的版本，而不是被修补。这里的主要问题不是偶数版本本身，而是所有需要更新的插件(或扩展或模块)，并且随着每一次这样的更新，出现漏洞的机会会增加。等待几天，在更新之前阅读一遍，你会省去很多麻烦。

2. Regarding site security check. The question should be more specific. What are you worried about (SQL injection, Illegal access, XSS, scraping? ) Some attacks can not be avoided (i.e. botnet DDoS) and must be absorbed via 3rd-party solutions, others can be mitigated with WAF.

   关于现场安全检查。这个问题应该更具体。您担心什么(SQL注入、非法访问、XSS、抓取?)有些攻击是无法避免的(比如僵尸网络DDoS)，必须通过第三方解决方案加以吸收，而其他攻击则可以通过WAF加以缓解。

I work for a security company (Incapsula) and after seeing and reading alot about the subject I can tell you one thing - checking is almost irrelevant, if you are not behind a strong WAF and Cloud based DDoS mitigation platform, you are not secured.

我在一家安全公司(in荚膜)工作，在看到并阅读了大量关于这个主题的文章后，我可以告诉你一件事——检查几乎是无关紧要的，如果你没有使用强大的WAF和基于云的DDoS缓解平台，你就没有安全可言。