Webasyst security tips

Useful hints on increasing the security of the installed Webasyst framework scripts


1. Change the backend access URL

By default /webasyst/ is used to access the backend, but you can easily change this. To do so, simply add the following line to configuration file wa-config/config.php:

'backend_url' => 'admin',	// this will make the backend accessible at /admin/

You can use any other string instead of 'admin'.

It is also possible to have a dynamically generated backend URL; e.g.:

'backend_url' => 'admin'.date('d'),

date('d') returns the day number of the current date; for example, on June 8 it will return 08. Thus, your backend would be accessible at /admin08/ on that specific day.

2. Change the user password hash generation function

The framework does not store user passwords. It does store their hashes instead. To ensure compatibility with other software systems and previous generations of WebAsyst applications, the framework utilizes md5($password) as the hash generation function by default.

Modern GPUs are capable of relatively fast password brute-forcing using md5-generated hashes which means that, if your users' password hashes get leaked, many passwords can be compromised.

As of framework version 1.0.8 there is a possibility to assign a custom password hash generation function by adding declaration of function wa_password_hash() at the end of file wa-config/SystemConfig.class.php, for example:

function wa_password_hash($password)
    return md5(sha1("S!aL:T1%(#".$password)."_s+A=lT,2?*");

Strings S!aL:T1% and _s+A=lT,2?* in the above example are called "salt". You can specify your own values instead of the ones shown in the example. Adding a "salt" makes hashes more resistant to brute-force cracking.