"SearchEditors.com" would appreciate review (by Webnauts)

Webnauts · #1 (**permalink**) 06-16-2008, 09:14 PM

Myself with my Project Manager Marc, we have setup a social community platform, and we would appreciate very much, if you could give us a review for anything you think is important for us to improve.

It may be viewed here: Search Editors Community / Published News

Thanks in advance for your kind support.

John

amxfan · #2 (**permalink**) 06-16-2008, 10:55 PM

I am honored in being able to review your site.
I did see a few things that I was surprised to see.
I would like to start out by saying that it is an excellent blog / supportive site for your main site. Good / very useful content, well organized, but:

1. While viewing your source code I was surprised to see the amount of white space / empty lines. I was anticipating cleaner coding with better grouping of code.

2. Your description and keywords need to be completed.

3. While looking through your robots.txt file, I also tested for directory indexing and found it possible. One of the ones I tested was http://www.searcheditors.com/templates/

4. I have seen your favicon used on a different page. It may have been one of your pages, but I am not sure. Just something to think about if you want to use it as a favicon for your site.

5. On your 404 page, where you have "Pretty sure it's a website bug? Please let us know and we'll try to get it fixed." I would have added a link to a web form so people could let you know.

davebarnes · #3 (**permalink**) 06-18-2008, 12:53 AM

DON'T TELL ME HOW MANY CHARACTERS MY PASSWORD NEEDS.

My password is my password and if I want to use 3 letters, then please let me do so.

Webnauts · #4 (**permalink**) 06-18-2008, 01:05 AM

Quote:

Originally Posted by davebarnes

DON'T TELL ME HOW MANY CHARACTERS MY PASSWORD NEEDS.

My password is my password and if I want to use 3 letters, then please let me do so.

Too bad Dave. We are concerned about the security of our members. And that is a minimum we can provide.

Webnauts · #5 (**permalink**) 06-18-2008, 01:10 AM

Quote:

Originally Posted by amxfan

1. While viewing your source code I was surprised to see the amount of white space / empty lines. I was anticipating cleaner coding with better grouping of code.

We did not write the code. It is a pligg template which we are working on, to clean it up, improve its semantical structure and accessibility.

Quote:

Originally Posted by amxfan

2. Your description and keywords need to be completed.

If you are about SEO it is not required. Still we are planning to implement when we have the time.

Quote:

Originally Posted by amxfan

3. While looking through your robots.txt file, I also tested for directory indexing and found it possible. One of the ones I tested was Index of /templates

How can it be indexed if no link points to that folder. Do you possibly mean that it is browsed? If yes, we are going to disable it with rules in our .htaccess.

Quote:

Originally Posted by amxfan

4. I have seen your favicon used on a different page. It may have been one of your pages, but I am not sure. Just something to think about if you want to use it as a favicon for your site.

Can you be more specific where?

Quote:

Originally Posted by amxfan

5. On your 404 page, where you have "Pretty sure it's a website bug? Please let us know and we'll try to get it fixed." I would have added a link to a web form so people could let you know.

Good idea. Will be done.

Thanks for the kind review. Keep suggestions coming.

amxfan · #6 (**permalink**) 06-18-2008, 01:41 AM

Quote:

How can it be indexed if no link points to that folder. Do you possibly mean that it is browsed? If yes, we are going to disable it with rules in our .htaccess.

I think you're misunderstanding what type of indexing I'm talking about. I'm not talking about being indexed by search engines but a index / listing of that folder's contents. Alot of people look at the robots.txt file to see folders, then pluck in the address and look for exploits and to steal content. A quick fix, as I am sure you know, is just put a blank index.html in each folder.

Quote:

Can you be more specific where?

For the life of me I cannot remember where I have seen that image, but if I come across it again I will make sure to let you know.

amxfan · #7 (**permalink**) 06-18-2008, 01:48 AM

Found it!

http://blogious.wordpress.com/2008/04/20/smashing-feed-icons-by-fasticon/

This is one site that I saw it on, but there are more.

Webnauts · #8 (**permalink**) 06-18-2008, 11:56 AM

Quote:

Originally Posted by amxfan

I think you're misunderstanding what type of indexing I'm talking about. I'm not talking about being indexed by search engines but a index / listing of that folder's contents. Alot of people look at the robots.txt file to see folders, then pluck in the address and look for exploits and to steal content. A quick fix, as I am sure you know, is just put a blank index.html in each folder.

Thanks for the excellent tip!!! How could I miss that?

I just fixed the issue. But not with an empty html file. I did that server side.

About the favicon, it was a graphic of a template we bought and I use it on our platform. At some point when we have time we might will come up with another idea.

Keep suggestions coming! And a lot of thanks again.

**crankydave** · #9 (**permalink**) 06-18-2008, 02:54 PM

John...

Is this the pligg platform?

Dave

kgun · #10 (**permalink**) 06-18-2008, 03:04 PM

Isn't it a good enough comment that I have started even before this thread started yesterday, by linking to that site deep in my linkcollection

?

Webnauts · #11 (**permalink**) 06-18-2008, 05:02 PM

Quote:

Originally Posted by crankydave

John...

Is this the pligg platform?

Dave

Exactly. The latest Pligg version. But a lot of extra work have been required to get it at its present state. And there is still some work to be done. Otherwise it is very good. Though I am sure that my next projects will be Drupal based.

Webnauts · #12 (**permalink**) 06-18-2008, 05:03 PM

Quote:

Originally Posted by kgun

Isn't it a good enough comment that I have started even before this thread started yesterday, by linking to that site deep in my linkcollection

?

Hey thanks Kjell. Very much appreciated bro.

**crankydave** · #13 (**permalink**) 06-18-2008, 05:10 PM

Quote:

Originally Posted by Webnauts

Exactly. The latest Pligg version. But a lot of extra work have been required to get it at its present state. And there is still some work to be done. Otherwise it is very good. Though I am sure that my next projects will be Drupal based.

The reason I ask is that I got rid of pligg (have not even considered the latest version) because of nothing but problems on two different sites. I like the idea and am curious to see how it works out for you.

Dave

**wige** · #14 (**permalink**) 06-18-2008, 05:16 PM

Looks pretty good. Only suggestions I would have are:

If possible in your server configuration (or .htaccess if this is a shared server) set the ServerToken to Product Only. This will prevent the forbidden message and the server headers from displaying the version of Apache you are running.

I see you blocked the /templates/ directory as suggested by amxfan. However, it may still be possible to guess file names and use other (possibly yet undetected) vulnerabilities to execute files in that area. May I suggest, remove the /templates/ and other sensitive directories from your robots.txt file, and replace the 403 Forbidden response with a 404 Not Found? This can be done by removing the allow/deny rules you added to .htaccess, and replacing them with:

RedirectMatch 404 /templates/.*

This will cause your server to display your customized 404 error page instead of the current static 403 forbidden message. It should be friendlier if a user does get to that folder by mistake, and should also help with security by hiding the folder.

Webnauts · #15 (**permalink**) 06-18-2008, 05:22 PM

Quote:

Originally Posted by crankydave

The reason I ask is that I got rid of pligg (have not even considered the latest version) because of nothing but problems on two different sites. I like the idea and am curious to see how it works out for you.

Quote:

Originally Posted by crankydave

Dave

I have tried Pligg some months ago and I had problems too. But it was still Beta. This time I must admit that they have done a lot of good work since then. I am sure you will like it now.

The most important thing is what another member mentioned above, to disallow browsing directories which are not for users/visitors and bots.

You can add an .htaccess file in each directory which doesn't have one, and then add in all of them the following rule:

Code:

Options -Indexes

Thats it. If you need some help to defend yourself from spammers, we got some stuff done already. If you need help there, I guess we are already experts. Or, let say I hope.

kgun · #16 (**permalink**) 06-18-2008, 05:28 PM

Last two comments tell me that we should invest more time in becoming Apache experts.

**crankydave** · #17 (**permalink**) 06-18-2008, 05:47 PM

Quote:

Originally Posted by Webnauts

[left]
I have tried Pligg some months ago and I had problems too. But it was still Beta. This time I must admit that they have done a lot of good work since then. I am sure you will like it now.

The most important thing is what another member mentioned above, to disallow browsing directories which are not for users/visitors and bots.

You can add an .htaccess file in each directory which doesn't have one, and then add in all of them the following rule:

Code:

Options -Indexes

Thats it. If you need some help to defend yourself from spammers, we got some stuff done already. If you need help there, I guess we are already experts. Or, let say I hope.

Thanx John. We did quite a bit of work also. Spammers were only part of the problem. Crashes, lost info, functions that didn't work or only worked part of the time etc.

I do like the idea but am going to take a bit of a "wait and see" before risking having to redo a lot of work again.

Dave