Tools aid the webmaster in securing and testing the website. The programs available depend largely on the type of website but there are several general tools that can be used.

Websecurify is one of those tools. It is an open source program that is available for Windows, Linux and Macs.

Webmasters who run it can test a website against a fixed set of known security vulnerabilities and issues that the program will display in a report if found.

The program is extensible which means that it is possible to extend the functionality with add-ons. The project website contains documentation for that feature.

Webmasters who want to use the program right away need to click on the launch test link in the main interface. This opens a configuration window where a website url has to be entered into the target form.

A report window is shown with all issues that have been found. A short explanation is displayed in the report window but it is generally required to research the issues found further.

Websecurify comes with tools like a basic web browser or error console that can be helpful in the analysis and research of issues.

It takes some time until the program finishes a website security test completely. The window sometimes was not responding to user input during that time but recovered from that eventually.

Websecurify can be downloaded from the software’s Google Code page.

All of this can have consequences for the webmasters. Search engines can punish websites who manipulate rankings, advertisers can kick webmasters and security software and scripts can flag a website to be malicious.

Unmask Parasites is one web based security script that can scan a website for hidden content that might be an indicator that the website was hacked or manipulated by someone else.

It works without registration. All the user needs to do is to enter a url in the search form and let the script do the rest. The script will display a ranking like “This page seems to be clean” listing all the external references – scripts and links – that it founds on that page.

Webmasters can follow those references and let the script analyze them as well or perform additional tests on the website. The two additional tests are the following:

• Finding infected web pages using Google. This is done by using the site parameter in combination with popular spam keywords.
• Display Google’s Safe Browsing rating for the website.

These tests can aid the webmaster in spotting hidden malicious links in a timely manner. It is possible to bookmark the test page and open it again which will initiate a new scan of the website.

I use it mainly to secure certain directories on my websites from being accessed without the proper authorization. This is the admin directory in the case of WordPress for instance but could also be used to secure a directory that hosts some valuable files.

I would like to point out two possibilities that secure a directory with .htacess. The first is to protect the directory by only allowing users with a certain IP or IP range access to it. Everyone else would receive an access denied error message.

The second possibility would be to create usernames and passwords that have to be supplied before accessing the content.

IP Protection:

Create a .htaccess file and add the following code to it:

AuthName "Protected Content"
AuthType Basic

order deny,allow
deny from all
#Comment
allow from 255.255.255.255


Change the IP address in the last line to the one used by the user / users. You can use wildcards * if the user is receiving dynamic IPs from his ISP. It is possible to add as many allow from lines to the .htaccess file as you want. Place that htaccess file in the directory that you want to protect. (all subdirectories are affected as well.

The problem with this kind of protection is twofold. If your IP changes, say you are on holiday or accessing from a different location, you need to add or change the IPs in the htaccess code. Users who happen to have a IP of that range can access the content without problems. This is usually a user from the same ISP.

A more secure protection is the basic auth protection.

Password Protection:

Whenever a user tries to access a directory or file a popup will appear asking the user for a username and password. This method requires two files, a htaccess file and a htpasswd file. The htpasswd file stores the usernames and encrypted passwords and should be placed outside of the root directory of the website.

AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
require valid-user

Since the passwords are encrypted you need to use a script to do that. A working one is the htpasswd Content Generator. Just enter a username and password and click on encrypt. Paste the line on the results page into the htpasswd file and place it exactly in the path that you specified in AuthUserFile.

It is possible to combine both protections for added security. I would begin by evaluating if your webhost is allowing those kind of files.