Securing site access on shared hosting


https://forum.kartris.com/Topic7003.aspx

By thedrumdoctor - Fri 23 Feb 2018

For those using shared hosting who cannot implement IP restrictions via their control panel or remote IIS access, performing upgrades on a well-known site using the Kartris install script from the store URL can be quite risky, even if you do it at some ridiculously low-traffic hour of the day. Without restrictions on the URL while the script is running, anyone who visits your store at the time you are running the script can see what’s going on.

If you’re running your own dedicated server then you will have the freedom to lock down via IIS before you invoke the install script, but for those of us on shared hosting, our web.config file is our best friend.

For this to work, you will need a fixed IP address at the site where you perform your Kartris admin.

Before uploading your new web.config file, add the following lines under the <system.webServer> entry:

<!-- Switch on/off IP security for whole site -->
<security>
  <ipSecurity allowUnlisted="false">
    <clear />
    <add ipAddress="your static IP address goes here" allowed="true" />
  </ipSecurity>
</security>

When you upload your edited web.config file, only the IP address entered will be able to access and run the script and anyone else visiting your shop will see a “you do not have permission to access this….” message.

Once the install process has run you can stop the website, download the web.config, comment out the code restricting IP address access and upload again.
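
An added example, not part of the original post: a Python check to run on the edited web.config before uploading it, confirming the file is well-formed and that the ipSecurity block admits only your own address. The function name check_lockdown and the sample address 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the post's fragment in a minimal web.config; 203.0.113.10 is a placeholder IP.
SAMPLE = """<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear />
        <add ipAddress="203.0.113.10" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>"""


def check_lockdown(config_xml, admin_ip):
    """Return a list of problems; an empty list means only admin_ip is allowed."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        return [f"web.config is not well-formed XML: {exc}"]
    sec = root.find("system.webServer/security/ipSecurity")
    if sec is None:
        return ["no <ipSecurity> under <system.webServer>/<security>"]
    problems = []
    if sec.get("allowUnlisted", "true").lower() != "false":
        problems.append('allowUnlisted is not "false": unlisted visitors are let in')
    if sec.find("clear") is None:
        problems.append("no <clear />: entries inherited from parent config still apply")
    admin, covered = ipaddress.ip_address(admin_ip), False
    for entry in sec.findall("add[@allowed='true']"):
        addr, mask = entry.get("ipAddress", ""), entry.get("subnetMask")
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
        except ValueError:
            problems.append(f"ipAddress {addr!r} is not a valid address")
            continue
        covered = covered or admin in net
        if net.num_addresses > 1 or admin not in net:
            problems.append(f"allow entry {net} admits addresses other than the admin IP")
    if not covered:
        problems.append(f"{admin_ip} is not allowed: you would lock yourself out")
    return problems


if __name__ == "__main__":
    print(check_lockdown(SAMPLE, "203.0.113.10") or "lockdown OK")
```

An unedited "your static IP address goes here" placeholder or a tag with a missing space is reported here instead of surfacing as an error page on the live store.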