By: Louis Datz
One of the reasons I host my websites at AppliedI.net (see: http://www.AppliedI.net) is their tremendous support for open source .NET applications such as nopCommerce (see: http://www.nopCommerce.com). In return, I try to help streamline and secure my websites so that my customers will be happy, but also so that I don't place a drag on AppliedI.net's servers or create security holes in them. Although it is AppliedI.net's job to host my sites, I feel it is a symbiotic relationship for our companies to help each other solve issues regarding websites. Years ago, I tried hosting sites myself and found out how difficult it is. The biggest problem I encountered was: SPAMMERS! Around the year 2000, I had set up a web server and an email server, and within a short period of time I found that my web server was running out of disk space and my email server was being blacklisted. As for my web server, a security hole in FrontPage allowed people in Australia to create hidden directories that they were using for gaming files. As for email, I learned an expensive lesson about open relays. Since I started hosting sites at AppliedI.net, I no longer have to worry about issues like spamming. Or at least I thought my troubles were over. The following article describes some helpful hints to prevent spammers from using your website to spam, as well as a few other security and optimization tips.
Helpful links included in this article:
TIP 1: Preventing Spammers from using your nopCommerce site to Spam:
A number of years ago, many of my clients were asking to add blogs to their sites. Being a developer, I've discovered that the best way to learn a product that my customers want is to use the product as if I were the customer. So, I installed a blog engine on my site and started writing. I am not the best writer in the world, but, to my shock and delight, people were writing responses to my blog! Of course, this excitement was short lived when I started looking at the responses. Something was strange. The responses were pretty generic. I was reading response after response that said something like "Very informative" and "Good job, keep it up". My parents never even said those things to me. Then I was getting these responses to the tune of hundreds a day. Not sure if I coined the phrase, but I refer to these responses as blog spamming. I found a quick and dirty solution. The blog engine I was using had a place in the administrative section to enter a link for Disqus (see: http://www.disqus.com/). Disqus' website allows the responses to your blogs to be handled by their filtering engine. You can easily filter out all the blog spammers and only post the replies that are legitimate.
So, a number of years go by. I hadn't had too many spamming incidents until recently. I noticed that the database for one of the nopCommerce (see: http://www.nopCommerce.com) sites I had just developed and launched kept growing every day. Hmm. That's peculiar. We hadn't even promoted the site, and there was not too much to it at that point. I looked at the user table and noticed that hundreds of users were registering every day. I patted myself on the back for a moment and then started looking at the users that were registering. They all had email addresses with some pretty shady sexual names in them. Why would these people be attracted to this non-profit religious site? Apparently, this is a new form of spam and, yet again, it involves blogs. nopCommerce has a blog section, and some unscrupulous people out there have figured out a way to register users on other people's sites and send out email through the blog section.
What to do? Being a developer, I've discovered that if I am having some sort of coding issue, chances are that other people are having the same problem. nopCommerce has a great community forum for looking up solutions to nopCommerce issues and asking for help. The answer to the problem of web bots creating users was reCAPTCHA (see: http://www.CAPTCHA.net). A CAPTCHA program displays those annoying verification dialogues in which you have to type in a couple of words that are hard to make out. From CAPTCHA.net: "A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot."
Yes, I hate them too. But they are built for exactly the scenario described above. With a CAPTCHA in place, most automated bots cannot register users simply by filling in the basic fields on a registration page, such as name and email address. They are not foolproof, but they solved my problem in this case. And reCAPTCHA is free!
To set up reCAPTCHA on your nopCommerce site:
- Sign up for a reCAPTCHA account at http://www.google.com/recaptcha/learnmore
- Add a new site so that you can retrieve a reCAPTCHA key (see: https://www.google.com/recaptcha/admin/list).
I chose www.thecomputertailors.com for a Global Key so that I don't have to keep adding keys for each site I develop. It's up to you whether to take this approach or add a key for each site you wish to protect with reCAPTCHA.
- Log in to your nopCommerce site as an administrator and go to Configuration, Settings, General and Miscellaneous Settings.
- Click on the Security Settings tab and enter your reCAPTCHA keys (the public/site key and the private/secret key that the reCAPTCHA admin page issued for the site).
- Check off Show on Registration page and Show on Contact Us page.
NOTE: The latest version of nopCommerce has options to require reCAPTCHA in other areas of your website as well, such as the login page.
That's it! Your site is now protected from unscrupulous people automatically registering email addresses for the purpose of spamming through your nopCommerce site.
Well, almost. It is about 99% effective. For the sites I installed the reCAPTCHA keys on, I am satisfied with the results. If you want to get close to 100%, I found some honeypot code on the nopCommerce forum. It requires an extensive knowledge of how to customize nopCommerce, which I am not going into in this blog. Basically, a honeypot is an extra form field that human visitors never see (it is hidden by CSS) and therefore leave empty, while bots that fill in every field they find give themselves away; submissions with that field filled are dropped. Honeypot code of this kind slows down or traps people attacking your website or doing things like batch registration.
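The setting above hands the work to nopCommerce, which sends each solved challenge to Google's verification endpoint for you. What follows is an added example, not nopCommerce's code and not the forum's honeypot code, showing what that server-side decision has to contain and adding the honeypot just described. The reCAPTCHA siteverify URL and its success/hostname/error-codes reply fields are Google's documented API; the form field names, the time limits, the HMAC on the render timestamp and the sample form data are assumptions constructed for this example. Two points matter in practice: a token should only be trusted if Google reports it was solved on your hostname (with a Global Key, a challenge solved on somebody else's domain would otherwise verify as a success), and a render timestamp only stops instant submissions if bots cannot back-date it, hence the HMAC.

```python
"""Registration gate: server-side reCAPTCHA check plus honeypot fields.

Added example, not nopCommerce code. The siteverify endpoint and the
success / hostname / error-codes reply fields are Google's documented
reCAPTCHA API; field names, time limits, the HMAC-stamped timestamp and
the sample data below are assumptions made for this example.
"""
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
HONEYPOT_FIELD = "website_url"        # assumed name; hidden by CSS, so a human leaves it empty
TIMESTAMP_FIELD = "form_rendered_at"  # assumed name; carries "epoch.hmac" set when the form was rendered
MIN_FILL_SECONDS = 3.0                # assumption: a human needs longer than this
MAX_FILL_SECONDS = 6 * 3600           # assumption: older forms are treated as stale

def stamp_form(server_secret, now):
    """Value for the hidden timestamp field. The HMAC stops a bot from back-dating
    the stamp to defeat the minimum fill time."""
    ts = str(int(now))
    sig = hmac.new(server_secret, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"

def check_honeypot(form, server_secret, now):
    """Cheap checks that run before any network call. Returns (ok, reason)."""
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field was filled"
    ts, _, sig = form.get(TIMESTAMP_FIELD, "").partition(".")
    expected = hmac.new(server_secret, ts.encode(), hashlib.sha256).hexdigest()
    if not ts.isdigit() or not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "missing or tampered render timestamp"
    elapsed = now - int(ts)
    if elapsed < MIN_FILL_SECONDS:
        return False, f"submitted after {elapsed:.1f}s, too fast for a human"
    if elapsed > MAX_FILL_SECONDS:
        return False, "form is stale"
    return True, "ok"

def fetch_siteverify(secret, token, remote_ip=None):
    """Real POST to Google's siteverify endpoint; returns the parsed JSON reply."""
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    req = urllib.request.Request(SITEVERIFY_URL, data=urllib.parse.urlencode(data).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())

def check_recaptcha(token, secret, expected_hostname, fetch=fetch_siteverify):
    """Verify the token server-side and bind it to our hostname. Returns (ok, reason).
    `fetch` is injectable so the decision logic can run offline."""
    if not token:
        return False, "missing captcha token"
    try:
        result = fetch(secret, token)
    except Exception as exc:   # Google unreachable or reply unparseable: fail closed
        return False, f"captcha verification unavailable: {exc}"
    if not result.get("success"):
        return False, "captcha failed: " + ",".join(result.get("error-codes", []))
    # success alone is not enough: with a key shared across domains (a Global Key)
    # a challenge solved on someone else's site would verify too, so pin the hostname.
    if result.get("hostname") != expected_hostname:
        return False, f"captcha solved on {result.get('hostname')!r}, not {expected_hostname!r}"
    return True, "ok"

def gate_registration(form, server_secret, recaptcha_secret, expected_hostname,
                      now=None, fetch=fetch_siteverify):
    """Honeypot checks first (free, catch most bots), then the round trip to Google."""
    now = time.time() if now is None else now
    ok, reason = check_honeypot(form, server_secret, now)
    if not ok:
        return False, reason
    return check_recaptcha(form.get("g-recaptcha-response", ""), recaptcha_secret,
                           expected_hostname, fetch)

# Constructed sample data; nothing below was captured from a real site or from Google.
SERVER_SECRET = b"example-only-rotate-me"
RENDERED_AT = 1_700_000_000.0

def fake_google_ok(secret, token, remote_ip=None):
    return {"success": True, "challenge_ts": "2023-11-14T22:13:20Z", "hostname": "shop.example"}

def fake_google_down(secret, token, remote_ip=None):
    raise OSError("connection refused")

def human_form():
    return {"email": "user@example.org", HONEYPOT_FIELD: "",
            TIMESTAMP_FIELD: stamp_form(SERVER_SECRET, RENDERED_AT),
            "g-recaptcha-response": "token-from-widget"}

def bot_form():
    form = human_form()
    form[HONEYPOT_FIELD] = "http://spam.example"   # bots fill every field they see
    return form

if __name__ == "__main__":
    for label, form in (("human", human_form()), ("bot", bot_form())):
        print(label, gate_registration(form, SERVER_SECRET, "recaptcha-secret", "shop.example",
                                       now=RENDERED_AT + 45, fetch=fake_google_ok))
```

Running the file shows a human submission passing and a bot submission failing without any network access; `fetch_siteverify` is what you would wire in for real traffic. Every failure, including Google being unreachable, refuses the registration rather than letting it through, which is the right default for a signup form.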
TIP 2: The Machine Key:
Another issue with my nopCommerce sites that I found a solution to on their forums was that I was getting kicked out when more than one person was logged in as an administrator. Plus, it was extremely slow in the administration section. The solution: add a machineKey element to the web.config (see: http://aspnetresources.com/tools/machineKey). Without an explicit machineKey, ASP.NET auto-generates its own keys per server, so an authentication cookie issued by a different server in a farm, or before the key was regenerated (which can happen on an application pool recycle), fails validation and the user is logged out; a fixed key keeps every issued cookie verifiable for as long as the key stays the same.
After you generate a machine key from the link above, open your Web.config file and insert your machine key right under the <system.web> tag:
<machineKey validationKey="X123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789" decryptionKey="123456789123456789123456789123456789123456789123456789123456789123456789123456789123456789" validation="SHA1" decryption="AES"/>
Note that I just made up fictitious validation and decryption keys; a real pair is hex and has the length the chosen algorithms expect. One place to get keys is http://aspnetresources.com/tools/machineKey. Keep in mind, though, that a key produced by a third-party web page has passed through that page, and anyone who holds your machineKey can forge the forms-authentication tickets and ViewState MACs your site trusts, so generating the key on your own machine is the safer choice, and the key should never be published or checked into a public repository. On .NET 4 and later, validation="HMACSHA256" is the default and a better choice than SHA1.
TIP 3: Other Web.config Settings:
I've known for a while that you should set debug="false" on the <compilation> element in web.config when you upload and deploy your websites at AppliedI.net; you will see a dramatic speed improvement on your live sites from this little tip. One setting I was not aware of until recently was turning trace off. With tracing enabled, ASP.NET records every request (including cookies, form fields, session state and server variables) and serves that log at /trace.axd, so leaving it on in production is an information leak as well as a slowdown. localOnly="true" limits the page to requests from the server itself, but the safe production setting is simply enabled="false":
<!--<trace enabled="true" pageOutput="true"/>-->
<trace enabled="false" localOnly="true"/>
This was yet another tip that I picked up from the nopCommerce support forum. A great link for the dos and don'ts of the web.config file, which I think every .NET developer should bookmark, was also supplied in the forum post:
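The settings from Tips 2 and 3 can be generated and checked with a small script. What follows is an added example, not nopCommerce code and not the aspnetresources.com tool: it builds a machineKey element from the local operating system's random number generator (so the key never leaves your machine) and audits a web.config for the machineKey, compilation debug and trace settings discussed above. The key sizes used are the defaults that .NET's own HMAC and AES/3DES key generators produce (64-byte HMAC keys, 128 bytes for HMACSHA384/512, 32-byte AES key, 24-byte 3DES key); the sample configurations are constructed for the example and the finding texts are my own wording.

```python
"""Generate a machineKey locally and audit web.config for the settings in Tips 2 and 3.

Added example: neither nopCommerce code nor the aspnetresources.com tool.
Key sizes are the defaults of .NET's own HMAC and AES/3DES key generators.
"""
import secrets
import xml.etree.ElementTree as ET

VALIDATION_KEY_BYTES = {"SHA1": 64, "HMACSHA256": 64, "HMACSHA384": 128, "HMACSHA512": 128}
DECRYPTION_KEY_BYTES = {"AES": 32, "3DES": 24}
AES_KEY_SIZES = {16, 24, 32}          # AES-128/192/256; 3DES takes exactly 24

def generate_machine_key(validation="HMACSHA256", decryption="AES"):
    """Build the element from the local CSPRNG. Paste it under <system.web>.
    A key produced by a third-party web page has been seen by that page."""
    vk = secrets.token_hex(VALIDATION_KEY_BYTES[validation]).upper()
    dk = secrets.token_hex(DECRYPTION_KEY_BYTES[decryption]).upper()
    return (f'<machineKey validationKey="{vk}" decryptionKey="{dk}" '
            f'validation="{validation}" decryption="{decryption}"/>')

def _hex_bytes(value):
    """Length in bytes if `value` is a non-empty, even-length hex string, otherwise None."""
    if not value or len(value) % 2 or any(c not in "0123456789abcdefABCDEF" for c in value):
        return None
    return len(value) // 2

def audit_web_config(xml_text):
    """Return a list of findings for the settings this article covers; [] means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    sw = next((child for child in root if child.tag == "system.web"), None)
    if sw is None:
        return ["no <system.web> section found"]

    comp = sw.find("compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append('compilation debug="true": debug build on a live site, request executionTimeout is ignored')

    tr = sw.find("trace")
    if tr is not None and tr.get("enabled", "false").lower() == "true":
        if tr.get("localOnly", "true").lower() == "false":
            findings.append('trace enabled with localOnly="false": /trace.axd (request, cookie and session details) is readable by remote clients')
        else:
            findings.append("trace enabled: /trace.axd still answers local requests; disable it in production")
        if tr.get("pageOutput", "false").lower() == "true":
            findings.append('trace pageOutput="true": trace output is appended to every rendered page')

    mk = sw.find("machineKey")
    if mk is None:
        findings.append("no <machineKey>: keys are auto-generated per server, so cookies stop validating "
                        "on another server or after the key is regenerated")
        return findings
    val_alg, dec_alg = mk.get("validation", ""), mk.get("decryption", "")
    vk, dk = mk.get("validationKey", "AutoGenerate"), mk.get("decryptionKey", "AutoGenerate")
    if "AutoGenerate" in vk or "AutoGenerate" in dk:
        findings.append("machineKey uses AutoGenerate: same effect as having no fixed key")
    elif _hex_bytes(vk) is None or _hex_bytes(dk) is None:
        findings.append("validationKey and decryptionKey must be even-length hex strings")
    else:
        n_vk, n_dk = _hex_bytes(vk), _hex_bytes(dk)
        if val_alg in VALIDATION_KEY_BYTES and n_vk < VALIDATION_KEY_BYTES[val_alg]:
            findings.append(f"validationKey is {n_vk} bytes; {val_alg} expects {VALIDATION_KEY_BYTES[val_alg]}")
        if dec_alg == "AES" and n_dk not in AES_KEY_SIZES:
            findings.append(f"decryptionKey is {n_dk} bytes; AES needs 16, 24 or 32")
        elif dec_alg == "3DES" and n_dk != 24:
            findings.append(f"decryptionKey is {n_dk} bytes; 3DES needs 24")
    if val_alg in ("MD5", "SHA1"):
        findings.append(f'validation="{val_alg}": HMACSHA256 is the default and the better choice on .NET 4 and later')
    if dec_alg == "DES":
        findings.append('decryption="DES": single DES is obsolete, use AES')
    return findings

# Constructed sample modelled on the settings shown in this article; not a real site's config.
WEAK_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5"/>
    <trace enabled="true" pageOutput="true" localOnly="false"/>
    <machineKey validationKey="X123456789123456789" decryptionKey="0123456789ABCDEF"
                validation="SHA1" decryption="AES"/>
  </system.web>
</configuration>"""

def hardened_config(validation="HMACSHA256", decryption="AES"):
    """Same skeleton with the settings corrected and a freshly generated local key."""
    return f"""<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.5"/>
    <trace enabled="false" localOnly="true"/>
    {generate_machine_key(validation, decryption)}
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_web_config(WEAK_CONFIG):
        print("-", finding)
    print("hardened:", audit_web_config(hardened_config()))
```

Running the file lists the problems in the constructed weak configuration and reports an empty list for the hardened one; paste the element that `generate_machine_key()` prints into your own web.config under <system.web>, and run the audit against the deployed file rather than the one in your project tree, since deployment transforms are where debug and trace settings most often slip back in.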
About the Author:
Louis Datz is the owner of The Computer Tailors, Inc., a computer consulting and custom software development company in Boca Raton, FL. Louis has been a programmer for over 30 years. Services his company offers include website, database, email and cloud hosting through AppliedI.net; custom website development; email broadcasting, custom text messaging services, SEO/SEM, direct mail, list services and other multi-channel marketing programs. The custom programming division specializes in website and desktop applications using Microsoft .NET development tools such as Visual Studio. Louis is best known for being instrumental in developing and launching City Furniture's Same Day Delivery Program. His company focuses on merging separate stand-alone applications such as QuickBooks, Microsoft Office, and customer relationship management systems. "We don't reinvent your business applications; we make your business applications better."