PHP Bootstrap and security

I have a site which has been constructed using Bootstrap. The site has no searchbox and no database and yet has been hacked. Are there any security issues with Bootstrap that I should look at and if so solutions that people could advise me to adopt? Thanks in advance.

Bootstrap isn’t going to be your problem here - it has nothing to do with PHP, or server side code, it’s just HTML and CSS, with a little JavaScript. It’s a front-end framework. Is there any PHP behind it? Have you looked at the security for the server or host you’re using?

Sounds like the server has been breached.


Thank you for your replies. My first thought was that the server had been breached, although this is on a shared server and no other sites have been affected. I have changed all the FTP and control panel logins, deleted an ASP file that appeared and reinstated clean code. It was suggested that Bootstrap JS files could be exploited, but I don’t understand how this could be or how to prevent it.

JS files are only executed on the client side, i.e. in the browser. So, it is not the case.

Do you have any server-side programming like PHP files? If so, most likely it’s some sort of file injection: an include of an unsanitized file name taken from user input.

The website is written in PHP. The only user input on the website is a contact form.

As I said above, most likely it’s file injection, which is done via GET request parameters and which is user input, even if you don’t think of it that way.

Or any other kind of tampering on input data.
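The two replies above describe the pattern in words; the following is an added example (not code from the thread or from the original site) of what "include of an unsanitized file name" looks like in PHP, beside a hardened version that maps the request parameter onto a fixed allowlist. The `pages/` directory and the page names are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Demonstrates the "include of an
// unsanitized file name" pattern the replies describe: a page router that
// passes a request parameter straight into include(), beside a hardened
// version that only accepts names from a fixed allowlist.
declare(strict_types=1);

// VULNERABLE: whatever arrives in ?page= is used to build the include path.
// A request such as ?page=../../../../etc/passwd reads a file the author
// never intended to expose, and if the attacker can get PHP code into any
// file on the host (an upload, a log line) the same include executes it.
function render_page_vulnerable(array $get): void
{
    $page = $get['page'] ?? 'home.php';
    include __DIR__ . '/pages/' . $page;
}

// HARDENED: the parameter only selects among known files; the request never
// contributes characters to the path. Anything unknown falls back to a safe
// default rather than being "cleaned" and reused.
const ALLOWED_PAGES = [
    'home'    => 'home.php',    // assumed file names, hypothetical
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(array $get): string
{
    $page = $get['page'] ?? 'home';
    if (!is_string($page) || !array_key_exists($page, ALLOWED_PAGES)) {
        $page = 'home';
    }
    return __DIR__ . '/pages/' . ALLOWED_PAGES[$page];
}

function render_page_hardened(array $get): void
{
    include resolve_page($get);
}

// Exercising only the decision logic (no files are read):
$chosen   = resolve_page(['page' => 'about']);              // .../pages/about.php
$rejected = resolve_page(['page' => '../../etc/passwd']);  // falls back to .../pages/home.php
```

The point of the allowlist is that validation happens on the name as a key, never on the path string: there is nothing to strip or escape, so traversal sequences, wrappers and null bytes are all irrelevant. If a site really has no such parameter anywhere, this class of bug is off the table and the search moves to credentials and the host itself, as later replies in the thread do.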

I don’t have any GET requests on the site, and have only used POST in the contact form. Unless of course there is something I am missing.

POST is user input, so is also prone to injection.
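To make the one-line reply above concrete, here is an added example (not code from the thread or from the original site) of the injection a plain PHP contact form is most exposed to: a POST field copied into mail headers, where an embedded newline lets the visitor add headers of their own. The field names and the fixed sender address are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Shows why POST data is still user
// input: contact-form fields commonly end up as e-mail headers, and a CR/LF
// in a header field lets the sender append headers (extra recipients, a
// forged From), turning the form into a spam relay.
declare(strict_types=1);

// VULNERABLE: the visitor's address is pasted into the header block as-is.
// Submitting email = "a@example.com\r\nBcc: list@example.net" adds a Bcc.
function contact_headers_vulnerable(array $post): string
{
    $email = $post['email'] ?? '';
    return "From: " . $email . "\r\n"
         . "Reply-To: " . $email . "\r\n";
}

// HARDENED: every value destined for a header must be a single line and a
// syntactically valid address; free text goes only into the body, where a
// newline is harmless. Returns null when the submission must be rejected.
function contact_message(array $post): ?array
{
    $email = $post['email'] ?? '';
    $name  = $post['name'] ?? '';
    $body  = $post['message'] ?? '';
    if (!is_string($email) || !is_string($name) || !is_string($body)) {
        return null;
    }
    if (preg_match('/[\r\n]/', $email . $name) === 1) {
        return null;                          // header fields may not span lines
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Sender is a fixed address on our own domain; the visitor goes in Reply-To.
    $headers = "From: website@example.com\r\n"   // assumed sender, hypothetical
             . "Reply-To: " . $email . "\r\n";
    $text = "From: " . $name . " <" . $email . ">\n\n" . $body;
    return ['headers' => $headers, 'body' => $text];
}

// Exercising only the decision logic (nothing is sent):
$ok  = contact_message(['email' => 'a@example.com', 'name' => 'Ann', 'message' => "Hi\nthere"]);
$bad = contact_message(['email' => "a@example.com\r\nBcc: list@example.net", 'name' => 'x', 'message' => 'y']);
// $ok is an array ready for mail($to, 'Contact form', $ok['body'], $ok['headers']);
// $bad is null and the request should get a 400 response.
```

"Cleaning" input for a form like this means rejecting anything header-bound that is not a single valid address, not stripping characters and carrying on; the body may contain whatever the visitor typed because it is never interpreted as a header.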

Do you have any URLs with a query string, such as www.domain.com?thing=something

No query strings either.

What’s the use of PHP then? Just a static header/footer include only?

Mainly yes, a few includes. It’s a very simple site.

Then the only idea I’ve got is FTP passwords stolen from the developer’s PC by a trojan.

Do you allow attachments to be sent via the Contact form?

I’ve deleted the FTP accounts and set up a new one with a secure password just in case.

Nope, no attachments and the input is cleaned.
