Even though FileMaker 16 is the current version, MainSpring has supported clients with WebDirect servers since it was released in version 13, and FileMaker server 14 will be supported until September 2018. Because of this, it’s important for us to call attention to the recent security risk that was identified on FileMaker servers 13 and 14.
WebDirect security risk discovered
Recently, we discovered that due to a lack of a robots.txt file in the WebDirect installation on FileMaker server 13 and 14, the URL of your WebDirect server can be indexed by search engines such as Google, Bing and Yahoo. This could unintentionally grant remote users the ability to visit your WebDirect homepage, and potentially gain access to files in an unexpected way.
A robots.txt file is a simple text file that asks any “search bot” that’s crawling a page or archiving information to follow a specific set of rules. While the robots.txt can be ignored by malicious bots, most modern search engines will respect those rules. In FileMaker Server 15+, the server configuration already contains the rules for turning off indexing by default, but you can still install the robots.txt file if you want.
How to install the WebDirect security patch
So, how do you add this patch? Simply create a robots.txt file in the following directory:
- Mac: HDD/Library/FileMaker Server/HTTPServer/conf/
- PC: C:/Program Files/FileMaker/FileMaker Server/HTTPServer/conf/
Inside of your robots.txt file, input the following code:
- User-agent: *
- Disallow: /
Now, save, and you’re finished! This would be a good time to install any updates, and restart your server, as well. Also, it’s important to note that, if your server address was already indexed on a search engine, it may take a few weeks for the bots to revisit your page and refresh their directory.
Additional ways to secure your WebDirect server
So, here are some other steps you may want to do in order to secure your server…
- Disable guest access for all files, or at least perform a security check to make sure the guest account has severely limited access
- Enable the server setting “Show only files for which each user has access to”. This will require a user to provide their username and password in order to view the WebDirect homepage.
- Make sure to check that none of your files are hosted with the default “admin” account with no password. If so, we recommend setting a strong password and changing the account name from admin to something else.
- Install an SSL certificate if you do not have one already