Website Security

  • rive0108
  • Born
  • Joined: Mar 03, 2011
  • Posts: 4
  • Status: Offline

Post March 3rd, 2011, 9:27 am

I am new here and I am the owner/admin/webmaster of Havoc Arcade (you can Google/Yahoo/Bing it to see the URL). Evidently I cannot post a URL.

There are three parts to my site- Gaming/Videos/Movies (main site), a Forums/downloads section, and a (/xfs) File Hosting/Sharing section (which is currently restricted to authorized users)


Attachments:
havoc.jpg


I painstakingly hardened my site against unauthorized access using .htaccess Options all Indexes directives, Options -ExecCGI, etc

I also use password hashes that are double salted (salt and pepper) SHA1.
Salts are alpha-numeric, symbol, spacing, upper/lower case and completely random, in excess of 20 characters.

All the scripting has been hardened, and inputtable data fields have been sanitized before they hit the database. Even though I know it can never be 100%, I feel pretty confident that I am not vulnerable to SQLi, XSS, RFI, other injections, as well as unauthorized file/directory access.
Even if the Admin account could be "brute forced" and/or otherwise compromised, they can't gain admin or file manager access (they have the same privileges as any other user) without going through a second authorization that is even longer and more random...

Can I get some feedback on my site's security?

Thanks!
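As an added illustration of the salt-and-pepper password storage the post describes (this is example code written for this thread, not code from Havoc Arcade or from any of the posters), the Python below shows the legacy single-pass SHA1 form next to the same salt-plus-pepper idea built on an iterated KDF with a constant-time compare. The pepper value, iteration count and record format are assumptions made for the example; a real pepper lives outside the database.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed pepper for this example only. In a real deployment the pepper is
# a site-wide secret kept outside the database (config file, environment
# variable), so a dumped users table alone is not enough to attack the hashes.
PEPPER = b"example-pepper-replace-with-a-real-secret"
ITERATIONS = 200_000          # work factor; tune to your hardware
SALT_BYTES = 16


def legacy_sha1_hash(password: str, salt: str, pepper: bytes = PEPPER) -> str:
    """The scheme the post describes at its simplest: one SHA1 pass over
    salt + password + pepper. The salt defeats precomputed tables and the
    pepper keeps a leaked table from being attacked offline, but a single
    SHA1 is cheap to compute, so guesses stay fast once the pepper is known."""
    return hashlib.sha1(salt.encode() + password.encode() + pepper).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt + pepper, but with an iterated KDF so each guess is expensive.
    Returns a self-describing record 'pbkdf2_sha256$iterations$salt$hash'
    (an assumed format chosen for this example)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)       # fresh random salt per user
    # Apply the pepper as an HMAC key rather than by concatenation, so it is
    # mixed in as a key and not just more bytes of input.
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    derived = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored parameters and compare in constant time.
    Malformed or foreign records verify as False rather than raising."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    candidate = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_upgrade(stored: str) -> bool:
    """True for a record that is not in the KDF format (for example a bare
    hex SHA1 from the legacy scheme), so the application can re-hash the
    password transparently on the user's next successful login."""
    return not stored.startswith("pbkdf2_sha256$")


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print(record)
    print(verify_password("correct horse battery", record))   # True
    print(verify_password("wrong guess", record))             # False
    print(needs_upgrade(legacy_sha1_hash("pw", "somesalt")))  # True
```

The salt is stored alongside the hash, which is fine: its job is to make every user's hash unique, not to be secret. The secret part is the pepper, and the cost of each guess comes from the iteration count, which is what a single SHA1 pass lacks. On PHP 5.5 and later the same job is done by the built-in password_hash() and password_verify() functions.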
  • Bigwebmaster
  • Site Admin
  • Joined: Dec 20, 2002
  • Posts: 8922
  • Loc: Seattle, WA & Phoenix, AZ
  • Status: Offline

Post March 3rd, 2011, 10:54 am

Sounds like you have done many of the right things. Can I ask you a few basic things? It sounds like you may be using some sort of server-based scripting language such as PHP, and since you mentioned SQL, maybe something like MySQL. So if that is the case your site has dynamically generated content, and possibly logins for your users since you mentioned password hashes.

If I am right on all of the above, did you custom-write everything, or are you using any particular backend software to help run your website?

When I visited your website I did notice everything is ending in .html, which could mean they are static pages, but more likely you are just using Apache mod_rewrite and everything is dynamically generated using PHP and MySQL? Am I correct here?

Also I visited your forum, and due to the way the URLs are there I am guessing you are using phpBB. Correct?
Ozzu Hosting - Want your website on a fast server like Ozzu?
  • rive0108
  • Born
  • Joined: Mar 03, 2011
  • Posts: 4
  • Status: Offline

Post March 3rd, 2011, 3:39 pm

Bigwebmaster wrote:
Sounds like you have done many of the right things. Can I ask you a few basic things? It sounds like you may be using some sort of server-based scripting language such as PHP, and since you mentioned SQL, maybe something like MySQL. So if that is the case your site has dynamically generated content, and possibly logins for your users since you mentioned password hashes.

If I am right on all of the above, did you custom-write everything, or are you using any particular backend software to help run your website?

When I visited your website I did notice everything is ending in .html, which could mean they are static pages, but more likely you are just using Apache mod_rewrite and everything is dynamically generated using PHP and MySQL? Am I correct here?

Also I visited your forum, and due to the way the URLs are there I am guessing you are using phpBB. Correct?



My forum is modified phpBB, my main site is PHP with mod_rewrite that I rewrote myself, with the assistance of others. /xfs is pretty much an unmodified file sharing script that I use for my uploads/downloads in my forum, but that also doubles as a means to import large files to the server itself (I never use FTP).

I could be wrong, but I doubt that anyone can break my site, but it can never hurt to get a second opinion. ;)
  • VPSWebServer
  • Newbie
  • Joined: Mar 10, 2011
  • Posts: 5
  • Status: Offline

Post March 17th, 2011, 5:49 pm

Looks like a nice site. By far, I know phpBB is vulnerable compared to other board systems; being error-free, and already having a contiguous URL fixed to access the admin cPanel and other areas, really makes me feel that the site could be hacked.
  • rive0108
  • Born
  • Joined: Mar 03, 2011
  • Posts: 4
  • Status: Offline

Post March 17th, 2011, 6:20 pm

VPSWebServer wrote:
Looks like a nice site. By far, I know phpBB is vulnerable compared to other board systems; being error-free, and already having a contiguous URL fixed to access the admin cPanel and other areas, really makes me feel that the site could be hacked.



Yes well, there are many phpBB "known" vulnerabilities; feel free to test them. Most if not all "exploits" will fail, as the primary CMS isn't phpBB, and I do not run an integration bridge between the two. The phpBB runs as an independent subdirectory only, with no tie-in to the main CMS. I can guarantee you that my passwords for admin management cannot be "brute forced".

To break the site you will need to break the main content management system. This is fully hardened, and exploiting it cannot be done by the average skid. Also, admin access requires two levels of authentication, both not vulnerable to brute forcing, and both very different and random, exceeding 20 characters.

If you think the site can be hacked, then show me.

PS: the main CMS is not WP (I can see by the logs that many assume it is, but it isn't; all WP-based exploits will be ineffective).
  • Bigwebmaster
  • Site Admin
  • Joined: Dec 20, 2002
  • Posts: 8922
  • Loc: Seattle, WA & Phoenix, AZ
  • Status: Offline

Post March 18th, 2011, 4:12 pm

You are most likely in good shape then; it sounds like you have done many things to harden your website. Good job :)
Ozzu Hosting - Want your website on a fast server like Ozzu?


© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.