Help Desk Software

HESK Security check list

This page provides basic security tips for HESK administrators: how to make HESK more secure and less prone to attack.


#1 Keep HESK updated

As with any software, HESK evolves and receives regular bug and security updates along with feature improvements. Make sure you always use the latest stable version of HESK.

See what patches and upgrades are available for your HESK:

  1. login to HESK admin panel
  2. go to Settings page
  3. click the Check for updates link
  4. review and install available patches and/or upgrades

To be notified of new HESK versions you should:

  1. follow HESK on Twitter here (fast update notifications)
  2. subscribe to the HESK Newsletter here (less frequent notifications)


#2 Use unique usernames and passwords

Do not use default or common usernames such as Administrator, Admin or Webmaster. These are the first names an attacker will try.

Never reuse a password across services. Using your email password for HESK, for example, is a very bad idea: a leak of one gives away the other. Use long, unique passwords with a combination of lowercase letters, uppercase letters, digits and symbols; a password manager makes this painless.

You can change usernames and passwords on the HESK Users and Profile page.


#3 Use a dedicated database for HESK

Do not use the same MySQL database for all your scripts. If you do, a single SQL injection in any one script exposes and modifies the data of all of them.

Always install HESK in a separate MySQL database and use a dedicated database user for HESK.

Do not give other MySQL users access to the HESK database and do not give the HESK database user access to other databases. After setup, check the result with SHOW GRANTS for the HESK user: nothing in the output should be granted ON *.* (other than the privilege-less USAGE line) or on another database.
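As an added example (not part of the HESK documentation), the script below prints the SQL for a dedicated database and a user confined to it, and then audits SHOW GRANTS output so an overly broad grant cannot slip through. The database name, the 'hesk'@'localhost' user, the password argument and the privilege list are assumptions for illustration; HESK's own install and upgrade steps are the authority on which privileges it needs.

```shell
#!/bin/sh
# Added example, not HESK's own code. Names ("hesk", 'hesk'@'localhost') and the
# password are placeholders; change them for your installation.

# Print the SQL for a dedicated database and a user confined to it. The privilege
# list is an assumption: enough for an application that creates and alters its
# own tables, plus LOCK TABLES so the same user can run mysqldump backups. It
# deliberately omits FILE, SUPER, PROCESS and WITH GRANT OPTION.
# (CREATE USER IF NOT EXISTS needs MySQL 5.7+ / MariaDB 10.1+; a password that
# contains a single quote must be escaped before being passed in.)
hesk_grant_sql() {
  db="$1"; user="$2"; host="$3"; pass="$4"
  cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
CREATE USER IF NOT EXISTS '$user'@'$host' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP, LOCK TABLES
  ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# Audit the output of  SHOW GRANTS FOR 'hesk'@'localhost';  (pipe it in).
# Every GRANT line must be either the privilege-less "GRANT USAGE ON *.*" line
# that MySQL always prints, or scoped to the HESK database. Anything else
# (ALL PRIVILEGES ON *.*, FILE, a grant on another database) is reported on
# stderr and the function returns 1.
audit_grants() {
  db="$1"; bad=0
  while IFS= read -r line; do
    case "$line" in
      "GRANT USAGE ON *.* TO "*)       ;;   # harmless: no privileges at all
      "GRANT "*" ON \`$db\`.* TO "*)    ;;   # confined to the HESK database
      "GRANT "*) echo "too broad: $line" >&2; bad=1 ;;
    esac
  done
  return "$bad"
}

# Constructed sample SHOW GRANTS output (MySQL 8 quoting) for the demo and tests.
GRANTS_OK='GRANT USAGE ON *.* TO `hesk`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP, LOCK TABLES ON `hesk`.* TO `hesk`@`localhost`'

GRANTS_BAD='GRANT USAGE ON *.* TO `hesk`@`localhost`
GRANT ALL PRIVILEGES ON *.* TO `hesk`@`localhost` WITH GRANT OPTION
GRANT SELECT ON `shop`.* TO `hesk`@`localhost`'

# Demo: print the setup SQL, then audit both samples. Against a live server run:
#   mysql -N -e "SHOW GRANTS FOR 'hesk'@'localhost'" | audit_grants hesk
hesk_grant_sql hesk hesk localhost 'change-me'
for sample in "$GRANTS_OK" "$GRANTS_BAD"; do
  if printf '%s\n' "$sample" | audit_grants hesk; then
    echo "grants confined to hesk: OK"
  else
    echo "grants NOT confined to hesk"
  fi
done
```

The audit only looks at the target of each grant, so it flags a grant on another database just as loudly as ALL PRIVILEGES ON *.*; both break the rule that the HESK user sees nothing but the HESK database.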


#4 Rename /admin and /attachments folders and hide admin link

HESK allows you to rename your sensitive folders, so do it:

  1. rename folder admin to a hard-to-guess name
  2. rename folder attachments to a hard-to-guess name
  3. login to HESK admin panel
  4. go to Settings page
  5. on the Help Desk tab enter new names for the Admin folder and Attachments folder settings.
  6. on the Misc tab uncheck the Admin link option so that no link to your admin panel is shown on the HESK homepage
  7. save settings

Note 1: you may need to go back to Settings page and enable Use attachments setting again after these changes!

Note 2: an even further step is to password-protect your sensitive folders at the web-server level, for example with an .htaccess file on Apache (nginx has an equivalent location block). Renaming only hides the folders; a second login in front of the admin folder protects them even if the new name leaks.
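The following is an added example of the web-server-level protection from Note 2, not HESK's own code. It writes Apache .htaccess rules for the two renamed folders: HTTP Basic authentication in front of the admin folder, and a rule that refuses to serve script files from the attachments folder so an uploaded .php file can never be executed by requesting it. It assumes Apache 2.4 with AllowOverride covering AuthConfig, Limit and Options for the HESK directory; the folder paths, the /etc/hesk/.htpasswd location and the heskadmin user name are placeholders.

```shell
#!/bin/sh
# Added example, not HESK's own code. Assumes Apache 2.4; paths are placeholders.

# Require HTTP Basic authentication for the admin folder, in addition to HESK's
# own login. $1 = admin folder, $2 = absolute path of the htpasswd file, which
# must live outside the web root so it can never be downloaded.
protect_admin_dir() {
  dir="$1"; passfile="$2"
  cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Help desk administration"
AuthUserFile $passfile
Require valid-user
EOF
}

# Make the attachments folder inert: refuse to serve anything that looks like a
# server-side script and hide directory listings. The pattern ends in (\.|$) so
# that double extensions such as shell.php.jpg are caught as well.
# If your AllowOverride does not include Options, drop the Options line or
# Apache will answer 500 for the whole folder.
protect_attachments_dir() {
  dir="$1"
  cat > "$dir/.htaccess" <<'EOF'
# Uploaded files must never run as code
<FilesMatch "\.(php[0-9]?|phtml|phar|cgi|pl|py|sh)(\.|$)">
    Require all denied
</FilesMatch>
# Do not reveal uploaded file names
Options -Indexes
EOF
}

# Create the password file with Apache's htpasswd tool (bcrypt via -B) when it
# is installed; otherwise print the command for the administrator to run.
create_htpasswd() {
  passfile="$1"; user="$2"
  if command -v htpasswd >/dev/null 2>&1; then
    htpasswd -B -c "$passfile" "$user"      # prompts for the password
  else
    echo "htpasswd not found; run: htpasswd -B -c $passfile $user" >&2
  fi
}

# Usage: sh hesk_htaccess.sh /var/www/hesk/<admin-dir> /var/www/hesk/<attachments-dir>
# Afterwards, a request to the admin folder without credentials must return 401:
#   curl -I https://helpdesk.example/<admin-dir>/
if [ "$#" -eq 2 ]; then
  create_htpasswd /etc/hesk/.htpasswd heskadmin
  protect_admin_dir "$1" /etc/hesk/.htpasswd
  protect_attachments_dir "$2"
  echo "written: $1/.htaccess and $2/.htaccess"
fi
```

Before going further with the attachments folder, check how your HESK delivers attachments: if the download links on a ticket point at a PHP script rather than straight into the attachments folder, the folder never needs to be reachable from the browser at all and a plain "Require all denied" for the whole folder is the stronger choice.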


#5 Restrict allowed attachment size and types

If you expect your customers to upload images there is no need to allow uploading of .exe files.

Be conservative about what file attachments you allow:

  1. login to HESK admin panel
  2. go to Settings page
  3. on the Help Desk tab under Attachments set your attachment limits
  4. save settings


#6 Debug mode should be OFF

Unless you are actively troubleshooting your HESK installation, debug mode should be OFF! Debug output shows detailed error messages, including database errors, to anyone who manages to trigger a failure, and that is exactly the information an attacker wants.

  1. login to HESK admin panel
  2. go to Settings page
  3. on the Help Desk tab make sure Debug mode is set to OFF
  4. save settings


#7 SPAM protection should be ON

Is your entire help desk hosted on an intranet or password-protected? If not, enable SPAM protection!

  1. login to HESK admin panel
  2. go to Settings page
  3. on the Help Desk tab enable at least one form of SPAM Prevention
  4. save settings

No need to overdo it though. Unless you have serious SPAM problems, one SPAM prevention measure is enough; every additional one makes the help desk less user-friendly.


#8 Email piping and POP3/IMAP fetching considerations

Are you using email piping or POP3/IMAP fetching?

If not, make sure both features are turned OFF in HESK Settings!

If you are, rename the files inc/mail/hesk_imap.php, inc/mail/hesk_pipe.php and inc/mail/hesk_pop3.php to hard-to-guess names. Remember that these scripts are started from outside HESK (a mail alias for piping, a cron job for POP3/IMAP fetching), so the alias or cron entry must be updated to the new file names, or fetching silently stops.
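As an added example (not HESK's own code), the script below performs the renaming steps of #4 and #8 in one go: it gives the admin and attachments folders and the three mail scripts random 16-hex-character names, prints the old-to-new mapping, and then checks files you name (a crontab dump, /etc/aliases) for leftover references to the old script names. The HESK root path and the files to check are placeholders. Renaming alone is not enough: the new folder names must still be entered in HESK Settings (#4, steps 3 to 7).

```shell
#!/bin/sh
# Added example, not HESK's own code. Paths are placeholders.

# 16 hex characters from the kernel RNG: 64 bits, unguessable, still a plain name.
random_name() {
  head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Rename a file or directory to a random name in the same place. Files keep
# their extension so the web server still hands .php scripts to PHP.
# Prints "<old> <new>" so the mapping can be recorded.
rename_random() {
  old="$1"
  [ -e "$old" ] || { echo "not found: $old" >&2; return 1; }
  dir=$(dirname "$old"); base=$(basename "$old"); ext=""
  if [ -f "$old" ]; then
    case "$base" in *.*) ext=".${base##*.}" ;; esac
  fi
  new="$dir/$(random_name)$ext"
  mv "$old" "$new" && echo "$old $new"
}

# After renaming, search the given files for the old name; returns 1 and lists
# the files if any still mention it. Point it at a crontab dump, /etc/aliases
# and anything else that invokes the scripts.
check_no_refs() {
  oldname="$1"; shift
  if grep -l -F -- "$oldname" "$@" 2>/dev/null; then
    echo "the files above still reference $oldname; update them" >&2
    return 1
  fi
  return 0
}

# Usage: crontab -l > crontab.txt
#        sh hesk_rename.sh /var/www/hesk crontab.txt /etc/aliases
if [ "$#" -ge 1 ]; then
  root="$1"; shift
  for item in admin attachments \
              inc/mail/hesk_pipe.php inc/mail/hesk_pop3.php inc/mail/hesk_imap.php; do
    rename_random "$root/$item"
  done
  echo "now enter the new admin and attachments folder names in HESK Settings"
  if [ "$#" -ge 1 ]; then
    for script in hesk_pipe.php hesk_pop3.php hesk_imap.php; do
      check_no_refs "$script" "$@"
    done
  fi
fi
```

Keep the printed mapping somewhere safe: the random names are the only way to find the folders again, and HESK will not work until the settings page knows the new folder names.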


#9 Not everyone should be an administrator

Does Mary really need access to HESK settings? Does Joe really need permission to create new ticket categories?

Instead of creating administrator accounts, give users restricted access:

  1. login to HESK admin
  2. go to Users page
  3. when creating a new or editing existing user click the Permissions tab
  4. select Account type: Staff and only give the user permissions he/she needs
  5. save changes


#10 Disable features you are not using

This one is simple: if you don't use something, disable it! What's the point of having Knowledgebase functionality enabled, if you have no Knowledgebase articles?

Here are some features that can be disabled. Click the [?] help link next to them on the HESK Settings page to learn what each does:

  • Multiple languages
  • Allow automatic login
  • Debug mode
  • Password reset
  • Attachments
  • Knowledgebase
  • Email piping
  • POP3 fetching
  • IMAP fetching
  • Multiple emails


#11 Using a shared computer? Automatic login should be OFF

The automatic login function is convenient as it allows HESK to remember your login so you don't have to enter your username and password every time you open HESK admin panel.

However, anyone using the same computer may also gain access to the help desk using your username!

If you access HESK from a shared computer the Allow automatic login function should be OFF or at least remember to Logout after finishing your work!


#12 Buy a HESK license

Seriously. A license will remove the "Powered by" links from your help desk, making it harder for a random visitor to determine what software you are using. Anyone trying to exploit a known software vulnerability will also have a harder time finding your help desk with a search engine. Removing the link only reduces casual discovery, though: HESK is still recognisable from its pages and file names, so treat this as a complement to #1, never as a substitute for keeping HESK updated.

More importantly, by purchasing a license you support the HESK author. This means more features and quick bug fixes in the future.

A one-time fee only. Buy a HESK license here.



Comments? Suggestions? Let us know!

Comments and ideas about securing HESK are always welcome.

Please feel free to contact us with your suggestions here.



