FileMaker WebDirect: Security And Scalability

Enabling the Guest account on a FileMaker database can be very dangerous. We've known that for years.

In the past, that danger was lessened to some degree because FileMaker Server wasn't a big target for hackers. They had to either know the address of a server, or run portscans over IP address blocks to identify one.

However, with WebDirect, FileMaker Servers are much easier to locate. Google has been indexing WebDirect home pages for a while now. To see the WebDirect home pages that Google has indexed, search for WebDirect's URL pattern: /fmi/webd/
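To check whether your own server is being crawled or reached from search results, you can scan the web server's access log for requests under /fmi/webd/. The script below is an added example, not part of the original article; it assumes a Combined Log Format access log, and the crawler list, referrer list and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the web server writes Combined Log Format; adapt LINE otherwise.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
CRAWLERS = ("Googlebot", "bingbot")            # user-agent substrings (illustrative)
SEARCH_REFERERS = ("google.", "bing.com")      # referrer substrings (illustrative)
WEBD_PREFIX = "/fmi/webd/"                     # URL pattern named in the article


def webdirect_exposure(lines):
    """Return (crawler hits, search-referred paths) for WebDirect URLs."""
    crawled, referred = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or not m["path"].lower().startswith(WEBD_PREFIX):
            continue                           # unparsable or not WebDirect
        if int(m["status"]) >= 400:
            continue                           # errors served no page to index
        agent, referer = m["agent"].lower(), m["referer"].lower()
        for name in CRAWLERS:
            if name.lower() in agent:          # self-declared; can be spoofed
                crawled[name] += 1
        if any(s in referer for s in SEARCH_REFERERS):
            referred[m["path"]] += 1           # visitor arrived from a results page
    return crawled, referred


# Constructed sample lines using documentation IP ranges; not real traffic.
SAMPLE = [
    '203.0.113.10 - - [12/Mar/2015:10:01:02 +0000] "GET /fmi/webd/ HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [12/Mar/2015:10:05:40 +0000] "GET /fmi/webd/ HTTP/1.1" 200 5120 '
    '"https://www.google.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"',
    '192.0.2.44 - - [12/Mar/2015:10:07:11 +0000] "GET /fmi/webd/Products HTTP/1.1" 200 7300 '
    '"-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
    '192.0.2.50 - - [12/Mar/2015:10:08:00 +0000] "GET /index.html HTTP/1.1" 200 900 '
    '"-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '203.0.113.10 - - [12/Mar/2015:10:09:30 +0000] "GET /fmi/webd/Old HTTP/1.1" 404 300 '
    '"-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
]

if __name__ == "__main__":
    crawled, referred = webdirect_exposure(SAMPLE)
    print("crawler fetches:", dict(crawled))
    print("arrivals from search results:", dict(referred))
```

Any non-empty result means the WebDirect URLs are being discovered through search engines, which is the exposure described above.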

Other Issues

Some developers use WebDirect to serve up public-facing sites and forms. While it's tempting to do so, it can cause other problems as well.

Remember that all WebDirect users - including those connecting as guests - are consuming concurrent connections. The server might hit the maximum number of connections, especially if a WebDirect solution starts getting a lot of traffic.

Solutions & Alternatives

If possible, protect your server with a VPN. Also think long and hard before enabling the guest account - especially when using WebDirect.

If you're using WebDirect to serve up a Web site (for example, to publish product information), then consider a Custom Web Publishing (CWP) solution instead. With CWP, FileMaker Server can theoretically handle up to 2,000 users simultaneously. And depending on your needs, you might be able to get a CWP solution set up quickly and easily using something like FMEasyWeb.

If you're using WebDirect to capture information via a Web form, consider using another solution entirely. For example, you can use WuFoo and fmfoo to serve up a nice-looking form and automatically save submissions to a database, without ever exposing the actual database server.