How to secure your ExpressionEngine website


Overview
This article shows how to improve the security of your ExpressionEngine website.

Secure the permissions of your site

Limiting file permissions can improve the security of ExpressionEngine. However, this process can be tricky because the right permissions depend on your hosting environment and on the access certain plugins need. Generally, you want to deny access to all non-owners; in practice, this usually means everyone other than yourself. Folders that ExpressionEngine writes to (for example, upload and cache directories) still need write access for the user PHP runs as, so verify the site after tightening. Refer to How to configure ExpressionEngine permissions and ownership for more information.
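The following script is an added example, not part of the Nexcess article, showing the owner-only approach above applied to a constructed ExpressionEngine tree, followed by a check that nothing is left writable by group or others. It assumes PHP runs as the file owner (the folders EE writes to then need only owner access); the site layout and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Nexcess article: tighten an ExpressionEngine tree to
# owner-only access and report anything still writable by group or others.
# Assumption: PHP runs as the file owner (common on single-user hosting), so 0700/0600
# is enough for the folders EE writes to (uploads, caches). If PHP runs as another
# user, those folders need that user's write access instead; check with your host.
set -eu

# Build a throwaway site tree with deliberately loose permissions (constructed sample).
make_sample_site() {
    site="$1"
    mkdir -p "$site/system/expressionengine/config" "$site/images/uploads"
    printf '<?php $system_path = "./system";\n' > "$site/index.php"
    printf '<?php $config["cp_url"] = "http://domain.tld/admin.php";\n' \
        > "$site/system/expressionengine/config/config.php"
    printf 'upload placeholder\n' > "$site/images/uploads/demo.txt"
    chmod -R a+rwX "$site"          # world-writable: what we want to detect and fix
}

# Owner-only: directories 0700 (owner may list/enter), files 0600 (owner may read/write).
harden_permissions() {
    site="$1"
    find "$site" -type d -exec chmod 700 {} +
    find "$site" -type f -exec chmod 600 {} +
}

# List every entry that is still writable by group or others (empty when the tree is clean).
list_loose_entries() {
    find "$1" \( -perm -002 -o -perm -020 \)
}

# Print how many such entries remain; 0 means the tree passes the check.
count_loose_entries() {
    list_loose_entries "$1" | wc -l | tr -d ' \t'
}

# Stand-alone demo in a temporary directory.
demo_dir=$(mktemp -d)
make_sample_site "$demo_dir/site"
echo "loose entries before: $(count_loose_entries "$demo_dir/site")"
harden_permissions "$demo_dir/site"
echo "loose entries after:  $(count_loose_entries "$demo_dir/site")"
rm -rf "$demo_dir"
```

Run `list_loose_entries /path/to/site` on a real install after any plugin or theme installation; a non-empty list is the quickest sign that something reopened group or world write access.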

Change the administrator login web address

Obscuring the path to the ExpressionEngine administrator panel can help prevent intrusions. Login pages at easily guessed addresses are far more likely to be targeted by brute-force login attempts. Changing the administrator web address (URL) hides the login page from such attempts; it does not replace strong passwords, so combine the two. To change it, rename the admin.php file to a name of your choosing, then edit the line shown below in the system/expressionengine/config/config.php file so that it reflects the new file name.

$config['cp_url'] = "http://domain.tld/newname.php";

Manage access points

You can access your site through SSH, FTP, or the SiteWorx control panel; the right choice depends on your objective. Each of these should have a different password that follows your password policy. Always use secure methods when accessing your site and when moving or modifying its content: plain FTP sends your credentials and files unencrypted, whereas SSH, SFTP, and SCP encrypt both, so they provide an additional layer of security with little extra effort.

Deploy changes responsibly

The installation of extensions, themes, and other applications can create vulnerabilities. The best way to minimize this threat is to first implement all new changes in a development environment. Frequently referred to as a “dev site,” this environment is an exact copy of your live site, but changes made to it do not affect your actual website. We also recommend you back up both the site files and the database before making any changes, as these form the final line of defense against security breaches and data corruption.

Implement your own password policy

A password policy sets the requirements that every password used for the site must meet.

We recommend the following conventions when adopting a strong password policy:

  • Do not use a password that is easily guessed or decoded.

  • Establish complexity requirements.

  • Change the password regularly.

  • Do not recycle passwords.

Consider using the Nexcess Secure Password Generator to help generate a secure custom password. For assistance with using this, refer to How to generate a secure password.
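As an added example (not from the Nexcess article), the script below turns the conventions above into a check you can run before accepting a password for an ExpressionEngine, SSH, or FTP account. The minimum length of 14, the deny list of easily guessed words, and the "easily decoded" patterns are this example's own assumptions; set them from your own policy.

```shell
#!/bin/sh
# Added example, not from the Nexcess article: a password-policy check for new passwords.
# The length threshold, deny list and pattern rules below are assumptions of this example.
set -eu
export LC_ALL=C     # make [a-z]/[A-Z] mean ASCII letters regardless of locale

MIN_LEN=14
# Constructed deny list: words that commonly appear in guessed passwords for a site like this.
DENY_WORDS="password expressionengine admin welcome qwerty"

problems=""
add_problem() { problems="$problems${problems:+ }$1"; }

# Print the policy violations for $1, space-separated; prints nothing when it passes.
password_problems() {
    pw="$1"
    problems=""

    # Complexity requirements: length plus all four character classes.
    [ "${#pw}" -ge "$MIN_LEN" ] || add_problem "too-short"
    printf '%s' "$pw" | grep -q '[a-z]'        || add_problem "no-lowercase"
    printf '%s' "$pw" | grep -q '[A-Z]'        || add_problem "no-uppercase"
    printf '%s' "$pw" | grep -q '[0-9]'        || add_problem "no-digit"
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || add_problem "no-symbol"

    # Easily guessed: contains a deny-listed word, compared case-insensitively.
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for word in $DENY_WORDS; do
        case "$lower" in *"$word"*) add_problem "contains-$word" ;; esac
    done

    # Easily decoded: an ascending run of four digits, or any character repeated three times.
    case "$pw" in *0123*|*1234*|*2345*|*3456*|*4567*|*5678*|*6789*) add_problem "digit-run" ;; esac
    printf '%s' "$pw" | grep -q '\(.\)\1\1' && add_problem "repeated-char"

    printf '%s\n' "$problems"
}

# Exit status 0 when the password passes, 1 otherwise (usable from a provisioning script).
check_password() {
    [ -z "$(password_problems "$1")" ]
}

# Stand-alone demo with constructed candidates.
for candidate in 'Correct-Horse7Battery' 'password123' 'aaaBBB111!!!xx'; do
    result=$(password_problems "$candidate")
    printf '%-24s %s\n' "$candidate" "${result:-OK}"
done
```

The check deliberately reports every violation at once rather than stopping at the first, so a user (or an automated account-creation script) sees the whole list of fixes needed; recycling is best enforced separately by comparing a hash of the new password against stored hashes of previous ones.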

Change or move the system folder

Obscuring the path of the ExpressionEngine system folder can help prevent intrusions. The system folder is the core of your ExpressionEngine install and contains sensitive information such as your configuration files. To change the name of the system folder, edit the line below in both the index.php file and the admin.php file.

$system_path = './newsecurename';

Once this line is edited in both files, rename the system folder to reflect the new name.

Moving the system folder outside of the webroot can also improve security. To move the system folder, edit the line below in both the index.php file and admin.php file, then move the directory to the specified location:

$system_path = '../system';

The above example moves the system folder up one directory. This keeps it out of the web server's reach only if that parent directory is outside your document root, so confirm where your document root is before moving the folder.
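The script below is an added example, not from the Nexcess article, that performs both of the path changes described on this page in one pass: it renames admin.php and updates cp_url to match (from the "Change the administrator login web address" section), then moves the system folder one level above the document root and rewrites $system_path in both entry files. It assumes the config.php location the article gives and single-quoted assignments like the ones shown; the install tree, file names and URL are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Nexcess article: rename admin.php and update cp_url, then
# move system/ above the document root and update $system_path in both entry files.
# Assumptions: config.php lives at system/expressionengine/config/config.php, and the
# entry files contain single-quoted assignments as shown in the article.
set -eu

# Constructed stand-in for a stock install: $root/webroot is the document root.
make_stock_site() {
    root="$1"
    mkdir -p "$root/webroot/system/expressionengine/config"
    printf "<?php\n\$system_path = './system';\n" > "$root/webroot/index.php"
    printf "<?php\n\$system_path = './system';\n" > "$root/webroot/admin.php"
    printf "<?php\n\$config['cp_url'] = 'http://domain.tld/admin.php';\n" \
        > "$root/webroot/system/expressionengine/config/config.php"
}

# Replace the line matching ERE $2 in file $1 with $3, writing through a temp file
# (sed -i is not portable between GNU and BSD). Fails if nothing matched.
replace_line() {
    file="$1" pat="$2" line="$3"
    grep -Eq "$pat" "$file" || { echo "no line matching $pat in $file" >&2; return 1; }
    awk -v pat="$pat" -v line="$line" '$0 ~ pat { print line; next } { print }' "$file" \
        > "$file.tmp"
    mv "$file.tmp" "$file"
}

# $1 = install root (parent of webroot), $2 = new name for admin.php, $3 = site base URL.
harden_paths() {
    root="$1" new_admin="$2" base_url="$3"
    web="$root/webroot"
    cfg="$web/system/expressionengine/config/config.php"

    # 1. Rename the control-panel entry file and point cp_url at the new name.
    mv "$web/admin.php" "$web/$new_admin"
    replace_line "$cfg" "^[$]config.'cp_url'. = " "\$config['cp_url'] = '$base_url/$new_admin';"

    # 2. Move system/ above the document root and update both entry files.
    mv "$web/system" "$root/system"
    for entry in "$web/index.php" "$web/$new_admin"; do
        replace_line "$entry" "^[$]system_path = " "\$system_path = '../system';"
    done
}

# Post-change check: old paths gone, new assignments present in every file that needs them.
verify_paths() {
    root="$1" new_admin="$2" base_url="$3"
    [ ! -e "$root/webroot/admin.php" ] || return 1
    [ ! -e "$root/webroot/system" ] || return 1
    grep -qF "\$system_path = '../system';" "$root/webroot/index.php" || return 1
    grep -qF "\$system_path = '../system';" "$root/webroot/$new_admin" || return 1
    grep -qF "cp_url'] = '$base_url/$new_admin';" "$root/system/expressionengine/config/config.php"
}

# Stand-alone demo in a temporary directory.
demo=$(mktemp -d)
make_stock_site "$demo"
harden_paths "$demo" "cp-entry.php" "http://domain.tld"
verify_paths "$demo" "cp-entry.php" "http://domain.tld" && echo "paths hardened and verified"
rm -rf "$demo"
```

Run the verification step after any ExpressionEngine upgrade as well: upgrades can ship a fresh admin.php and index.php that reset these lines to their defaults.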

Add CAPTCHAs to forms

CAPTCHAs offer additional validation to forms to prevent aggressive spamming. Before users may submit a form, they must read and enter a generated code for each post. Most newer versions of ExpressionEngine include the CAPTCHA feature and require minimal effort to implement. CAPTCHAs can be implemented on comment forms, member registration forms, and contact or tell-a-friend forms. For more information on implementing CAPTCHAs, refer to the EllisLab website.


