How to secure your ExpressionEngine website
Article Number: 1519 | Rating: Unrated | Last Updated: Mon, Jan 14, 2019 at 2:16 PM
Secure the permissions of your site
Limiting the file permissions can improve the security of ExpressionEngine. However, this process can be tricky as file permissions depend on your hosting environment and the access needed by certain plugins. Generally, you want to restrict access to all non-owners. In practice, this usually means everyone other than yourself. Refer to How to configure ExpressionEngine permissions and ownership for more information.
Change the administrator login web address
Obscuring the path to the ExpressionEngine administrator panel can help prevent intrusions. An easily guessed administrator login page is far more likely to be targeted by brute-force attempts to gain access, so changing the administrator web address (URL) hides the login page from such attempts. To do so, rename the admin.php file to a name of your choosing, then edit the line shown below in the system/expressionengine/config/config.php file so that it reflects the new name of the admin.php file.
$config['cp_url'] = "http://domain.tld/newname.php";
Manage access points
You can access your site through SSH, FTP, or the SiteWorx control panel; which one you use depends on your objective. Each of these access methods should have its own password and should follow your password policy. Always use secure methods when accessing your site and when moving or modifying its content. Finally, SSH-based connection methods such as SSH, SFTP, or SCP encrypt the session and offer a relatively easy way to add a further layer of security.
Deploy changes responsibly
The installation of extensions, themes, and other applications can create vulnerabilities. The best way to minimize this threat is to implement all new changes first in a development environment. Frequently referred to as a "dev site," this environment is an exact copy of your live site, but changes made to it do not affect your actual website. We also recommend that you back up both the site files and the database before making any changes, as these backups form the final line of defense against security breaches and data corruption.
Implement your own password policy
A password policy states requirements for passwords.
We recommend the following conventions when adopting a strong password policy:
Change or move the system folder
Obscuring the path of the ExpressionEngine system folder can help prevent intrusions. The system folder is the core of your ExpressionEngine install and contains sensitive information. To change the name of the system folder, edit the line below in both the index.php file and the admin.php file (or the renamed administrator file, if you changed it in the step above).
$system_path = './newsecurename';
Once this line is edited in both files, rename the system folder to reflect the new name.
Moving the system folder outside of the webroot can also improve security. To move the system folder, edit the line below in both the index.php file and admin.php file, then move the directory to the specified location:
$system_path = '../system';
The above example moves the system folder up one directory.
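The two changes described above (renaming admin.php and updating cp_url, then repointing both front controllers at a renamed or relocated system folder) can be applied together from the shell. The script below is an added example, not Nexcess or EllisLab code; it assumes the ExpressionEngine 2.x layout named in this article (system/expressionengine/config/config.php), a POSIX sh with awk and sed, and placeholder names for the new admin file and system path.

```shell
#!/bin/sh
# Added example: apply the admin-URL and system-folder changes from this
# article to an ExpressionEngine docroot. Not part of ExpressionEngine itself.
set -e

# Replace every line that starts with $prefix by $replacement.
# Uses a temp file instead of sed -i so it works on both GNU and BSD systems.
set_line() {
  file=$1; prefix=$2; replacement=$3
  awk -v pre="$prefix" -v rep="$replacement" \
    'index($0, pre) == 1 { print rep; next } { print }' "$file" > "$file.tmp" \
    && mv "$file.tmp" "$file"
}

# ee_obscure DOCROOT NEW_ADMIN NEW_SYSTEM_PATH BASE_URL
#   NEW_ADMIN       new name of admin.php without the .php suffix
#   NEW_SYSTEM_PATH value for $system_path, e.g. ./newsecurename or ../system
ee_obscure() {
  docroot=$1; new_admin=$2; new_system=$3; base_url=$4
  config="$docroot/system/expressionengine/config/config.php"
  # 1. Rename the control-panel entry script and point cp_url at the new name.
  mv "$docroot/admin.php" "$docroot/$new_admin.php"
  set_line "$config" "\$config['cp_url']" \
    "\$config['cp_url'] = \"$base_url/$new_admin.php\";"
  # 2. Repoint both front controllers, then rename/move the system folder.
  #    config.php is edited before the move so its path above is still valid.
  for f in "$docroot/index.php" "$docroot/$new_admin.php"; do
    set_line "$f" "\$system_path" "\$system_path = '$new_system';"
  done
  mv "$docroot/system" "$docroot/$new_system"
}

# Check the result: the default admin.php must be gone, and the $system_path
# in every front controller must resolve to an existing directory.
ee_verify() {
  docroot=$1
  [ ! -e "$docroot/admin.php" ] || return 1
  for f in "$docroot"/*.php; do
    p=$(sed -n "s/^[$]system_path = '\(.*\)';.*/\1/p" "$f")
    [ -n "$p" ] && [ -d "$docroot/$p" ] || return 1
  done
}

# usage (placeholders): ee_obscure /var/www/html manage ./sysprivate https://domain.tld
```

Run ee_verify after the change; a non-zero exit means a front controller still points at the old path, which would take the site down.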
Add CAPTCHAs to forms
CAPTCHAs offer additional validation for forms to prevent aggressive spamming. Before users may submit a form, they must read and enter a generated code for each post. Most newer versions of ExpressionEngine include the CAPTCHA feature and require minimal effort to implement. CAPTCHAs can be implemented on comment forms, member registration forms, and contact or tell-a-friend forms. For more information on implementing CAPTCHAs, refer to the EllisLab website.