Security
Posted: 29 April 2007 03:29 PM
Lab Assistant
Total Posts:  124
Joined  12-31-2005

Just wondering ...

Is there a security advantage in using a multiple domain set-up EE where the main EE install is placed in some nonsensical domain (or subdomain) .. [e.g. i3j6b.com] with the .htaccess (“deny from all .. allow allmydomains.com”) modified so that ONLY my other domain(s) can have access to it?

I can’t remember whose site, but there were a couple of “under development” sites I have seen from people here who have links to a “You Have been Hacked” page ..

I’ve actually been using an .htaccess protected subdomain which holds all of my images and css files and I’ve gotten a whole lot of 403’s and 500’s in the stats from some very funny looking domains.

There were also a lot of people looking for my “system” directory, but I have a system directory with .htaccess protection .. the real system directory is called something like “b5j4o7i7e7”.

Posted: 30 April 2007 03:52 AM   [ # 1 ]
Research Assistant
Total Posts:  768
Joined  03-16-2002

Obfuscating directories and subdomains does add some additional level of security - but it all depends on the weakest part of the chain. If, for example, the generated image, download and CSS paths reveal an obfuscated directory, it will be worthless. So, it all depends on (1) your setup, (2) your definition of “security” and (3) the enemies and risks you try to defeat. Obfuscation helps best against humans, even well against dictionary attacks, but not against brute force attacks.

That said, I’d like to add that I’d doubt that EE was the prime reason for any defacements - as far as I remember, only one major security problem was discovered in EE since the first release ... and that one was based on a common library and hit other CMS as well. Most “hacks” I know of happened due to problems in the server configuration or were based on other software packages installed that had security flaws. But maybe the EE staff will comment on that.

Of course, maintaining the EE installation, other software that is installed and the server configuration is the major task regarding security.

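The point in reply # 1, that generated image, download and CSS paths can reveal an obfuscated directory, can be checked mechanically. The following is an added example, not part of the thread and not ExpressionEngine code: it scans rendered HTML for URLs that expose a hidden directory or hostname. The sample page and its paths are constructed, and the hidden names reuse the placeholders quoted in the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "src", "action", "data", "poster"}   # attributes that carry URLs
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.I)   # url(...) inside CSS

class UrlCollector(HTMLParser):
    """Collect URLs from tag attributes, inline styles and <style> blocks."""
    def __init__(self):
        super().__init__()
        self.urls, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if value and name in URL_ATTRS:
                self.urls.append(value)
            elif value and name == "style":
                self.urls.extend(CSS_URL.findall(value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.urls.extend(CSS_URL.findall(data))

def find_leaks(html, hidden_names):
    """Return sorted (hidden_name, url) pairs for URLs exposing a hidden name."""
    collector = UrlCollector()
    collector.feed(html)
    leaks = set()
    for url in collector.urls:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower()
        segments = [s.lower() for s in parts.path.split("/") if s]
        for name in hidden_names:
            n = name.lower()
            # Match a whole hostname (or parent domain) or a whole path segment.
            if host == n or host.endswith("." + n) or n in segments:
                leaks.add((name, url))
    return sorted(leaks)

# Constructed sample: output of a public template that references hidden locations.
HIDDEN = ["b5j4o7i7e7", "i3j6b.com"]
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://i3j6b.com/css/site.css">
<style>body { background: url('/b5j4o7i7e7/images/bg.png'); }</style>
</head><body><img src="/images/uploads/photo.jpg">
<div style="background:url(/themes/site/header.png)"></div></body></html>"""
```

Running `find_leaks` over every public template's rendered output shows whether the renamed directory or the obscure domain is already visible to anyone who views the page source.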
 
 
Posted: 01 May 2007 11:36 AM   [ # 2 ]
Lab Technician
Total Posts:  1472
Joined  08-28-2003
tulkul - 29 April 2007 03:29 PM

Just wondering ...

Is there a security advantage in using a multiple domain set-up EE where the main EE install is placed in some nonsensical domain (or subdomain) .. [e.g. i3j6b.com] with the .htaccess (“deny from all .. allow allmydomains.com”) modified so that ONLY my other domain(s) can have access to it?

In a word, “not much.” Wait. That’s two words, so it’s twice the security. Every little bit helps, though running EE from an ultra obscure domain or subdomain probably won’t make much difference in most security issues. EE itself is quite secure from outside intrusion, so you’re more likely to have a problem from the server side.

I can’t remember whose site, but there were a couple of “under development” sites I have seen from people here who have links to a “You Have been Hacked” page ..

I’ve actually been using an .htaccess protected subdomain which holds all of my images and css files and I’ve gotten a whole lot of 403’s and 500’s in the stats from some very funny looking domains.

There were also a lot of people looking for my “system” directory, but I have a system directory with .htaccess protection .. the real system directory is called something like “b5j4o7i7e7”.

Renaming the /system directory provides about as much security as you can get without going totally paranoid. Of course, if everyone is out to get you, then paranoia is the right attitude.

Again, most hacks will come from the server side so make sure permissions are what they should be on the EE files.

 Signature 

RonnieMc

Honolulu, HI USA

HomeMac360
