
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


How should I secure my EE site? Need some advice.

March 29, 2011 5:58pm

  • #1 / Mar 29, 2011 5:58pm

    bgarrant

    356 posts

    Most sites I build follow the advanced steps to move system files above the web root.  I also rename the system folder and rename/move the CP Access file to a new location (masked).

    http://ellislab.com/expressionengine/user-guide/installation/installation.html 

    I am working with a hosting company now that will not allow me to move the system folder above the web root.  I just built a site using EE 2.1.3.  I renamed the system folder and renamed/moved the CP Access file to a new location (masked).  What else can I do to secure this site since I can’t get the system files above web root?  They also won’t let me remove the index.php file with URL Rewrite module but that is a whole other issue.  Any way to do this without that module on a Windows 2008 server?

    What else should I do to secure the site, short of changing hosting companies which is not an option as the customer had them in place first and the hosting company hired me to do the project?  Anything else I can do from my side?  Should I even need to worry if I have the other steps in place?

  • #2 / Mar 30, 2011 1:10am

    bgarrant

    356 posts

    Anyone have any advice?

  • #3 / Mar 30, 2011 12:51pm

    bgarrant

    356 posts

    Can anyone give me some advice?  Should I move this to another forum?

  • #4 / Mar 30, 2011 1:13pm

    Lisa Wess

    20502 posts

    Have you seen Securing ExpressionEngine 2 by Mark Huot?  That would be a good place for you to start. =)

  • #5 / Mar 31, 2011 10:55am

    bgarrant

    356 posts

    I have the guide and have used all steps other than moving system files above the root as this host will not allow it.  I have renamed my system folder, but is there anything else I can do to protect the files and the critical config files?  Do I have to worry with the system files in the web root or do many people set it up this way?

  • #6 / Mar 31, 2011 11:10am

    bgarrant

    356 posts

    If I can’t move the system files above the web root, what is the best I can do to secure my EE system?

  • #7 / Mar 31, 2011 11:33am

    Lisa Wess

    20502 posts

    Many people run EE that way, and most people on EE 1 did since we didn’t have published instructions (or an easy way) to handle putting those files above web-root.  As long as you’ve renamed the system folder (security through obscurity) that’s about the best that you can do to secure EE and still use all of its features.

  • #8 / Mar 31, 2011 11:35am

    bgarrant

    356 posts

    The host did say they could remove HTTP access to a folder for me?  Would this work in the same way or should I just move my config.php and have them do it on that file?

    I think they remove Anonymous Access or remove Read Access or something in IIS.

  • #9 / Mar 31, 2011 11:39am

    bgarrant

    356 posts

    I will also rename the system folder to some odd name like 11sh!99s%js^he!_system or something.  Can I use symbols I assume?
