
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Protect "system" folder with "Deny from all"

September 21, 2011 4:09pm

  • #1 / Sep 21, 2011 4:09pm

    cliffdangler

    7 posts

    Hi,

    I need to place my “system” folder in the web root (publicly accessible).

    Is it hack-proof to simply place a .htaccess file in the root of the “system” folder with the “Deny from all” directive?

    My understanding is that all subfolders are also protected.

    I do understand that placing “system” above the webroot is most ideal, plus renaming the folder, but what if it has to be in the webroot?

    Thanks

    PS. Why hasn’t EE placed this file by default, for extra added security, as the index.html and index.php would only “protect” the current folder that these files are in?

  • #2 / Sep 22, 2011 2:58am

    John Henry Donovan

    12339 posts

    cliffdangler,

    Is it hack-proof to simply place a .htaccess file in the root of the “system” folder with the “Deny from all” directive?

    All the folders inside the system folder have index.html files to make the directory unbrowsable.

    Until recent versions the recommended way to access the control panel would have been through the system folder. You can actually still reach the control panel this way.

    What type of hacking were you trying to protect against?

    Making the system folder an unguessable name would be the way to go here if you cannot place it below the root.

    Almost all hacks I have seen haven’t been with EE itself but from another account or script on the server that has found its way into an install of EE.

    There is a nice eBook available here on securing ExpressionEngine. It goes into more detail than just the install itself and also explains options in the control panel.

  • #3 / Sep 22, 2011 3:24am

    cliffdangler

    7 posts

    Hi John,

    Thanks for the reply. So it seems you are saying that it’s unnecessary to place the described .htaccess file into the root of “system”, and that changing the “system” folder name to something unguessable would suffice?

    I’m just worried about general exploits, as all the core files and configs are in the publicly accessible webroot.

    Will check out the link.

    Thanks

  • #4 / Sep 22, 2011 5:32pm

    Kevin Smith

    4784 posts

    Hi cliffdangler,

    Placing that directive in an .htaccess file in the system folder could have some strange unintended consequences, so I wouldn’t recommend that. In general, best practices for securing ExpressionEngine can be found here, and I wouldn’t worry about direct script access because all the files in the system folder begin with

    <?php
    // EXT is defined by the site's index.php before any system file is included,
    // so a request that hits this file directly has no EXT and stops here.
    if ( ! defined('EXT'))
    {
        exit('Invalid file request');
    }

    which keeps out any request that didn’t originate from the site’s index.php file.

    Does that help?
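As an added illustration (not code from this thread or from ExpressionEngine), here is a Python check a site owner could run over a system folder to list PHP files that do not open with the EXT guard Kevin describes. The directory layout and the file contents it scans are constructed samples; skipping index.php assumes it is the front controller that defines EXT, and the comment stripping is a heuristic rather than a full PHP parser.

```python
import re
import tempfile
from pathlib import Path

# Strip PHP comments so a licence block above the guard does not hide it (heuristic).
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)

# The guard quoted in the thread, allowing for the whitespace variations seen in practice.
GUARD_RE = re.compile(r"^if\s*\(\s*!\s*defined\s*\(\s*['\"]EXT['\"]\s*\)\s*\)")


def has_ext_guard(source: str) -> bool:
    """True if the first statement after the <?php tag is the EXT guard."""
    idx = source.find("<?php")
    if idx < 0:
        return False
    body = COMMENT_RE.sub("", source[idx + len("<?php"):])
    return GUARD_RE.match(body.lstrip()) is not None


def find_unguarded(root: Path) -> list[str]:
    """Walk root and return relative paths of .php files lacking the guard.

    index.php is skipped because (assumption) it is the front controller that
    defines EXT rather than a file that should be checking for it.
    """
    missing = []
    for path in sorted(root.rglob("*.php")):
        if path.name == "index.php":
            continue
        if not has_ext_guard(path.read_text(encoding="utf-8", errors="replace")):
            missing.append(path.relative_to(root).as_posix())
    return missing


# Constructed sample files (not from ExpressionEngine).
GUARDED = """<?php
/*
 * Constructed sample library file with the guard in place.
 */
if ( ! defined('EXT'))
{
    exit('Invalid file request');
}
class Foo {}
"""

UNGUARDED = """<?php
// Constructed sample: a helper dropped into the tree without the guard.
$db_password = 'example-only';
"""

FRONT_CONTROLLER = """<?php
// Constructed stand-in for the front controller that defines EXT.
define('EXT', '.php');
"""


def build_sample_tree() -> Path:
    """Create a throwaway directory shaped like a small system folder."""
    root = Path(tempfile.mkdtemp(prefix="ee-system-"))
    (root / "libraries").mkdir()
    (root / "libraries" / "Foo.php").write_text(GUARDED, encoding="utf-8")
    (root / "config").mkdir()
    (root / "config" / "leaked.php").write_text(UNGUARDED, encoding="utf-8")
    (root / "index.php").write_text(FRONT_CONTROLLER, encoding="utf-8")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel in find_unguarded(root):
        print("no EXT guard:", rel)
```

Run against a real install, point `find_unguarded` at the system folder; any file it reports would be reachable as a plain script if the folder is in the web root, which is exactly the case the guard exists to close. The check complements, rather than replaces, keeping the folder out of the web root or renaming it.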

