Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What are the some best ways to secure expressionengine?

The official docs only go as far to say put system above root and rename admin.php to something obscure - which is not security so much as it is inconveniencing bots that would otherwise simply try to hit domain.com/admin.php repeatedly, for example. I commonly hear (today on Twitter being an example) questions about what else one can do to secure expressionengine. Not being terribly knowledgable in this area myself, and so for my benefit and others, are there some #eecms security gurus out there that could share some of the essentials that everyone should consider doing?

like image 380
Jean St-Amand Avatar asked Nov 05 '12 18:11

Jean St-Amand


4 Answers

You should also checkout Eric Lamb's Securitee ( http://devot-ee.com/add-ons/securitee ) add-on as a good next step in securing EE. It does a plethora of security checks to make sure that your system is as secure as possible through out the life of your site as security is not something that is set and forgot. From my experience harm doesn't usually come from hackers/bots but from people with to much access to the system. This also includes members that are granted temporary access but their access is never revoked, I know that in systems that I am added after development has been completed there are usually 2-3 super admins created for add-on developers to sort out a problem during development. While I am not saying that the add-on developers are going to wreck havoc on your site it is just another possible security hole that needs to be addressed.

Mark's booklet is a great read as is Eric Lamb's blog post about Securitee http://mithra62.com/blog/view/why-you-should-care-about-securitee

like image 70
Justin Long Avatar answered Oct 19 '22 02:10

Justin Long


Mark Huot has written a small booklet on securing expressionengine, you can get it here http://mijingo.com/products/ebooklets/securing-expressionengine-2/

Recommended read.

like image 43
erwinheiser Avatar answered Oct 19 '22 01:10

erwinheiser


The base install is quite secure. Renaming the system folder and/or admin.php takes away the first nail they could be hammering. Special attention should be given to add-ons that might have some security holes.

Limit access to the control panel for head-editors only and tighten down access to only parts they should have access to. If the generic users need to post articles, that can be done with the safecracker add-on, but in its current state could really do with a security checkup.

like image 41
GDmac Avatar answered Oct 19 '22 01:10

GDmac


If you have a lynda.com account, check out "Wordpress 3: Developing Secure Sites". I know, I know, WTF Wordpress?!, right? But the topics he covers are relevant to any DB-based CMS and he covers a really wide range of recommendations. Just swap "plugins" with "add-ons" and it's all pretty familiar territory.

like image 29
kmgdev Avatar answered Oct 19 '22 00:10

kmgdev