by Mark Huot
Last month EE Insider asked the readers “What do you rename your system folder to?” The responses ranged from common dictionary words to random strings and everything in between. The responders are obviously concerned about security and doing what they can to ensure malicious users or bots cannot attack their Control Panel. Let’s take a look at a simple way to secure your ExpressionEngine 2 (EE2) installation.
The System Folder
In the root index.php file there’s a line near the top that tells EE2 exactly where to look for the system folder. This is your first line of defense against malicious attacks. “Security through obscurity,” it’s sometimes called, but it works surprisingly well.
$system_folder = 'system';
This isn’t iron-clad security, but it sure is better than an easily guessable /system folder. Now, let’s make it better.
It is not obvious from the variable name or the default value, but the $system_folder variable isn’t just looking for a directory name. It can take an entire server path to your system folder. We’re not limited to just system there; we could write private/system and nest our control panel within a private directory. We could also go the other way and pull our system folder up a level outside the web root like so:
$system_folder = '../sys';
On a typical Apache install, where your index.php file is located at /var/www/vhosts/example.com/httpdocs/, the preceding system_folder call to ../sys would tell EE to look to /var/www/vhosts/example.com/system/ for system files. This is immeasurably more secure than just renaming your system folder, because you’ve moved all your private info outside of the web realm. No longer can attackers guess your system name and navigate right to your
An increasingly common attack is to search for Subversion’s .svn directories within your web root and infer an application’s directory structure from the entries file (this is done by navigating to http://www.example.com/.svn/entries). If these aren’t protected by .htaccess, you’re giving attackers a full view into your system folder name, the extensions you have installed and even, potentially, your template structure.
Simply by asking Subversion for your directory structure, attackers could find and exploit all those templates you thought no one could see and didn’t need a password, or all those half-baked extensions that may or may not be 100% finished. Moving your system folder out of the web realm protects against this and gives attackers (potential) access to only the files you deem web safe.
My Secure Setup
Now that we’ve explored what EE2 can do, let’s look at a typical secure setup. Here are the paths I use for various parts of my EE2 installation:
Let’s take a look at each one individually.
I’ve chosen to keep everything inside of the traditional httpdocs directory and rewrite my Apache DOCUMENT_ROOT via a virtual host. In this instance I’ve rewritten it to /var/www/vhosts/example.com/httpdocs/pub. Primarily, this helps future developers find everything in the “expected” location of httpdocs. Secondly, there are many backup solutions, including some fairly popular Plesk solutions, that only back up the httpdocs directory, so keeping everything inside ensures compatibility with a wider array of software. This method also plays nicely with a shared hosting environment like Dreamhost, where your domain would live at
sys is my renamed system folder, to keep my anal-retentive tendencies in check and ensure each folder is three characters. This is the path I place in the $system variable in the index.php file in EE2.
tpl is simply the templates folder broken out to make it easier to access without drilling down through system subfolders. I can place this in the site’s config.php file to let EE2 know where the templates are located.
lib contains any 3rd party scripts in use on the site such as phpThumb or ReCaptcha.
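As an added example (not code from the article or from ExpressionEngine), here is a small Python check that resolves a $system_folder value the way the root index.php sees it and reports whether the result lands outside the Apache DOCUMENT_ROOT, covering both the ../sys case earlier and the httpdocs/pub layout just described. It assumes a relative value is resolved from the directory holding index.php, and the sample paths are constructed to mirror the ones in the article.

```python
import posixpath


def resolve_system_folder(index_php: str, system_folder: str) -> str:
    """Resolve EE2's $system_folder value as the root index.php would see it.

    Assumption: a relative value is taken relative to the directory that
    holds index.php; an absolute value is used as given.
    """
    base = posixpath.dirname(index_php)
    if not posixpath.isabs(system_folder):
        system_folder = posixpath.join(base, system_folder)
    return posixpath.normpath(system_folder)


def is_outside_webroot(path: str, document_root: str) -> bool:
    """True when `path` is neither the document root nor anything beneath it.

    Comparing against root + "/" avoids the prefix trap where
    /srv/httpdocs-old would otherwise look like it sits under /srv/httpdocs.
    """
    root = posixpath.normpath(document_root)
    target = posixpath.normpath(path)
    return target != root and not target.startswith(root.rstrip("/") + "/")


def audit_system_folder(index_php: str, system_folder: str,
                        document_root: str) -> dict:
    """Resolve the folder and report whether it is reachable from the web root."""
    resolved = resolve_system_folder(index_php, system_folder)
    return {
        "resolved": resolved,
        "outside_webroot": is_outside_webroot(resolved, document_root),
    }


if __name__ == "__main__":
    # Constructed sample layouts mirroring the article's example paths.
    cases = [
        ("/var/www/vhosts/example.com/httpdocs/index.php", "system",
         "/var/www/vhosts/example.com/httpdocs"),
        ("/var/www/vhosts/example.com/httpdocs/index.php", "../sys",
         "/var/www/vhosts/example.com/httpdocs"),
        ("/var/www/vhosts/example.com/httpdocs/pub/index.php", "../sys",
         "/var/www/vhosts/example.com/httpdocs/pub"),
    ]
    for index_php, folder, docroot in cases:
        result = audit_system_folder(index_php, folder, docroot)
        state = "outside web root" if result["outside_webroot"] else "WEB-REACHABLE"
        print(f"{folder:>8} -> {result['resolved']}  [{state}]")
```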
Put all of this together and you have a simple and secure way to run your EE2 website.