Published by Mijingo

movie icon image

ExpressionEngine How-to Articles

Topics range from beginner to advanced, but are all born out of real world, professional, day-to-day use of ExpressionEngine. Need more information? Get training videos and ebooks on ExpressionEngine from Mijingo.

Securing ExpressionEngine 2

Last month EE Insider asked the readers “What do you rename your system folder to?” The responses ranged from common dictionary words to random strings and everything in between. The responders are obviously concerned about security and doing what they can to ensure malicious users or bots cannot attack their Control Panel. Let’s take a look at a simple way to secure your ExpressionEngine 2 (EE2) installation.

The System Folder

In the root index.php file there’s a line near the top that tells EE2 exactly where to look for the system folder. This is your first line of defense against malicious attacks. Security through obscurity it’s sometimes called but it works surprisingly well.

$system_folder 'system'

This isn’t iron clad security but it sure is better than an easily guessable /system folder. Now, let’s make it better.

It is not obvious from the variable name or the default value, but the $system_folder variable isn’t just looking for a directory name. It can take an entire server path to your system folder. We’re not limited to just system there, we could write private/system and nest our control panel within an .htaccess protected private directory. We could also go the other way and pull our system folder up a level outside the web root like so:

$system_folder '../sys'

On a typical Apache install, where your index.php file is located at /var/www/vhosts/ the preceding system_folder call to ../sys would tell EE to look to /var/www/vhosts/ for system files. This is immesaurably more secure than just renaming your system folder because you’ve moved all your private info outside of the web realm. No longer can attackers guess your system name and navigate right to your system/expressionengine/config/config.php file.

An increasingly common attack is to search for Subversion’s .svn directories within your web root and infer an application’s directory structure from the entries file (this is done by navigating to If these aren’t protected by .htaccess you’re giving attackers a full view into your system folder name, the extensions you have installed and even, potentially your template structure.

Simply by asking Subversion for your directory structure, attackers could find and exploit all those templates you thought no one could see and you didn’t need to put a password on, or all those half baked extensions that may or may not be 100% finished. Moving your system folder out of the web realm protects this and gives attackers (potential) access to only the files you deem web safe.

My Secure Setup

Now that we’ve explored what EE2 can do, let’s look at a typical secure setup. Here are the paths I use for various parts of my EE2 installation:


Let’s take a look at each one individually.


I’ve chosen to keep everything inside of the traditional httpdocs directory and rewrite my Apache DOCUMENT_ROOT via a virtual host. In this instance I’ve rewritten it to /var/www/vhosts/ Primarly this helps future developers find everything in the “expected” location of httpdocs. Secondly, there are many backup solutions, including some fairly popular Plesk solutions that only backup the httpdocs directory so keeping everything inside ensures compatability with a wider array of software.

This method also play nice with a shared hosting environment like Dreamhost where your domain would live at ~/


sys is my renamed system folder to keep my anal retentive tendencies in check and ensure each folder is three characters. This is the path I place in the $system variable in index.php file in EE2.


tpl is simply the templates folder broken out to make it easier to access without drilling down through system subfolders. I can place this in the site’s config.php file to let EE2 know where the templates are located.


lib contains any 3rd party scripts in use on the site such as phpThumb or ReCaptcha.

Put all of this together and you have a simple and secure way to run on your EE2 website.

Posted on May 11, 2010

Filed Under: How-To, Security, ExpressionEngine Development,

Mark Huot
About Mark Huot

Mark Huot is the Technology & Development Director at Happy Cog and develops content management systems ranging in size from personal blogging tools to enterprise-scale e-commerce systems. Adhering to web standards throughout his development process, Mark creates intuitive systems that demonstrate the same kind of care and forethought present in Happy Cog