
ExpressionEngine How-to Articles


Securing ExpressionEngine 2

Last month EE Insider asked the readers “What do you rename your system folder to?” The responses ranged from common dictionary words to random strings and everything in between. The respondents are clearly concerned about security and want to do what they can to ensure malicious users or bots cannot attack their Control Panel. Let’s take a look at a simple way to secure your ExpressionEngine 2 (EE2) installation.

The System Folder

In the root index.php file there’s a line near the top that tells EE2 exactly where to look for the system folder. Renaming that folder is your first line of defense against malicious attacks. It’s sometimes dismissed as security through obscurity, but it works surprisingly well against bots and scanners that simply probe for the default /system path.

$system_folder = 'system';

This isn’t iron-clad security, but it sure is better than the easily guessed default /system folder. Now, let’s make it better.

It is not obvious from the variable name or the default value, but $system_folder isn’t limited to a bare directory name. It accepts a path to your system folder, relative to index.php or absolute. We’re not limited to just system there: we could write private/system and nest our Control Panel within an .htaccess-protected private directory. We could also go the other way and pull our system folder up a level, outside the web root, like so:

$system_folder = '../sys';

On a typical Apache install, where your index.php file is located at /var/www/vhosts/example.com/httpdocs/, the preceding $system_folder value of ../sys tells EE to look in /var/www/vhosts/example.com/sys/ for its system files. This is immeasurably more secure than just renaming your system folder, because you’ve moved all your private files outside the web root. Attackers can no longer guess your system folder name and request system/expressionengine/config/config.php directly; the only things a web server can hand out are files under the document root. The Control Panel is still reached through the index.php that stays in the web root, since that file is what tells EE where the system folder lives.
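The following Python is an added example, not code from the article or from ExpressionEngine. It performs the same path arithmetic that index.php does on $system_folder (join onto the directory holding index.php, collapse ..) and reports whether the resolved folder lies under the document root, i.e. whether config.php could be requested by URL. The paths and the example.com host name are the article’s, including the pub document root used in the setup described below; the function names are my own, and the normalisation is lexical rather than realpath-based, so symlinks are not followed and .htaccess rules are not consulted (a folder reported as inside the web root is requestable unless something else blocks it).

```python
"""Check whether an ExpressionEngine $system_folder setting leaves the system
folder reachable over HTTP.  Added example, not the article's or EE's own code;
pure path arithmetic, so it runs anywhere without the server layout present."""
from pathlib import PurePosixPath


def resolve_system_folder(index_php_dir: str, system_folder: str) -> PurePosixPath:
    """Resolve $system_folder relative to the directory that holds index.php.

    An absolute setting is used as-is.  '..' is collapsed lexically (no
    filesystem access), which matches realpath() except across symlinks.
    """
    base = PurePosixPath(index_php_dir)
    target = PurePosixPath(system_folder)
    if not target.is_absolute():
        target = base / target
    parts = []
    for part in target.parts:
        if part == "..":
            if len(parts) > 1:  # never climb above '/'
                parts.pop()
        elif part not in (".", ""):
            parts.append(part)
    return PurePosixPath(*parts)


def exposure(doc_root: str, index_php_dir: str, system_folder: str,
             host: str = "example.com") -> dict:
    """Report where the system folder lands and whether it sits under the
    document root (and is therefore addressable by URL)."""
    root = PurePosixPath(doc_root)
    system = resolve_system_folder(index_php_dir, system_folder)
    try:
        rel = system.relative_to(root)
        inside = True
    except ValueError:
        rel, inside = None, False
    url = None
    if inside:
        # The guessable URL of the most sensitive file in the system folder.
        url = "http://%s/%s" % (host, "/".join(
            rel.parts + ("expressionengine", "config", "config.php")))
    return {"system_path": str(system), "inside_web_root": inside, "config_url": url}


if __name__ == "__main__":
    HTTPDOCS = "/var/www/vhosts/example.com/httpdocs"
    # Constructed cases mirroring the article: default name, nested, moved up,
    # and the pub document root from the "My Secure Setup" layout.
    CASES = [
        (HTTPDOCS, HTTPDOCS, "system"),
        (HTTPDOCS, HTTPDOCS, "private/system"),
        (HTTPDOCS, HTTPDOCS, "../sys"),
        (HTTPDOCS + "/pub", HTTPDOCS + "/pub", "../sys"),
    ]
    for doc_root, idx_dir, setting in CASES:
        print("%-16s -> %s" % (setting, exposure(doc_root, idx_dir, setting)))
```

Run it as-is to see the four layouts; only the two ../sys cases come back with inside_web_root False and no URL.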

An increasingly common attack is to look for Subversion’s .svn directories within your web root and infer the application’s directory structure from the entries file (by requesting http://www.example.com/.svn/entries). If these aren’t blocked by .htaccess, you’re handing attackers a full view of your system folder name, the extensions you have installed and, potentially, your template structure as well.

Simply by asking Subversion for your directory structure, attackers could find and probe all those templates you thought no one could see and never put a password on, or all those half-baked extensions that may or may not be 100% finished. Moving your system folder outside the web root takes all of that off the table and leaves attackers (potential) access only to the files you deem web-safe.

My Secure Setup

Now that we’ve explored what EE2 can do, let’s look at a typical secure setup. Here are the paths I use for various parts of my EE2 installation:

/var/www/vhosts/example.com/httpdocs/pub
/var/www/vhosts/example.com/httpdocs/sys
/var/www/vhosts/example.com/httpdocs/tpl
/var/www/vhosts/example.com/httpdocs/lib 

Let’s take a look at each one individually.

/var/www/vhosts/example.com/httpdocs/pub 

I’ve chosen to keep everything inside the traditional httpdocs directory and point Apache’s DocumentRoot at a subdirectory via the virtual host. In this instance the document root is /var/www/vhosts/example.com/httpdocs/pub, so sys, tpl and lib sit beside it, inside httpdocs but outside the web root. Primarily this helps future developers find everything in the “expected” location of httpdocs. Secondly, many backup solutions, including some fairly popular Plesk ones, only back up the httpdocs directory, so keeping everything inside it ensures compatibility with a wider array of software.
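Here is the virtual host that layout implies, as an added configuration example rather than the article’s own: it points DocumentRoot at pub, denies everything else under httpdocs as a backstop, and blocks version-control metadata and dotfiles so the .svn/entries probe described earlier returns 403. Apache 2.4 syntax is assumed (Require directives; on 2.2 the equivalents are Order/Deny). The paths are the article’s; the ServerName and the Options line are my choices.

```apache
# Added example virtual host for the pub/sys/tpl/lib layout (not from the article).
<VirtualHost *:80>
    ServerName example.com

    # Only pub is served. sys, tpl and lib live beside it under httpdocs,
    # so they are never addressable by URL.
    DocumentRoot /var/www/vhosts/example.com/httpdocs/pub

    # Backstop: nothing under httpdocs is served unless a more specific
    # <Directory> block (below) grants it.
    <Directory /var/www/vhosts/example.com/httpdocs>
        Require all denied
    </Directory>

    <Directory /var/www/vhosts/example.com/httpdocs/pub>
        Options -Indexes
        AllowOverride All
        Require all granted
    </Directory>

    # Never expose version-control metadata (.svn/entries, .git) or other
    # dotfiles such as .htaccess, even if a checkout lands inside pub.
    <DirectoryMatch "/\.(svn|git)">
        Require all denied
    </DirectoryMatch>
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
</VirtualHost>
```

Apache merges <Directory> sections from shortest path to longest, so the grant on pub overrides the deny on httpdocs only for files under pub. After reloading, confirm with a request for /.svn/entries and for a path you know exists only under sys: both should fail, the first with 403 and the second with 404.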

This method also plays nicely with a shared hosting environment like Dreamhost, where your domain would live at ~/example.com/pub/.

/var/www/vhosts/example.com/httpdocs/sys 

sys is my renamed system folder; it keeps my anal-retentive tendencies in check by ensuring each folder name is three characters. This is the path I place in the $system_folder variable in EE2’s index.php (as ../sys, since index.php lives in pub).

/var/www/vhosts/example.com/httpdocs/tpl 

tpl is simply the templates folder broken out so it can be reached without drilling down through system subfolders. I point EE2 at it from the site’s config.php (the tmpl_file_basepath setting).

/var/www/vhosts/example.com/httpdocs/lib 

lib contains any third-party scripts in use on the site, such as phpThumb or ReCaptcha.

Put all of this together and you have a simple, secure layout for your EE2 website.

giuliano, 13:27 on 05.11.2010

Really simple and useful.

Thanks.

Christopher B, 13:28 on 05.11.2010

I too have been looking into ways to secure an EE2 installation. The method of moving the system folder up one level outside of public_html I have read about, and it seems the most secure. However, then how do you/the client log in to the backend? That is, instead of going to example.com/system, where would you go to log in to the Control Panel?

For your secure setup, you provided your naming scheme for your directories, and that you move some of the system directories into the main folder, but other than organization, what do you do to actually secure your system? That is, I’m assuming httpdocs is the same thing as public_html, correct? Thanks in advance!

Ryan Irelan, 13:34 on 05.11.2010

Christopher,

The client will still log in to the Control Panel using example.com/system. Setting that $system_folder variable is what tells EE where to look.

Christopher B, 13:45 on 05.11.2010

Oh, I see. So other than being able to log in, if you try accessing files directly such as the config (as you mentioned above) you would be unable to, if the system file is outside the public directory? (That makes sense.)

But if you can still go to example.com/system, bots can still try to guess the username and password, correct? Meaning if you move the directory up one, it protects files better, but you would still want to change the directory name to something obscure to prevent the bots from accessing the login page, right?

Going to eeinsider.com/sys, however, returns a page not found, so maybe you have found a way around this.

Also, couldn’t someone simply turn on Firebug to see which directory certain files were loading from to determine the name of the system file?

I’m used to Joomla and now WordPress, so pardon my ignorance of EE. Though I did just purchase a copy of EE2 and a copy of your book, which I have just started. So I’ll be caught up soon!

Christopher B, 17:03 on 05.12.2010

After rereading, I now realize that /pub/ is your public directory, so in fact sys, tpl, and lib are outside (above) the public directory. Makes much more sense now.

Question, in regards to, “I can place this in the site’s config.php file to let EE2 know where the templates are located.”

I looked in the config file and did not see an option for changing the location of the template folder. What code did you add to do that? Thanks!

Mark Huot, 17:12 on 05.12.2010

@chris it’s not in the default config any more, but with a little sleuthing in EE you’ll find you can add:

$config['tmpl_file_basepath'] = ".../tpl/";

Christopher B, 17:13 on 05.12.2010

Awesome thanks Mark!

Ikaika Hussey, 04:05 on 06.02.2010

Does this same approach apply to EE 1.6.x?

Ebola, 04:33 on 06.02.2010

How do you access the system if you have placed it outside of document root? mod_rewrite?

Mark Huot, 07:39 on 06.04.2010

@Ikaika: Absolutely! And it works the same way, change the path in index.php as well as the template path in config.php

@Ebola: The control panel is accessed through the “masked control panel access.” In EE2 this is done by copying the `system/index.php` into the document root and pointing it at the system folder via a configurable path (within the file).

See:

* http://expressionengine.com/docs/installation/masked_cp_access.html

Adam, 16:55 on 06.24.2010

Thanks for this article, very useful. I’m interested in your method of keeping everything inside the traditional httpdocs directory and rewriting your Apache DOCUMENT_ROOT via a virtual host. It seems like a great way to develop a consistent, easily repeated EE installation, but I get lost at rewriting the document root. I only took a quick look, but is that done via httpd.conf? Access to Apache configuration doesn’t seem to be typical within shared hosting environments, or at least not the ones I’m familiar with. Could you give a little more insight into that process?

Thanks!

Stuart McCOy, 20:51 on 06.28.2010

I’m with Adam here. I’m trying to develop a way to work on my MacBook Pro locally using virtual hosts to mimic the live site structure as closely as possible. I’d like to add this level of security and organization, but I’d like to see a clearer step-by-step article explaining the process a little more clearly. I’ve got the virtual hosts stuff down; I’m a little stuck on the security, masked CPs, etc., but putting this into the virtual hosts context would be helpful too.
