Ask the Readers: Simple or complicated system directory name?
There are two camps: those that use some really complicated, difficult to remember system folder name (e.g. /dhw793hdu2738/) and those that like to keep it simpler (e.g. /controlpanel/). Either way, it’s security through obscurity and there are way better ways to secure your EE site. But I want to ask the readers of EE Insider:
Do you name your system directory something simple or complicated?
Let us know in the comments!
(Pssst…if you use a certain directory name, you might not want to divulge it in the comments!)
bluedreamer — 05:33 on 04.06.2010
I don’t have a standard method as such, but often I’ll choose a word, phrase or combo that the site owner is familiar with.
James — 05:45 on 04.06.2010
It can’t be too complicated, so the client will remember what the directory is called.
Jacob Graf — 06:00 on 04.06.2010
I always use a random string for the system directory (e.g. dkjh2782kj) or move it above web root. Then I set up another directory relating to something within that client’s industry and mask it to the complicated system directory. (e.g. Supermarket client masked home directory would be ‘face’ or a lawyer firm’s directory would be ‘justice’, etc.) Something that the client can remember, but also, doesn’t reveal the location of the real System folder and files.
mr_dimsum — 06:03 on 04.06.2010
This might seem totally nerdy, but for my next ExpressionEngine website, I decided to name the control panel after Vector Sigma, the so-called computer operated by the Quintessons and Primus that gives “life” to the Transformers.
I thought there was some awesome lore behind the television series and thought it appropriate to give the site, database, etc. a hierarchical naming schematic that follows the structure on the show.
Okay, I’ve said too much. I’m going to end up writing a novel here if I don’t stop now.
Carlo Laitano — 06:17 on 04.06.2010
I actually move the system directory out of the website root so it can’t be accessed via URL/HTTP. Then I give the system index.php file a significant name, something not common but that clients won’t forget. It’s worked wonders, very secure!
Hendrik-Jan Francke — 06:19 on 04.06.2010
simple. not super simple but simple.
Paul Frost — 07:25 on 04.06.2010
Simple, as I encourage users to use the EE Control Panel rather than set up SAEFs.
I’ve wondered if there is any value in using https for the CP?
Emmanuel — 10:15 on 04.06.2010
Simple, something like backoffice, backend, backdoor, backstage, coulisses (French for backstage) and so on…
Alex Kendrick — 10:23 on 04.06.2010
I rename it as an acronym that includes the website’s name and a few other characters. So while it is easy to remember for people in the know, it is still slightly cryptic.
AJP — 10:56 on 04.06.2010
I do a simple, but not “system” or “admin” usually.
Ryan, can you do a post on some ways to secure your control panel? Or at least a review of methods?
John Faulds — 12:49 on 04.06.2010
You can of course mask access to the CP and then name the system folder whatever you like: http://expressionengine.com/docs/installation/masked_cp_access.html
Chad Crowell — 20:13 on 04.06.2010
I’m surprised so many of you don’t mask access to the CP, as John linked to above me. It takes 30 seconds and allows you to name the system folder anything you like, while hiding it from the users.
I use 1password to generate a random 12 character string and name it that. I usually refresh the generator about 10 times and then keep refreshing until I get a string that starts with a letter near the end of the alphabet so that the folder appears at the bottom of the list of files and folders.
Erik Reagan — 08:01 on 04.07.2010
I mask all of my CPs with random strings similar to Chad’s approach (using 1Password for string generation). I keep the URL that the client uses something simple and always encourage them to bookmark the URL anyways.
Chad, why not just manually add a Z in the front if you want it at the bottom of the list of directory contents?
Sean — 01:23 on 04.10.2010
Hmmm I like Chad’s approach and might do that for my next build. Up until now I was using a naming system based on a set prefix and the client’s site name.
moogaloo — 21:35 on 04.12.2010
I had initially been using obvious ones, like /cms and even made them a subdomain… until a site got hacked early on in development.
Since then I always move the system folder above webroot. I’ve also taken to giving them slightly more unusual names, but still something familiar, and I don’t put them as a subdomain anymore.