Learn some security best practices for your ExpressionEngine (EE) site.
Secure the permissions of your site
Limiting file permissions can improve the security of ExpressionEngine. The process can be tricky, because the right permissions depend on your hosting environment and on the directories certain plugins need to write to. As a general rule, deny write access to everyone except the file owner; in practice, this usually means everyone other than yourself. Refer to How to configure ExpressionEngine permissions and ownership for more information.
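The script below is an added example, not code from this page or from ExpressionEngine, showing one way to apply and then audit owner-only write permissions on an EE tree. It assumes, which the page does not state, that PHP runs as the site owner (as with suPHP or a per-user PHP-FPM pool), so directories at 755 and files at 644 let the web server read static assets while only the owner can write, and that config.php lives at the EE2 path system/expressionengine/config/config.php; the demo tree it builds in a temporary directory is constructed, not a real install.

```shell
#!/bin/sh
# Added example, not from the page or from ExpressionEngine: apply and audit
# owner-only write permissions on an EE tree. Assumes (not stated on the page)
# that PHP runs as the site owner, as with suPHP or a per-user PHP-FPM pool,
# so 755/644 lets the web server read static assets while only the owner
# can write, and config.php (EE2 path) can be locked to the owner alone.
set -eu

# harden_ee_perms <docroot>: directories 755, files 644, config.php 600.
harden_ee_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    cfg="$root/system/expressionengine/config/config.php"
    if [ -f "$cfg" ]; then
        chmod 600 "$cfg"      # config.php holds the database credentials
    fi
}

# audit_ee_perms <docroot>: print every path still writable by group or
# others and return 1 if any exist, so the check can gate a deployment.
audit_ee_perms() {
    root=$1
    bad=$(find "$root" \( -perm -020 -o -perm -002 \))
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Demo on a constructed tree (not a real EE install) in a temp directory.
demo=$(mktemp -d)
mkdir -p "$demo/system/expressionengine/config" "$demo/images/uploads"
echo '<?php $config["db"]["password"] = "secret";' \
    > "$demo/system/expressionengine/config/config.php"
: > "$demo/index.php"
: > "$demo/images/uploads/photo.jpg"
chmod -R 777 "$demo"                     # worst case: everything world-writable
audit_ee_perms "$demo" >/dev/null || echo "before: group/world-writable paths found"
harden_ee_perms "$demo"
audit_ee_perms "$demo" && echo "after: nothing writable by group or others"
rm -rf "$demo"
```

If a plugin needs a writable upload or cache directory and PHP does not run as the owner, widen only that directory and re-run the audit so the exception stays visible rather than hidden in a blanket chmod.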
Change the administrator login web address
Obscuring the path to the ExpressionEngine control panel can help deter intrusions. An administrator login page at a predictable address is a far more likely target for brute-force login attempts. Changing the address of the login page does not make it unreachable, but it keeps automated scanners and casual attackers from finding it; keep using strong passwords for control panel accounts as well. To change it, rename the admin.php file to a name of your choosing, then edit the line shown below in the system/expressionengine/config/config.php file so that it points at the new file name.
$config['cp_url'] = "http://domain.tld/newname.php";
Manage access points
You can access your site through SSH, FTP, or the SiteWorx control panel; which one you use depends on the task. Each access point should have its own password that follows your password policy. Always use encrypted methods when connecting to your site and when moving or modifying its content: SSH, SFTP, and SCP protect your credentials and files in transit, whereas plain FTP sends both in cleartext, so prefer the SSH-based methods whenever your host offers them.
Deploy changes responsibly
Installing extensions, themes, and other applications can introduce vulnerabilities. The best way to minimize this risk is to make every change first in a development environment. Frequently referred to as a "dev site," this environment is a copy of your live site on which changes do not affect your actual website. We also recommend that you back up both the site files and the database before making any change, as these backups are the final line of defense against security breaches and data corruption.
Implement your own password policy
A password policy states requirements for passwords.
We recommend the following conventions when adopting a strong password policy:
- Do not use a password that is easily guessed or decoded.
- Establish length and complexity requirements.
- Change the password regularly, and immediately if you suspect it has been exposed.
- Do not recycle passwords.
Change or move the system folder
Obscuring the path of the ExpressionEngine system folder can help prevent intrusions. The system folder is the core of your ExpressionEngine install and contains sensitive information, including config.php with your database credentials. To change the name of the system folder, edit the line below in both the index.php file and the admin.php file (the default value is './system'):
$system_path = './newsecurename';
Once this line is edited in both files, rename the system folder to reflect the new name.
Moving the system folder outside of the web root also improves security, because files above the document root cannot be requested directly by a browser. To move the system folder, edit the line below in both the index.php file and the admin.php file, then move the directory to the specified location:
$system_path = '../system';
The above example moves the system folder up one directory, so it sits beside the web root rather than inside it. If your host sets PHP's open_basedir, make sure the new location is still within the permitted paths, or the site will fail to load.
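The following script is an added example, not code from this page or from EllisLab, that automates both renames described on this page: it renames admin.php and updates cp_url (the "Change the administrator login web address" section), then rewrites $system_path in index.php and the renamed admin file and moves the system folder (this section). It assumes the EE2 layout named in the text, straight quotes in the stock lines $system_path = './system'; and $config['cp_url'] = "http://domain.tld/admin.php";, and builds a constructed stand-in site for the demo; the names cp-9f3a.php and ee-core and the URL https://domain.tld are placeholders.

```shell
#!/bin/sh
# Added example (not from the page or EllisLab): rename admin.php and the
# system folder, keeping config.php, index.php and the admin file in step.
# Assumes the EE2 layout (index.php and admin.php beside a system/ folder
# that holds expressionengine/config/config.php) and straight quotes in the
# stock lines:
#   $system_path = './system';
#   $config['cp_url'] = "http://domain.tld/admin.php";
set -eu

# set_line <bre> <new-line> <file>: replace the line beginning with BRE $1 by
# the literal line $2. '|' is the sed delimiter, so arguments must not
# contain it.
set_line() {
    sed -i.bak "s|^$1|$2|" "$3"
    rm -f "$3.bak"
}

# relocate_ee <docroot> <site-url> <new-admin-name> <new-system-path>
#   new-system-path is relative to docroot: './ee-core' renames in place,
#   '../ee-core' moves the folder one level above the web root.
relocate_ee() {
    root=$1 url=$2 admin=$3 syspath=$4
    cfg="$root/system/expressionengine/config/config.php"
    if [ -e "$root/$syspath" ]; then
        echo "target $root/$syspath already exists" >&2
        return 1
    fi

    # 1. Point the control panel at the renamed admin file (config.php is
    #    edited at its old path, before the folder moves).
    set_line '\$config\[.cp_url.\] = .*;' \
             "\$config['cp_url'] = \"$url/$admin\";" "$cfg"
    mv "$root/admin.php" "$root/$admin"

    # 2. Both entry files must agree on the new system path.
    for f in "$root/index.php" "$root/$admin"; do
        set_line '\$system_path = .*;' "\$system_path = '$syspath';" "$f"
    done

    # 3. Move the folder to where the entry files now point.
    mv "$root/system" "$root/$syspath"
}

# check_ee <docroot> <admin-name> <system-path>: return 0 when the tree is
# consistent: no admin.php left, new admin file present, both entry files
# reference the new path, and config.php is reachable through it.
check_ee() {
    root=$1 admin=$2 syspath=$3
    [ ! -e "$root/admin.php" ] || return 1
    [ -f "$root/$admin" ] || return 1
    [ -f "$root/$syspath/expressionengine/config/config.php" ] || return 1
    for f in "$root/index.php" "$root/$admin"; do
        grep -qF "\$system_path = '$syspath';" "$f" || return 1
    done
}

# Constructed stand-in for an EE2 site (not real EE code) used by the demo.
make_demo_site() {
    root=$1
    mkdir -p "$root/system/expressionengine/config"
    for f in index.php admin.php; do
        printf '%s\n' '<?php' "\$system_path = './system';" > "$root/$f"
    done
    printf '%s\n' '<?php' \
        "\$config['cp_url'] = \"http://domain.tld/admin.php\";" \
        > "$root/system/expressionengine/config/config.php"
}

demo=$(mktemp -d)
make_demo_site "$demo/public"
relocate_ee "$demo/public" "https://domain.tld" "cp-9f3a.php" "../ee-core"
check_ee "$demo/public" "cp-9f3a.php" "../ee-core" && echo "relocated: $demo/public"
cat "$demo/public/index.php"
rm -rf "$demo"
```

Run check_ee after every deploy that touches these files: a future upload that restores a stock admin.php or index.php silently reopens the old login address or breaks the system path, and the check catches both.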
Add CAPTCHAs to forms
CAPTCHAs add a validation step to forms to deter automated spam. Before users may submit a form, they must read and enter a generated code for each post. Most newer versions of ExpressionEngine include the CAPTCHA feature, which requires minimal effort to implement. CAPTCHAs can be enabled on comment forms, member registration forms, and contact or tell-a-friend forms. For more information on implementing CAPTCHAs, refer to the EllisLab website.