Nexcess Logo

How to secure your ExpressionEngine site

Knowledge Base Home

Notice anything different?

We've enhanced the appearance of our portal and we're working on updating screenshots. Things might look different, but the functionality remains the same.
September 08, 2019

Learn some best practices of security for your EE site.

Secure the permissions of your site

Limiting the file permissions can improve the security of ExpressionEngine. However, this process can be tricky as file permissions depend on your hosting environment and the access needed by certain plugins. Generally, you want to restrict access to all non-owners. In practice, this usually means everyone other than yourself. Refer to How to configure ExpressionEngine permissions and ownership for more information.

Change the administrator login web address

Obscuring the path to the ExpressionEngine administrator panel can help prevent intrusions. Easily guessed administrator login pages are much more likely to fall under brute force attempts to gain access. Changing the ExpressionEngine administrator web address or URL hides the login page to thwart unwanted access attempts. To do so, rename the admin.php file to one of your choosing, then edit the line shown below in the system/expressionengine/config/config.php file to reflect the new name of the admin.php file.

$config[‘cp_url’] = “http://domain.tld/newname.php

Manage access points

You can access your site through SSH, FTP, or the SiteWorx control panel, and the choice depends on your objective. Each of these protocols should have different passwords and should follow your password policy. Always use secure methods of accessing your site and moving or modifying the content of the site. Finally, connection methods like SSH, SFTP, or SCP offer relatively easy ways to provide an additional layer of security.

Deploy changes responsibly

The installation of extensions, themes, and other applications can create vulnerabilities. The best way to minimize this threat is to first implement all new changes in a development environment. Frequently referred to as a “dev site,” this environment is an exact copy of your live site, but changes made to it do not affect your actual website. We also recommend you backup both the site files and the database before making any changes, as these form the final line of defense against security breaches and data corruption.

Implement your own password policy

A password policy states requirements for passwords.

We recommend the following conventions when adopting a strong password policy:

  • Do not use a password that is not easily guessed or decoded.
  • Establish complexity requirements.
  • Change the password regularly.
  • Do not recycle passwords.

Consider using the Nexcess Secure Password Generator to help generate a secure custom password. For assistance with using this, refer to How to generate a secure password.

Change or move the system folder

Obscuring the path of the ExpressionEngine system folder can help prevent intrusions. The system folder is the core of your ExpressionEngine install and contains sensitive information. To change the name of the system folder, edit the line below in both the index.php file and admin.php file.

$system_path = ‘.newsecurename’;

Once this line is edited in both files, rename the system folder to reflect the new name.

Moving the system folder outside of the webroot can also improve security. To move the system folder, edit the line below in both the index.php file and admin.php file, then move the directory to the specified location:

$system_path = ‘../system’;

The above example moves the system folder up one directory.

Add CAPTCHAs to forms

CAPTCHAs offer additional validation for forms to prevent aggressive spamming. Before users may submit a form, they must read and enter a generated code for each post. Most newer versions of ExpressionEngine include the CAPTCHA feature and require minimal effort to implement. CAPTCHAs can be implemented on comment forms, member registration forms, and contact or tell-a-friend forms. For more information on implementing CAPTCHAs, refer to the EllisLab website.

For 24-hour assistance any day of the year, contact our support team by email or through your Client Portal.

Jason Dobry
We use cookies to understand how you interact with our site, to personalize and streamline your experience, and to tailor advertising. By continuing to use our site, you accept our use of cookies and accept our Privacy Policy.