Textpattern Forum


#1 2008-10-31 06:07:48

mhulse
Plugin Author
From: Eugene Oregon
Registered: 2005-01-21
Posts: 200

What do you do to secure "/textpattern"?

Hi,

Just curious about best practice for securing the textpattern system folder… What technique do you use?

Is it best to re-name that folder? If so, is there a good tutorial on how to do it?

How ‘bout htaccess… Code example?

Thanks
Micky

Offline

#2 2008-10-31 06:35:28

the_ghost
Plugin Author
From: Minsk, The Republic of Belarus
Registered: 2007-07-26
Posts: 907
Website

Re: What do you do to secure "/textpattern"?

Just use the password function of an .htaccess file placed in the /textpattern/ folder. But this needs some thinking about – css.php is inside this folder, so your visitors can “miss” your styles if they are called by the tag txp:css


Providing help in hacking ATM! Come to courses and don’t forget to bring us notebook and hammer! What for notebook? What a kind of hacker you are without notebook?

Offline

#3 2008-10-31 06:40:11

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 4,948
Website

Re: What do you do to secure "/textpattern"?

Adding a second password might help.

Last edited by colak (2008-10-31 06:41:27)


Yiannis
——————————
neme.org | neme-imca.org | hblack.net | LABS

Offline

#4 2008-10-31 07:23:26

net-carver
Admin
From: UK
Registered: 2006-03-08
Posts: 1,648

Re: What do you do to secure "/textpattern"?

Micky

Great question. I’d like to see what others are doing. Here’s part of an experimental .htaccess I have on one site and it seems to work…

DirectoryIndex index.php index.html

#Options +FollowSymLinks
Options -Indexes

<IfModule mod_rewrite.c>
	RewriteEngine On
	#RewriteBase /relative/web/path/

	#
	#	Protect specific /textpattern folders by preventing Indexes and webfile access even if
	# Options -Indexes isn't allowed. 
	#
	RewriteRule ^textpattern/lang/.* index.php
	RewriteRule ^textpattern/tmp/.* index.php
	RewriteRule ^textpattern/lib/.* index.php
	RewriteRule ^textpattern/include/.* index.php
	RewriteRule ^textpattern/publish/.* index.php
	RewriteRule ^textpattern/update/.* index.php
	#
	#	Uncomment the following line if you are using cnk_versioning or hcg_templates...
	#
	#RewriteRule ^textpattern/_templates/.* index.php
	#
	#	Uncomment the following line (adjust the path if needed) if your plugin-cache directory is under your site root...
	#
	#RewriteRule ^textpattern/plugins/.* index.php

	#
	#	Otherwise, allow access to all existing files...
	#
	RewriteCond %{REQUEST_FILENAME} -f [OR]
	RewriteCond %{REQUEST_FILENAME} -d
	RewriteRule ^(.+) - [PT,L]

	#
	#	But redirect all remaining access attempts to the public index script...
	#
	RewriteRule ^(.*) index.php

	RewriteCond %{HTTP:Authorization}  !^$
	RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
</IfModule>

#php_value register_globals 0

I recommend turning off indexes unless you specifically need them. The .htaccess posted above does this but it might not work on your host if they don’t allow indexing to be turned off in .htaccess files. In that case, an alternative would be to ask your host to turn off indexes on your site in its virtual host file and failing that, just add a simple static index.html or index.php that redirects to the site root into every directory you don’t want Apache to index automatically.

Also make sure that your setup directory has been removed after you install textpattern.

Last edited by net-carver (2008-10-31 07:24:44)


Steve
Textile | My plugins on GitHub | @netcarver

Offline

#5 2008-10-31 14:08:09

hcgtv
Member
From: Charlotte, NC
Registered: 2005-11-29
Posts: 2,154
Website

Re: What do you do to secure "/textpattern"?

Ruud gave me this .htaccess a while back:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{REQUEST_FILENAME} !textpattern(/setup)?/?$
 RewriteCond %{REQUEST_FILENAME} !textpattern/((setup/)?index|css)\.php$
 RewriteCond %{REQUEST_FILENAME} !textpattern/textpattern\.(css|js)$
 RewriteCond %{REQUEST_FILENAME} !textpattern/txp_img/.+\.(jpg|gif|png)$
 RewriteRule ^(.*) - [F]
</IfModule>

Place it in your Textpattern folder.

It works by denying everything except what is needed for normal operation. I haven’t had any issues using it, it’s now a part of any new installation I do.


txp:tag – Textpattern Tags ~ TxPlanet – Textpattern Planet

Offline
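An added example (not part of hcgtv's post or Ruud's original) that replays the four RewriteCond patterns quoted above in Python to show which requests the allow-list lets through and which get a 403. The document root /var/www/site and the sample file names are constructed; the model assumes REQUEST_FILENAME holds the full filesystem path, as it does in .htaccess context.

```python
import re

# The four RewriteCond patterns from the .htaccess above, in order. Each is
# negated with "!" there, so the final rule "- [F]" fires (403) only when
# REQUEST_FILENAME matches none of them.
ALLOW_PATTERNS = [
    r"textpattern(/setup)?/?$",
    r"textpattern/((setup/)?index|css)\.php$",
    r"textpattern/textpattern\.(css|js)$",
    r"textpattern/txp_img/.+\.(jpg|gif|png)$",
]
ALLOW = [re.compile(p) for p in ALLOW_PATTERNS]


def is_forbidden(request_filename: str) -> bool:
    """True when every negated RewriteCond holds, i.e. Apache would answer 403."""
    return not any(rx.search(request_filename) for rx in ALLOW)


def audit(paths):
    """Map each path to 'allow' or '403' under the allow-list."""
    return {p: ("403" if is_forbidden(p) else "allow") for p in paths}


# Constructed sample paths; /var/www/site is an assumed document root.
ROOT = "/var/www/site/textpattern"
SAMPLES = [
    ROOT + "/",                         # admin login via DirectoryIndex
    ROOT + "/index.php",                # admin interface
    ROOT + "/css.php",                  # stylesheet endpoint used by txp:css
    ROOT + "/textpattern.js",
    ROOT + "/txp_img/logo.gif",         # constructed image name
    ROOT + "/config.php",               # database credentials
    ROOT + "/lib/txplib_db.php",        # library code, never requested directly
    ROOT + "/include/txp_article.php",
    ROOT + "/txp_img/script.php",       # anything in txp_img that is not an image
    ROOT + "/setup/index.php",          # installer: still allowed by the rules
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLES).items():
        print(f"{verdict:5}  {path}")
```

The last sample shows that the rules keep /setup/index.php reachable, so removing the setup directory after installation, as advised earlier in the thread, is still needed.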

#6 2008-10-31 15:24:47

thebombsite
Plugin Author
From: Exmouth, England
Registered: 2004-08-24
Posts: 3,251
Website

Re: What do you do to secure "/textpattern"?

Do you mean the actual /textpattern/ folder as opposed to the root Bert?


Stuart – The Bombsite | ProText Themes | Textgarden

In a Time of Universal Deceit
Telling the Truth is Revolutionary.

Offline

#7 2008-10-31 15:49:00

Gocom
Developer
Registered: 2006-07-14
Posts: 4,473
Website

Re: What do you do to secure "/textpattern"?

thebombsite wrote:

Do you mean the actual /textpattern/ folder as opposed to the root Bert?

I’m no Bert, but yes; you need it only for the /textpattern/ dir. Note that the script can reduce your server’s performance (a lot), but it works :)

Last edited by Gocom (2008-10-31 15:49:58)


Rah-plugins | What? I’m a little confused… again :-) <txp:is_god />

Offline

#8 2008-10-31 16:16:29

hcgtv
Member
From: Charlotte, NC
Registered: 2005-11-29
Posts: 2,154
Website

Re: What do you do to secure "/textpattern"?

thebombsite wrote:

Do you mean the actual /textpattern/ folder as opposed to the root Bert?

Yes, right alongside the config.php file.


txp:tag – Textpattern Tags ~ TxPlanet – Textpattern Planet

Offline

#9 2008-10-31 16:50:17

thebombsite
Plugin Author
From: Exmouth, England
Registered: 2004-08-24
Posts: 3,251
Website

Re: What do you do to secure "/textpattern"?

OK. Thanks both. :)


Stuart – The Bombsite | ProText Themes | Textgarden

In a Time of Universal Deceit
Telling the Truth is Revolutionary.

Offline

#10 2008-11-02 16:51:26

Destry
Moderator
From: Strasbourg, France
Registered: 2004-08-04
Posts: 2,359
Website

Re: What do you do to secure "/textpattern"?

This was added to the wiki a long while ago, Renaming the Textpattern Admin Directory for Added Security. Ed. That link is now obsolete, see revision details.

Last edited by Destry (2008-11-03 22:03:35)

Offline
