Hi,
Just curious about best practice for securing the textpattern system folder… What technique do you use?
Is it best to re-name that folder? If so, is there a good tutorial on how to do it?
How ‘bout htaccess… Code example?
Thanks
Micky
Offline
Just use the password function of a .htaccess file, placed in the /textpattern/ folder. But this needs some thinking about – css.php is inside this folder, so your visitors can “miss” your styles if they are called by the tag txp:css
Providing help in hacking ATM! Come to courses and don’t forget to bring us a notebook and a hammer! What is the notebook for? What kind of hacker are you without a notebook?
Offline
Adding a second password might help.
Last edited by colak (2008-10-31 06:41:27)
neme.org | neme-imca.org | hblack.net | LABS
Offline
Micky
Great question. I’d like to see what others are doing. Here’s part of an experimental .htaccess I have on one site and it seems to work…
DirectoryIndex index.php index.html
#Options +FollowSymLinks
Options -Indexes

<IfModule mod_rewrite.c>
RewriteEngine On
#RewriteBase /relative/web/path/

#
# Protect specific /textpattern folders by preventing Indexes and webfile access even if
# Options -Indexes isn't allowed.
#
RewriteRule ^textpattern/lang/.* index.php
RewriteRule ^textpattern/tmp/.* index.php
RewriteRule ^textpattern/lib/.* index.php
RewriteRule ^textpattern/include/.* index.php
RewriteRule ^textpattern/publish/.* index.php
RewriteRule ^textpattern/update/.* index.php

#
# Uncomment the following line if you are using cnk_versioning or hcg_templates...
#
#RewriteRule ^textpattern/_templates/.* index.php

#
# Uncomment the following line (adjust the path if needed) if your plugin-cache directory is under your site root...
#
#RewriteRule ^textpattern/plugins/.* index.php

#
# Otherwise, allow access to all existing files...
#
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+) - [PT,L]

#
# But redirect all remaining access attempts to the public index script...
#
RewriteRule ^(.*) index.php

RewriteCond %{HTTP:Authorization} !^$
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
</IfModule>

#php_value register_globals 0
I recommend turning off indexes unless you specifically need them. The .htaccess posted above does this but it might not work on your host if they don’t allow indexing to be turned off in .htaccess files. In that case, an alternative would be to ask your host to turn off indexes on your site in its virtual host file and failing that, just add a simple static index.html or index.php that redirects to the site root into every directory you don’t want Apache to index automatically.
Also make sure that your setup directory has been removed after you install textpattern.
Last edited by net-carver (2008-10-31 07:24:44)
— Steve
Textile | My plugins on GitHub | @netcarver
Offline
Ruud gave me this .htaccess a while back:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !textpattern(/setup)?/?$
RewriteCond %{REQUEST_FILENAME} !textpattern/((setup/)?index|css)\.php$
RewriteCond %{REQUEST_FILENAME} !textpattern/textpattern\.(css|js)$
RewriteCond %{REQUEST_FILENAME} !textpattern/txp_img/.+\.(jpg|gif|png)$
RewriteRule ^(.*) - [F]
</IfModule>
Place it in your Textpattern folder.
It works by denying everything except what is needed for normal operation. I haven’t had any issues using it; it’s now a part of any new installation I do.
Offline
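As an added check that is not code from the thread, the following Python mirrors the four RewriteCond patterns from Ruud’s .htaccess so you can see which paths under /textpattern/ the rules still leave reachable; the document root /var/www/site and the sample request paths are constructed assumptions.

```python
import re

# Ruud's four RewriteCond patterns, copied from the .htaccess above.
# Apache's RewriteCond is an unanchored search, so re.search is the
# right analogue. All four are negated ("!"): a request is allowed as
# soon as ONE of them matches, and forbidden ([F]) only when none match.
ALLOW_PATTERNS = [
    re.compile(r"textpattern(/setup)?/?$"),
    re.compile(r"textpattern/((setup/)?index|css)\.php$"),
    re.compile(r"textpattern/textpattern\.(css|js)$"),
    re.compile(r"textpattern/txp_img/.+\.(jpg|gif|png)$"),
]


def allowed(request_filename: str) -> bool:
    """Return True if the rules let the request through, False if it
    would hit 'RewriteRule ^(.*) - [F]' (403 Forbidden).

    request_filename plays the role of %{REQUEST_FILENAME}, i.e. the
    filesystem path Apache mapped the URL to."""
    return any(p.search(request_filename) for p in ALLOW_PATTERNS)


def check_paths(docroot: str = "/var/www/site") -> dict:
    # Constructed sample requests; the docroot is an assumption.
    samples = [
        "textpattern/",
        "textpattern/index.php",
        "textpattern/css.php",
        "textpattern/setup/index.php",
        "textpattern/textpattern.js",
        "textpattern/txp_img/logo.png",
        "textpattern/config.php",
        "textpattern/lib/txplib_db.php",
        "textpattern/txp_img/upload.php",
        "textpattern/tmp/",
    ]
    return {s: allowed(f"{docroot}/{s}") for s in samples}


if __name__ == "__main__":
    for path, ok in check_paths().items():
        print(f"{'ALLOW ' if ok else 'FORBID'} {path}")
```

Anything listed as FORBID is what the rule set protects; if you add plugins that serve extra files from /textpattern/, extend the pattern list and re-run the check.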
Do you mean the actual /textpattern/ folder as opposed to the root, Bert?
Stuart – The Bombsite – ProText Themes – Textgarden
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
Offline
thebombsite wrote:
Do you mean the actual /textpattern/ folder as opposed to the root, Bert?
I’m no Bert, but yes; you need it only for the /textpattern/ dir. Note that the script can reduce your server’s performance (a lot), but it works :)
Last edited by Gocom (2008-10-31 15:49:58)
Rah-plugins | What? I’m a little confused… again :-) <txp:is_god />
Offline
thebombsite wrote:
Do you mean the actual /textpattern/ folder as opposed to the root, Bert?
Yes, right alongside the config.php file.
Offline
OK. Thanks both. :)
Stuart – The Bombsite – ProText Themes – Textgarden
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
Offline
[This was added to the wiki a long while ago, Renaming the Textpattern Admin Directory for Added Security.] Ed. That link is now obsolete, see revision details.
Last edited by Destry (2008-11-03 22:03:35)
Offline