Textpattern CMS support forum

#1 2008-10-31 06:07:48

mhulse
Plugin Author
From: Eugene Oregon
Registered: 2005-01-21
Posts: 200

What do you do to secure "/textpattern"?

Hi,

Just curious about best practice for securing the textpattern system folder… What technique do you use?

Is it best to re-name that folder? If so, is there a good tutorial on how to do it?

How ‘bout htaccess… Code example?

Thanks
Micky

Offline

#2 2008-10-31 06:35:28

the_ghost
Plugin Author
From: Minsk, The Republic of Belarus
Registered: 2007-07-26
Posts: 907
Website

Re: What do you do to secure "/textpattern"?

Just use password function of .htaccess file, placed in /textpattern/ folder. But this needs some thinking about – css.php is inside this folder, so your visitors can “miss” your styles, if they are called by tag txp:css


Providing help in hacking ATM! Come to courses and don’t forget to bring us notebook and hammer! What for notebook? What a kind of hacker you are without notebook?

Offline

#3 2008-10-31 06:40:11

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,007
Website GitHub Mastodon Twitter

Re: What do you do to secure "/textpattern"?

Adding a second password might help.

Last edited by colak (2008-10-31 06:41:27)


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#4 2008-10-31 07:23:26

net-carver
Archived Plugin Author
Registered: 2006-03-08
Posts: 1,648

Re: What do you do to secure "/textpattern"?

Micky

Great question. I’d like to see what others are doing. Here’s part of an experimental .htaccess I have on one site and it seems to work…

DirectoryIndex index.php index.html

#Options +FollowSymLinks
Options -Indexes

<IfModule mod_rewrite.c>
	RewriteEngine On
	#RewriteBase /relative/web/path/

	#
	#	Protect specific /textpattern folders by preventing Indexes and webfile access even if
	# Options -Indexes isn't allowed. 
	#
	RewriteRule ^textpattern/lang/.* index.php
	RewriteRule ^textpattern/tmp/.* index.php
	RewriteRule ^textpattern/lib/.* index.php
	RewriteRule ^textpattern/include/.* index.php
	RewriteRule ^textpattern/publish/.* index.php
	RewriteRule ^textpattern/update/.* index.php
	#
	#	Uncomment the following line if you are using cnk_versioning or hcg_templates...
	#
	#RewriteRule ^textpattern/_templates/.* index.php
	#
	#	Uncomment the following line (adjust the path if needed) if your plugin-cache directory is under your site root...
	#
	#RewriteRule ^textpattern/plugins/.* index.php

	#
	#	Otherwise, allow access to all existing files...
	#
	RewriteCond %{REQUEST_FILENAME} -f [OR]
	RewriteCond %{REQUEST_FILENAME} -d
	RewriteRule ^(.+) - [PT,L]

	#
	#	But redirect all remaining access attempts to the public index script...
	#
	RewriteRule ^(.*) index.php

	RewriteCond %{HTTP:Authorization}  !^$
	RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
</IfModule>

#php_value register_globals 0

I recommend turning off indexes unless you specifically need them. The .htaccess posted above does this but it might not work on your host if they don’t allow indexing to be turned off in .htaccess files. In that case, an alternative would be to ask your host to turn off indexes on your site in its virtual host file and failing that, just add a simple static index.html or index.php that redirects to the site root into every directory you don’t want Apache to index automatically.

Also make sure that your setup directory has been removed after you install textpattern.

Last edited by net-carver (2008-10-31 07:24:44)


Steve

Offline

#5 2008-10-31 14:08:09

hcgtv
Plugin Author
From: Key Largo, Florida
Registered: 2005-11-29
Posts: 2,722
Website

Re: What do you do to secure "/textpattern"?

Ruud gave me this .htaccess a while back:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{REQUEST_FILENAME} !textpattern(/setup)?/?$
 RewriteCond %{REQUEST_FILENAME} !textpattern/((setup/)?index|css)\.php$
 RewriteCond %{REQUEST_FILENAME} !textpattern/textpattern\.(css|js)$
 RewriteCond %{REQUEST_FILENAME} !textpattern/txp_img/.+\.(jpg|gif|png)$
 RewriteRule ^(.*) - [F]
</IfModule>

Place it in your Textpattern folder.

It works by denying everything except what is needed for normal operation. I haven’t had any issues using it, it’s now a part of any new installation I do.

Offline
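Added example, not part of the post above or of Ruud's code: a small Python model of the four negated RewriteCond patterns, useful for checking which requests the allow-list would answer with 403 before deploying it. The document root and the sample paths are constructed assumptions.

```python
import re

# The four RewriteCond patterns from the .htaccess above. Each is negated ("!")
# and the conditions are ANDed, so [F] fires only when NONE of them matches.
ALLOW_PATTERNS = [
    r"textpattern(/setup)?/?$",
    r"textpattern/((setup/)?index|css)\.php$",
    r"textpattern/textpattern\.(css|js)$",
    r"textpattern/txp_img/.+\.(jpg|gif|png)$",
]
ALLOW = [re.compile(p) for p in ALLOW_PATTERNS]

DOCROOT = "/var/www/example"  # assumed document root (constructed)

# Constructed sample requests, not taken from the thread.
SAMPLE_PATHS = [
    "/textpattern/",
    "/textpattern/index.php",
    "/textpattern/css.php",
    "/textpattern/textpattern.js",
    "/textpattern/txp_img/logo.png",
    "/textpattern/txp_img/logo.PNG",     # no [NC] flag, so case matters
    "/textpattern/config.php",
    "/textpattern/lib/txplib_db.php",
    "/textpattern/setup/index.php",      # still allowed by the rules
]


def status_for(url_path: str) -> int:
    """Return 403 if the rule set would answer [F], else 200 (passed through)."""
    # In .htaccess context REQUEST_FILENAME is the mapped filesystem path.
    request_filename = DOCROOT + url_path
    # mod_rewrite patterns are unanchored unless they use ^ or $, like re.search.
    if any(rx.search(request_filename) for rx in ALLOW):
        return 200
    return 403


def audit(paths):
    """Map each request path to the status the allow-list would produce."""
    return {p: status_for(p) for p in paths}


if __name__ == "__main__":
    for path, code in audit(SAMPLE_PATHS).items():
        print(f"{code}  {path}")
```

The model shows that config.php and everything under lib/ are refused, while setup/index.php stays reachable, so removing the setup directory after installation is still needed.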

#6 2008-10-31 15:24:47

thebombsite
Archived Plugin Author
From: Exmouth, England
Registered: 2004-08-24
Posts: 3,251
Website

Re: What do you do to secure "/textpattern"?

Do you mean the actual /textpattern/ folder as opposed to the root Bert?


Stuart

In a Time of Universal Deceit
Telling the Truth is Revolutionary.

Offline

#7 2008-10-31 15:49:00

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: What do you do to secure "/textpattern"?

thebombsite wrote:

Do you mean the actual /textpattern/ folder as opposed to the root Bert?

I’m no Bert, but yes; You need it only for /textpattern/ dir. Note that the script can reduce your server’s performance (a lot), but it works :)

Last edited by Gocom (2008-10-31 15:49:58)

Offline

#8 2008-10-31 16:16:29

hcgtv
Plugin Author
From: Key Largo, Florida
Registered: 2005-11-29
Posts: 2,722
Website

Re: What do you do to secure "/textpattern"?

thebombsite wrote:

Do you mean the actual /textpattern/ folder as opposed to the root Bert?

Yes, right alongside the config.php file.

Offline

#9 2008-10-31 16:50:17

thebombsite
Archived Plugin Author
From: Exmouth, England
Registered: 2004-08-24
Posts: 3,251
Website

Re: What do you do to secure "/textpattern"?

OK. Thanks both. :)


Stuart

In a Time of Universal Deceit
Telling the Truth is Revolutionary.

Offline

#10 2008-11-02 16:51:26

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: What do you do to secure "/textpattern"?

This was added to the wiki a long while ago, Renaming the Textpattern Admin Directory for Added Security. Ed. That link is now obsolete, see revision details.

Last edited by Destry (2008-11-03 22:03:35)

Offline

#11 2008-11-03 19:06:51

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441
Website

Re: What do you do to secure "/textpattern"?

The way I do this is rename my textpattern/ folder and then create a section/page called ‘textpattern’ and add <txp:txp_die status="403" />
That way people who know where the Txp folder is by default will be greeted with a Forbidden page :) simple. Not only that, but most people will be fooled into thinking that you HAVEN’T renamed the folder (meaning they won’t try to guess the new directory); they will just assume that you have blocked access but to certain persons.

Here is mine for a quick example: http://simplecandy.com/textpattern/

Last edited by driz (2008-11-03 19:09:43)


~ Cameron

Offline

#12 2008-11-03 19:08:57

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,254
Website

Re: What do you do to secure "/textpattern"?

driz wrote:

The way I do this is rename my textpattern/ folder and then create a section/page called ‘textpattern’ and add <txp:txp_die status="403" />
That way people who know where the Txp folder is by default will be greeted with a Forbidden page :) simple.

Here is mine for a quick example: http://simplecandy.com/textpattern/

Wouldn’t a 404 be better than a 403?


My Plugins

Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker

Offline
