Textpattern CMS support forum
#1 2016-09-30 14:15:05
- StFual
- Member
- Registered: 2016-09-30
- Posts: 19
New user New install question
I’ve followed the install script and have successfully installed Textpattern. I’ve deleted the setup directory.
Are the permissions listed somewhere, as I would like to check everything is set as it should be.
Also config.php worries me. It has a user name and password in clear text. Should I be doing something to protect this? Should it be deleted after install?
I was previously a WordPress user and got hacked several times. While I believe this was a hosting problem (many users got hacked at the same time) and I’ve now changed hosts, I would like to start with and maintain best practices in Textpattern. Any advice appreciated.
Re: New user New install question
Hi StFual and welcome to txp.
The permissions are set automatically so most people do not have to worry about them. If your diagnostics pass (Admin>Diagnostics) all should work just fine.
Regarding the config file being visible (to you via FTP), it is the case with all CMS systems, and it should not be deleted as it is needed to connect the CMS to the database. You could of course add an htaccess rule for further protection.
<Files config.php>
deny from all
</Files>
As to the WordPress vulnerabilities, we are all too aware of them. Most txp sites which were hacked were hacked because they were hosted on shared servers with WordPress installs used by their neighbours.
A comparison between WordPress and Textpattern should put your mind at ease, as the last known txp vulnerability was in 2014 and it was immediately patched by our developers.
Feel free to come back and ask any questions here. The community will offer any advice you may need on txp.
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: New user New install question
colak wrote #301859:
You could of course add an htaccess rule for further protection.
<Files config.php>
deny from all
</Files>
great tip! wonder why this .htaccess file isn’t added as a default.
Last edited by bici (2016-09-30 16:46:09)
…. texted postive
Re: New user New install question
bici wrote #301860:
great tip! wonder why this .htaccess file isn’t added as a default.
This might also be of help. Add:
ServerSignature Off
<Files .htaccess>
order allow,deny
deny from all
</Files>
to protect the htaccess file and the server details.
Yiannis
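The two rules posted above use Apache 2.2 access-control syntax (`deny from all`); on Apache 2.4 those directives only load through mod_access_compat, and a server without it answers with a 500 error instead. As an added example, not part of the original posts, here are the same rules written to work on both versions, assuming the host's AllowOverride setting permits these directives in .htaccess and that the file sits in the directory containing config.php:

```apache
# Added example: version-neutral form of the rules suggested in this thread.
# Assumption: AllowOverride permits these directives
# (AuthConfig for Require, Limit for Order/Deny, All for ServerSignature).

# Do not print the server version footer on server-generated pages.
ServerSignature Off

# Refuse every HTTP request for the database credentials file.
<Files "config.php">
    # Apache 2.4 and later: mod_authz_core provides Require.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: fall back to the Order/Deny directives.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Refuse every HTTP request for the .htaccess file itself.
<Files ".htaccess">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

With these rules in place a direct browser request for config.php should return 403 Forbidden. The CMS keeps working because PHP reads the file from disk rather than over HTTP.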
Re: New user New install question
bici wrote #301860:
great tip! wonder why this .htaccess file isn’t added as a default.
Could be because if a server is compromised, then the .htaccess is largely irrelevant, and if a browser or user agent hits config.php then a blank screen is shown.
Re: New user New install question
Makes sense. But I like adding what Colak has suggested. I also added it to my EE sites.