Textpattern CMS support forum
#1 2008-10-31 06:07:48
- mhulse
- Plugin Author
- From: Eugene Oregon
- Registered: 2005-01-21
- Posts: 200
What do you do to secure "/textpattern"?
Hi,
Just curious about best practice for securing the textpattern system folder… What technique do you use?
Is it best to re-name that folder? If so, is there a good tutorial on how to do it?
How ‘bout htaccess… Code example?
Thanks
Micky
Offline
Re: What do you do to secure "/textpattern"?
Just use the password function of the .htaccess file, placed in the /textpattern/ folder. But this needs some thinking about – css.php is inside this folder, so your visitors can “miss” your styles if they are called by the tag txp:css
Providing help in hacking ATM! Come to courses and don’t forget to bring us notebook and hammer! What for notebook? What a kind of hacker you are without notebook?
Offline
Re: What do you do to secure "/textpattern"?
Adding a second password might help.
Last edited by colak (2008-10-31 06:41:27)
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Offline
#4 2008-10-31 07:23:26
- net-carver
- Archived Plugin Author
- Registered: 2006-03-08
- Posts: 1,648
Re: What do you do to secure "/textpattern"?
Micky
Great question. I’d like to see what others are doing. Here’s part of an experimental .htaccess I have on one site and it seems to work…
DirectoryIndex index.php index.html
#Options +FollowSymLinks
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
#RewriteBase /relative/web/path/
#
# Protect specific /textpattern folders by preventing Indexes and webfile access even if
# Options -Indexes isn't allowed.
#
RewriteRule ^textpattern/lang/.* index.php
RewriteRule ^textpattern/tmp/.* index.php
RewriteRule ^textpattern/lib/.* index.php
RewriteRule ^textpattern/include/.* index.php
RewriteRule ^textpattern/publish/.* index.php
RewriteRule ^textpattern/update/.* index.php
#
# Uncomment the following line if you are using cnk_versioning or hcg_templates...
#
#RewriteRule ^textpattern/_templates/.* index.php
#
# Uncomment the following line (adjust the path if needed) if your plugin-cache directory is under your site root...
#
#RewriteRule ^textpattern/plugins/.* index.php
#
# Otherwise, allow access to all existing files...
#
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+) - [PT,L]
#
# But redirect all remaining access attempts to the public index script...
#
RewriteRule ^(.*) index.php
RewriteCond %{HTTP:Authorization} !^$
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
</IfModule>
#php_value register_globals 0
I recommend turning off indexes unless you specifically need them. The .htaccess posted above does this but it might not work on your host if they don’t allow indexing to be turned off in .htaccess files. In that case, an alternative would be to ask your host to turn off indexes on your site in its virtual host file and failing that, just add a simple static index.html or index.php that redirects to the site root into every directory you don’t want Apache to index automatically.
Also make sure that your setup directory has been removed after you install textpattern.
Last edited by net-carver (2008-10-31 07:24:44)
— Steve
Offline
Re: What do you do to secure "/textpattern"?
Ruud gave me this .htaccess a while back:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !textpattern(/setup)?/?$
RewriteCond %{REQUEST_FILENAME} !textpattern/((setup/)?index|css)\.php$
RewriteCond %{REQUEST_FILENAME} !textpattern/textpattern\.(css|js)$
RewriteCond %{REQUEST_FILENAME} !textpattern/txp_img/.+\.(jpg|gif|png)$
RewriteRule ^(.*) - [F]
</IfModule>
Place it in your Textpattern folder.
It works by denying everything except what is needed for normal operation. I haven’t had any issues using it, it’s now a part of any new installation I do.
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
Offline
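A quick way to check what the allowlist in the post above exposes, as an added example that is not part of the original post: the four RewriteCond patterns are replayed in Python against constructed request paths. The document root and the sample file names are assumptions.

```python
import re

# RewriteCond patterns copied from the post above. Each one is negated ("!")
# there and the conditions are ANDed, so the final rule answers 403 ([F])
# only when none of the patterns matches REQUEST_FILENAME.
ALLOW_PATTERNS = [
    r"textpattern(/setup)?/?$",
    r"textpattern/((setup/)?index|css)\.php$",
    r"textpattern/textpattern\.(css|js)$",
    r"textpattern/txp_img/.+\.(jpg|gif|png)$",
]
ALLOW = [re.compile(p) for p in ALLOW_PATTERNS]

# Assumption: document root used to build REQUEST_FILENAME for the samples.
DOCROOT = "/var/www/site"

# Constructed sample requests; the file names are illustrative.
SAMPLE_PATHS = [
    "/textpattern/",
    "/textpattern/index.php",
    "/textpattern/css.php?n=default",
    "/textpattern/textpattern.js",
    "/textpattern/txp_img/logo.png",
    "/textpattern/txp_img/logo.PNG",      # patterns are case-sensitive
    "/textpattern/config.php",
    "/textpattern/lib/constants.php",
    "/textpattern/include/txp_article.php",
    "/textpattern/setup/index.php",       # still allowed by the second pattern
]


def is_forbidden(url_path, docroot=DOCROOT):
    """Return True when the rule set would answer 403 for url_path."""
    # In .htaccess context REQUEST_FILENAME is a filesystem path and does
    # not include the query string.
    filename = docroot + url_path.split("?", 1)[0]
    return not any(p.search(filename) for p in ALLOW)


def audit(paths):
    """Map each request path to the verdict the rule set would give."""
    return {p: ("403" if is_forbidden(p) else "allowed") for p in paths}


if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_PATHS).items():
        print(f"{verdict:8} {path}")
```

The audit shows that setup/index.php stays reachable under this rule set, so removing the setup directory after installation is still needed.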
Re: What do you do to secure "/textpattern"?
Do you mean the actual /textpattern/ folder as opposed to the root Bert?
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
Offline
Re: What do you do to secure "/textpattern"?
thebombsite wrote:
Do you mean the actual /textpattern/ folder as opposed to the root Bert?
I’m no Bert, but yes; you need it only for the /textpattern/ dir. Note that the script can reduce your server’s performance (a lot), but it works :)
Last edited by Gocom (2008-10-31 15:49:58)
Offline
Re: What do you do to secure "/textpattern"?
thebombsite wrote:
Do you mean the actual /textpattern/ folder as opposed to the root Bert?
Yes, right alongside the config.php file.
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
Offline
Re: What do you do to secure "/textpattern"?
OK. Thanks both. :)
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
Offline
Re: What do you do to secure "/textpattern"?
This was added to the wiki a long while ago, Renaming the Textpattern Admin Directory for Added Security. Ed. That link is now obsolete, see revision details.
Last edited by Destry (2008-11-03 22:03:35)
Offline
Re: What do you do to secure "/textpattern"?
The way I do this is rename my textpattern/ folder and then create a section/page called ‘textpattern’ and add <txp:txp_die status="403" />
That way people who know where the Txp folder is by default will be greeted with a Forbidden page :) Simple. Not only that, but most people will be fooled into thinking that you HAVEN’T renamed the folder (meaning they won’t try to guess the new directory); they will just assume that you have blocked access but to certain persons
Here is mine for a quick example: http://simplecandy.com/textpattern/
Last edited by driz (2008-11-03 19:09:43)
~ Cameron
Offline
Re: What do you do to secure "/textpattern"?
driz wrote:
The way I do this is rename my textpattern/ folder and then create a section/page called ‘textpattern’ and add <txp:txp_die status="403" />
That way people who know where the Txp folder is by default will be greeted with a Forbidden page :) Simple. Here is mine for a quick example: http://simplecandy.com/textpattern/
Wouldn’t a 404 be better than a 403?
Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker
Offline