Textpattern CMS support forum
Security Advice
Hello TXP Community
Another bit of advice needed if you can…
Our website host “Media Temple” have recently “upgraded” us to a cPanel service without WHM so it’s a shared service. It no longer has ClamAV installed and barely any security. Apart from making sure all my websites have the most up-to-date version of TXP installed along with strong passwords is there anything else I can do to secure the websites further? They all have SSL certificates installed.
Re: Security Advice
Big ticket items:
- Move the temp dir out of Docroot (Prefs>Admin sub panel).
- Move the /files dir out of Docroot (ditto).
- Ensure you enable .htaccess in the /textpattern/plugins dir. Txp ships with .htaccess-dist so it needs renaming. If you’re using Nginx or another flavour of web server, take a similar approach and clamp down read/write/execute permissions and ownership to that directory as tight as you can.
- Minimize the number of user accounts, especially those with Publisher privs. The fewer accounts, the better, and encourage users to use really good passwords. Any accounts you’re unsure of, or that haven’t logged in for ages, set to None privileges. They can always be reinstated if somebody complains.
- Turn off the Allow PHP in article/pages settings, unless you’re actively using those features.
- In the Advanced options (hidden by default so you need to flick the switch to show them, in the Admin sub panel of Prefs) try setting the Number of extra parser sweeps to 0. You might find pages or plugins that don’t work as well, so you may have to restore it to 1.
- Use smd_user_manager or rah_privileges to alter or reduce permissions to only the bare minimum that each role requires. Or create new roles with custom permissions and assign users to those instead.
- Install smd_prognostics which monitors your filesystem and will alert if anything changes. Not as good as pre-emptive monitoring but at least you’ll be able to spot anything fishy fairly quickly and take action asap.
Last edited by Bloke (2023-03-03 11:37:39)
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
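A small shell audit for the first few items in the list above (files and temp dirs outside the docroot, plugins/.htaccess-dist renamed, plugins dir not world-writable), added here as an example and not code from Textpattern or from the post. It assumes the standard layout with textpattern/plugins under the docroot and takes the three paths as arguments; the prefs-based items (Allow PHP, parser sweeps) live in the database and are not covered.

```shell
#!/bin/sh
# Added example (not Textpattern code): checks a few of the hardening items
# above. Assumes the usual layout with textpattern/plugins under the docroot.
# Usage: txp_audit DOCROOT FILES_DIR TEMP_DIR

# Succeeds (0) when the path in $2 resolves to somewhere inside DOCROOT ($1).
# Returns 1 when it is outside and 2 when either directory does not exist.
inside_docroot() {
  doc=$(cd "$1" 2>/dev/null && pwd -P) || return 2
  tgt=$(cd "$2" 2>/dev/null && pwd -P) || return 2
  case "$tgt/" in
    "$doc"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints one finding per line and returns the number of findings (0 = clean).
txp_audit() {
  docroot=$1 files=$2 tmp=$3 n=0
  if inside_docroot "$docroot" "$files"; then
    echo "files dir is inside the docroot: $files"; n=$((n + 1))
  fi
  if inside_docroot "$docroot" "$tmp"; then
    echo "temp dir is inside the docroot: $tmp"; n=$((n + 1))
  fi
  plugins="$docroot/textpattern/plugins"
  if [ -e "$plugins/.htaccess-dist" ] && [ ! -e "$plugins/.htaccess" ]; then
    echo "plugins/.htaccess-dist has not been renamed to .htaccess"; n=$((n + 1))
  fi
  # -perm -0002: the world-writable bit is set on the plugins dir itself
  if [ -d "$plugins" ] && [ -n "$(find "$plugins" -prune -perm -0002 -print)" ]; then
    echo "plugins dir is world-writable: $plugins"; n=$((n + 1))
  fi
  return "$n"
}
```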
Re: Security Advice
Thank you as always Stef
Re: Security Advice
No worries. I just thought of a couple more so I edited the post.
Re: Security Advice
miles wrote #334881:
Our website host “Media Temple” have recently “upgraded” us to a cPanel service without WHM so it’s a shared service.
Just a heads-up: MediaTemple got gobbled up by GoDaddy a while back. Anecdotally, GoDaddy have a tendency to either asset strip their acquisitions or just turn them into absolute trash technically or customer service-wise. This might be the thin end of the proverbial wedge…
Re: Security Advice
gaekwad wrote #334892:
Just a heads-up: MediaTemple got gobbled up by GoDaddy a while back….. This might be the thin end of the proverbial wedge…
amen to that
…. texted postive
Re: Security Advice
In addition to all the suggestions provided by Stef, consider using some form of CSP (Content Security Policy). For the Public side, see e.g. this post. For the Admin side, for TXP 4.8.8 a strict CSP is quite hard (inline styling and js handlers), but see the same thread for some suggestions. TXP 4.9 offers better support for a strict CSP policy, but the (huge) problem is plugins…
It is not a magic elixir, but it offers additional layers of protection.
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
Re: Security Advice
I am just wondering if there is a tested way of moving the whole textpattern/ directory up one level above the public folder, as is recommended for another CMS I use?
Move the System Directory Above Webroot This is a more advanced procedure that provides even better security, but is not supported in all environments.
Re: Security Advice
Thank you bloke, bici and phiw13 for such important tips. Why aren’t they listed in the System Security documentation?
Re: Security Advice
And also as context-help pop-ups in Admin: Preferences: Admin panel, at least for File directory path (?) and Temporary directory path (?).
Re: Security Advice
Vienuolis wrote #334900:
Why aren’t they listed in the System Security documentation?
They are now ;) Thanks for the nudge.
Vienuolis wrote #334902:
And also as context-help pop-ups in Admin: Preferences: Admin panel, at least for File directory path (?) and Temporary directory path (?).
We could certainly mention this here. Good idea. Leave it with me. Edit: Done.
Last edited by Bloke (2023-03-07 20:39:01)
Re: Security Advice
Nice explanation, I am proud to read that and declaring <meta name=generator content="Hiawatha, Textpattern, Textile"> in all of my publications, thank you very much!