Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
#1 2008-10-31 06:07:48
- mhulse
- Plugin Author
- From: Eugene Oregon
- Registered: 2005-01-21
- Posts: 200
What do you do to secure "/textpattern"?
Hi,
Just curious about best practice for securing the textpattern system folder… What technique do you use?
Is it best to re-name that folder? If so, is there a good tutorial on how to do it?
How ‘bout htaccess… Code example?
Thanks
Micky
Offline
Re: What do you do to secure "/textpattern"?
Just use password funtion of .htaccess file, placed in /textpattern/ folder. But this needs some thinking about – css.php из inside this folder, so, you visitrs can “miss” you styles, if they are called by tag txp:css
Providing help in hacking ATM! Come to courses and don’t forget to bring us notebook and hammer! What for notebook? What a kind of hacker you are without notebok?
Offline
Re: What do you do to secure "/textpattern"?
Adding a second password might help.
Last edited by colak (2008-10-31 06:41:27)
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Online
#4 2008-10-31 07:23:26
- net-carver
- Archived Plugin Author
- Registered: 2006-03-08
- Posts: 1,648
Re: What do you do to secure "/textpattern"?
Micky
Great question. I’d like to see what others are doing. Here’s part of an experimental .htaccess I have on one site and it seems to work…
DirectoryIndex index.php index.html
#Options +FollowSymLinks
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
#RewriteBase /relative/web/path/
#
# Protect specific /textpattern folders by preventing Indexes and webfile access even if
# Options -Indexes isn't allowed.
#
RewriteRule ^textpattern/lang/.* index.php
RewriteRule ^textpattern/tmp/.* index.php
RewriteRule ^textpattern/lib/.* index.php
RewriteRule ^textpattern/include/.* index.php
RewriteRule ^textpattern/publish/.* index.php
RewriteRule ^textpattern/update/.* index.php
#
# Uncomment the following line if you are using cnk_versioning or hcg_templates...
#
#RewriteRule ^textpattern/_templates/.* index.php
#
# Uncomment the following line (adjust the path if needed) if your plugin-cache directory is under your site root...
#
#RewriteRule ^textpattern/plugins/.* index.php
#
# Otherwise, allow access to all existing files...
#
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+) - [PT,L]
#
# But redirect all remaining access attempts to the public index script...
#
RewriteRule ^(.*) index.php
RewriteCond %{HTTP:Authorization} !^$
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
</IfModule>
#php_value register_globals 0
I recommend turning off indexes unless you specifically need them. The .htaccess posted above does this but it might not work on your host if they don’t allow indexing to be turned off in .htaccess files. In that case, an alternative would be to ask your host to turn off indexes on your site in its virtual host file and failing that, just add a simple static index.html or index.php that redirects to the site root into every directory you don’t want Apache to index automatically.
Also make sure that your setup directory has been removed after you install textpattern.
Last edited by net-carver (2008-10-31 07:24:44)
— Steve
Offline
Re: What do you do to secure "/textpattern"?
Ruud gave me this .htaccess a while back:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !textpattern(/setup)?/?$
RewriteCond %{REQUEST_FILENAME} !textpattern/((setup/)?index|css)\.php$
RewriteCond %{REQUEST_FILENAME} !textpattern/textpattern\.(css|js)$
RewriteCond %{REQUEST_FILENAME} !textpattern/txp_img/.+\.(jpg|gif|png)$
RewriteRule ^(.*) - [F]
</IfModule>
Place it in your Textpattern folder.
It works by denying everything except what is needed for normal operation. I haven’t had any issues using it, it’s now a part of any new installation I do.
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
Offline
Re: What do you do to secure "/textpattern"?
Do you mean the actual /textpattern/ folder as opposed to the root Bert?
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
Offline
Re: What do you do to secure "/textpattern"?
thebombsite wrote:
Do you mean the actual /textpattern/ folder as opposed to the root Bert?
I’m no Bert, but yes; You need it only for /textpattern/ dir. Note that the script can reduce your server’s performance (a lot), but it works :)
Last edited by Gocom (2008-10-31 15:49:58)
Offline
Re: What do you do to secure "/textpattern"?
thebombsite wrote:
Do you mean the actual /textpattern/ folder as opposed to the root Bert?
Yes, right alongside the config.php file.
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
Offline
Re: What do you do to secure "/textpattern"?
OK. Thanks both. :)
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
Offline
Re: What do you do to secure "/textpattern"?
[This was added to the wiki a long while ago, Renaming the Textpattern Admin Directory for Added Security. Ed. That link is now obsolete, see revision details.
Last edited by Destry (2008-11-03 22:03:35)
Offline
Re: What do you do to secure "/textpattern"?
The way I do this, is rename my textpattern/ folder and then create a section/page called ‘textpattern’ add <txp:txp_die status=“403” />
That way you people who know where the Txp folder is be default will be greeted with a Forbidden page :) simple. Not only that, but most people will be fooled into thinking that you HAVEN’T renamed the folder (meaning they won’t try to guess the new directory) they will just assume that you have blocked access but to certain person’s
Here is mine for a quick example: http://simplecandy.com/textpattern/
Last edited by driz (2008-11-03 19:09:43)
~ Cameron
Offline
Re: What do you do to secure "/textpattern"?
driz wrote:
The way I do this, is rename my textpattern/ folder and then create a section/page called ‘textpattern’ add <txp:txp_die status=“403” />
That way you people who know where the Txp folder is be default will be greeted with a Forbidden page :) simple.Here is mine for a quick example: http://simplecandy.com/textpattern/
Wouldn’t a 404 be better than a 403?
Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker
Offline