
Textpattern CMS support forum


#1 2023-03-03 10:38:16

miles
Member
From: Plymouth
Registered: 2008-05-22
Posts: 78

Security Advice

Hello TXP Community

Another bit of advice needed if you can…

Our website host “Media Temple” have recently “upgraded” us to a cPanel service without WHM so it’s a shared service. It no longer has ClamAV installed and barely any security. Apart from making sure all my websites have the most up-to-date version of TXP installed along with strong passwords is there anything else I can do to secure the websites further? They all have SSL certificates installed.


#2 2023-03-03 11:25:23

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250

Re: Security Advice

Big ticket items:

  • Move the temp dir out of Docroot (Prefs>Admin sub panel).
  • Move the /files dir out of Docroot (ditto).
  • Ensure you enable .htaccess in the /textpattern/plugins dir. Txp ships with .htaccess-dist so it needs renaming. If you’re using Nginx or another flavour of web server, take a similar approach and clamp down read/write/execute permissions and ownership to that directory as tight as you can.
  • Minimize the number of user accounts, especially those with Publisher privs. The fewer accounts, the better, and encourage users to use really good passwords. Any accounts you’re unsure of or that haven’t logged in for ages, set to None privileges. Can always be reinstated if somebody complains.
  • Turn off the Allow PHP in article/pages settings, unless you’re actively using those features.
  • In the Advanced options (hidden by default so you need to flick the switch to show them, in the Admin sub panel of Prefs) try setting the Number of extra parser sweeps to 0. You might find pages or plugins that don’t work as well, so you may have to restore it to 1.

Optional items:
  • Use smd_user_manager or rah_privileges to alter or reduce permissions to only the bare minimum that each role requires. Or create new roles with custom permissions and assign users to those instead.
  • Install smd_prognostics which monitors your filesystem and will alert if anything changes. Not as good as pre-emptive monitoring but at least you’ll be able to spot anything fishy fairly quickly and take action asap.

Last edited by Bloke (2023-03-03 11:37:39)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

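Editor's note: the filesystem items in the checklist above (the plugins .htaccess, the files and temp directories sitting outside the docroot, permissions on the plugins directory) can be verified from a shell on the host. The script below is an added example, not Textpattern's own code and not part of Bloke's post. It assumes the stock layout with textpattern/plugins under the docroot, and takes the "File directory path" and "Temporary directory path" values from Prefs>Admin as its second and third arguments; with no arguments it builds and audits a constructed demo tree. The function and file names (txp_audit, abc_demo.php) are made up for the example.

```shell
#!/bin/sh
# Added audit helper for the checklist above; not Textpattern's own code.
# Assumes the stock layout (<docroot>/textpattern/plugins) and that the
# "File directory path" and "Temporary directory path" from Prefs>Admin
# are passed as arguments:  sh txp_audit.sh DOCROOT FILESDIR TMPDIR
# With no arguments it audits a constructed demo tree instead.
set -eu

# Prints active | dist-only | missing for the plugins directory's .htaccess.
txp_plugins_htaccess_state() {
  plugins="$1/textpattern/plugins"
  if [ -f "$plugins/.htaccess" ]; then
    echo active
  elif [ -f "$plugins/.htaccess-dist" ]; then
    echo dist-only
  else
    echo missing
  fi
}

# Puts the shipped .htaccess-dist into service by copying it to .htaccess
# (the -dist file is kept for reference). No-op if .htaccess already exists.
txp_enable_plugins_htaccess() {
  plugins="$1/textpattern/plugins"
  if [ ! -f "$plugins/.htaccess" ] && [ -f "$plugins/.htaccess-dist" ]; then
    cp -p "$plugins/.htaccess-dist" "$plugins/.htaccess"
  fi
  txp_plugins_htaccess_state "$1"
}

# True if path $1 is $2 or lies below it (both already normalised).
_under() {
  case "$1/" in
    "$2"/*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Prints inside | outside | nonexistent: does the configured directory sit
# under the docroot? Both logical and symlink-resolved paths are compared,
# so a docroot that is itself a symlink (public_html -> ...) is handled.
txp_path_inside_docroot() {
  d_log=$(cd "$1" && pwd -L)
  d_phy=$(cd "$1" && pwd -P)
  t_log=$(cd "$2" 2>/dev/null && pwd -L) || { echo nonexistent; return 0; }
  t_phy=$(cd "$2" && pwd -P)
  if _under "$t_log" "$d_log" || _under "$t_phy" "$d_phy" \
     || _under "$t_log" "$d_phy" || _under "$t_phy" "$d_log"; then
    echo inside
  else
    echo outside
  fi
}

# Prints how many entries under the plugins directory are world-writable
# (mode bit o+w); the target is 0.
txp_plugins_world_writable_count() {
  find "$1/textpattern/plugins" -perm -002 | wc -l | tr -d ' '
}

# Constructed demo tree, not a real install: plugins dir as shipped (only
# .htaccess-dist), one sloppy 0666 plugin file, files/ still under the
# docroot, tmp/ already moved out. Prints the base directory.
txp_make_demo() {
  base=$(mktemp -d)
  mkdir -p "$base/public_html/textpattern/plugins" "$base/public_html/files" "$base/txp_tmp"
  chmod 0755 "$base/public_html" "$base/public_html/textpattern" "$base/public_html/textpattern/plugins"
  printf '# stand-in for the shipped .htaccess-dist\n' > "$base/public_html/textpattern/plugins/.htaccess-dist"
  chmod 0644 "$base/public_html/textpattern/plugins/.htaccess-dist"
  : > "$base/public_html/textpattern/plugins/abc_demo.php"
  chmod 0666 "$base/public_html/textpattern/plugins/abc_demo.php"
  echo "$base"
}

txp_audit() {
  echo "plugins .htaccess:            $(txp_plugins_htaccess_state "$1")"
  echo "files dir vs docroot:         $(txp_path_inside_docroot "$1" "$2")"
  echo "tmp dir vs docroot:           $(txp_path_inside_docroot "$1" "$3")"
  echo "world-writable under plugins: $(txp_plugins_world_writable_count "$1")"
}

if [ $# -eq 3 ]; then
  txp_audit "$1" "$2" "$3"
elif [ $# -eq 0 ]; then
  demo=$(txp_make_demo)
  txp_audit "$demo/public_html" "$demo/public_html/files" "$demo/txp_tmp"
  rm -rf "$demo"
fi
```

Anything reported as dist-only, inside or non-zero is one of the items from the list above still to do. The script only reads and, in txp_enable_plugins_htaccess, copies one file; the directory moves themselves still have to be made in Prefs>Admin so that Textpattern knows the new paths.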

#3 2023-03-03 11:36:38

miles
Member
From: Plymouth
Registered: 2008-05-22
Posts: 78

Re: Security Advice

Thank you as always Stef


#4 2023-03-03 11:38:20

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250

Re: Security Advice

No worries. I just thought of a couple more so I edited the post.


#5 2023-03-03 18:17:31

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,134

Re: Security Advice

miles wrote #334881:

Our website host “Media Temple” have recently “upgraded” us to a cPanel service without WHM so it’s a shared service.

Just a heads-up: MediaTemple got gobbled up by GoDaddy a while back. Anecdotally, GoDaddy have a tendency to either asset strip their acquisitions or just turn them into absolute trash technically or customer service-wise. This might be the thin end of the proverbial wedge…


#6 2023-03-03 23:56:31

bici
Member
From: vancouver
Registered: 2004-02-24
Posts: 2,072

Re: Security Advice

gaekwad wrote #334892:

Just a heads-up: MediaTemple got gobbled up by GoDaddy a while back….. This might be the thin end of the proverbial wedge…

amen to that


…. texted postive


#7 2023-03-04 00:54:28

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,058

Re: Security Advice

In addition to all the suggestions provided by Stef, consider using some form of CSP (Content Security Policy). For the Public side, see e.g. this post. For the Admin side, for TXP 4.8.8 a strict CSP is quite hard (inline styling and js handlers), but see the same thread for some suggestions. TXP 4.9 offers better support for a strict CSP policy but the (huge) problem is plugins…

It is not a magic elixir, but offers additional layers of protection.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern


#8 2023-03-04 01:43:25

bici
Member
From: vancouver
Registered: 2004-02-24
Posts: 2,072

Re: Security Advice

I am just wondering if there is a tested way of moving the whole textpattern/ directory up one level above the public folder, as is recommended for another CMS I use?

Move the System Directory Above Webroot
This is a more advanced procedure that provides even better security, but is not supported in all environments.

#9 2023-03-04 10:25:20

Vienuolis
Member
From: Vilnius, Lithuania
Registered: 2009-06-14
Posts: 307

Re: Security Advice

Thank you Bloke, bici and phiw13 for such important tips. Why are they not listed in the System Security documentation?


#10 2023-03-04 10:47:38

Vienuolis
Member
From: Vilnius, Lithuania
Registered: 2009-06-14
Posts: 307

Re: Security Advice

And also as a context-help pop-ups in Admin: Preferences: Admin panel, at least for File directory path (?) and Temporary directory path (?).


#11 2023-03-07 20:20:53

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250

Re: Security Advice

Vienuolis wrote #334900:

Why are they not listed in the System Security documentation?

They are now ;) Thanks for the nudge.

Vienuolis wrote #334902:

And also as a context-help pop-ups in Admin: Preferences: Admin panel, at least for File directory path (?) and Temporary directory path (?).

We could certainly mention this here. Good idea. Leave it with me. Edit: Done.

Last edited by Bloke (2023-03-07 20:39:01)


#12 2023-03-09 11:26:24

Vienuolis
Member
From: Vilnius, Lithuania
Registered: 2009-06-14
Posts: 307

Re: Security Advice

Nice explanation, I am proud to read that and to declare <meta name=generator content="Hiawatha, Textpattern, Textile"> in all of my publications, thank you very much!
