Textpattern CMS support forum

#1 2005-12-28 01:44:57

crystaldragon
New Member
Registered: 2005-12-26
Posts: 4

[wiki] Possible error on page re Renaming Admin directory for added security

I am a new user of Textpattern, faithfully learning all I can about maximising the security of the new blog/site I will soon create. I have tried to follow the instructions listed at
http://textpattern.net/wiki/index.php?title=Renaming_the_Textpattern_Admin_Directory_for_Added_Security
but ran into a couple of problems:
1. The css.php file referred to as being in root directory does not exist in the current Textpattern version I’ve installed. The css.php file that does exist in the /textpattern/ directory does not have the textpattern folder name requiring replacement (as indicated in the instructions).
2. After implementing all the other changes described, my instance of Textpattern on my ISP server no longer functioned (I can copy the error message to you here if that would be helpful).
Is anyone else aware of these problems?
Many thanks!
P.S. My ISP does not allow the Global Register Off change to .htaccess file. Nor does it allow password protected directories. What other security related measures should I / could I be taking?

Offline

#2 2005-12-28 09:15:02

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: [wiki] Possible error on page re Renaming Admin directory for added security

Hi crystaldragon,

Welcome to TxP.

Let me offer a couple of things to chew on about that article and maybe someone else can fill in the gaps or correct me. Renaming the textpattern directory probably does very little towards creating a whole lot of site security, and I’ll wager that 95% (or more) of Textpattern’s users, even the developers themselves, don’t rename that directory. Furthermore, that process is an unsupported hack, not only to the code, but as you can see it’s not supported in TextBook either. Why? Because someone took it upon themselves to add that article to TextBook, even though it was probably not a very popular (needed) topic; hence, nobody bothers to support the article, not even the original author, apparently. Personally, I don’t feel that article belongs in TextBook, and now that you’ve brought it to my attention, I’ll probably remove it. That article belongs in somebody’s Weblog somewhere (perhaps the original author’s).

  1. The above probably answered your first issue, but let me add one more thing: Textpattern developers continuously work to make Textpattern secure. You don’t need to go out of your way with hacks to do it on your own; in fact, the developers would probably warn you that you should not, because usually external code and advice works against their good efforts. Stick with the system code as much as possible, and your life will be much easier. Plus you’re likely to get more help when your code actually reflects Textpattern’s real mode of operation. For example, the Diagnostics feature in the admin interface is very important for helping people troubleshoot problems, but if you cripple that feature (and I don’t know if this will or not, but it certainly can’t help) then you make it harder (thus less likely) to get good, quick, help.
  2. If you want to continue to pursue this hack, I personally can’t help you with it, and I’m inclined to think this is not the right forum for it either.

I would recommend you forget about that article completely, and all it has to say. Just install and setup Textpattern like the installation instructions say to do. As for your Web host, maybe you need a new one.

To Everyone Else: Who actually changes the name of their textpattern directory? If this isn’t a popular — or even sensible — topic, I’m taking it out of TextBook. We can’t have users getting confused about crappy documentation. That’s not what documentation is for.

Also, I would recommend that if you have a problem with documentation in TextBook, and you have a wiki account, then your first move is to follow this practice of bringing it to the attention of editors. If the issue is one like this, where the topic may not be relevant for TextBook any longer, then we can open it up here for broader discussion.

Offline

#3 2005-12-28 09:59:13

Sencer
Archived Developer
From: cgn, de
Registered: 2004-03-23
Posts: 1,803
Website

Re: [wiki] Possible error on page re Renaming Admin directory for added security

The biggest and most important thing regarding security: Keeping up with the updates of Textpattern. You can subscribe to the announcement mailing list, or to the weblog RSS-Feed. And once a new maintenance-release is out, you should update as soon as possible.

Offline

#4 2005-12-28 12:23:07

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: [wiki] Possible error on page re Renaming Admin directory for added security

That is direct from a developer himself, crystaldragon, and he basically confirmed everything I said. Hence, consider that article gone (and don’t pursue that hack).

Thanks for the feedback, Sencer.

Offline

#5 2005-12-28 13:45:16

Sencer
Archived Developer
From: cgn, de
Registered: 2004-03-23
Posts: 1,803
Website

Re: [wiki] Possible error on page re Renaming Admin directory for added security

Ah, I had the window open for so long, I didn’t even see your response, Destry. :)

I don’t rename the directory, it’s not renamed on the main install in textpattern.
Currently the dynamic css-files always link to the textpattern directory as well. So if you wanted the renaming to have any benefit at all, you’d also need to stop using built-in css-editor and go with external css files.

While I won’t categorically rule out any benefit of doing that, the drawbacks outweigh the benefits IMHO. We have tried to ensure that no harm can be done by other people having access to that directory.

Offline

#6 2005-12-29 00:04:53

crystaldragon
New Member
Registered: 2005-12-26
Posts: 4

Re: [wiki] Possible error on page re Renaming Admin directory for added security

Dear all,
Many thanks for your thorough and prompt replies! Clearly whoever has authored that part of the Textbook is giving bad advice! Anyway, I will proceed with the unadulterated install of Textpattern, which otherwise has worked nicely. And I will update regularly with the newest versions, as you suggest.
As for my ISP, well, yes I am beginning to realise that they aren’t totally up to scratch.
Thanks again! and happy new year.

Offline

#7 2005-12-30 15:34:27

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: [wiki] Possible error on page re Renaming Admin directory for added security

(referencing from here)

@ David,

Sorry, no offense about the article (I couldn’t remember who wrote it), and maybe I’m a bit hasty, but here’s how it looks to me:

  1. That hack probably isn’t all that popular, and as Sencer pointed out, the efforts are likely not worth the returns.
  2. Textpattern has undergone a few changes since that article was written, and the article itself is not reflective of those changes, causing people like crystaldragon problems that other people have to address because of the state of the article.
  3. Another point of Sencer’s is that using that technique now, as TxP is, forces a site owner to use linked styles. Though this is not bad, naturally, it’s not what Textpattern’s core is intended to do.

In reflection of all that, I have to wonder if the article is what we really want to be saying in TextBook, since TextBook is the “authoritative” source and all (next to the FAQ).

Now, I may have been a bit quick to remove it, and I can certainly restore it if you simply wanted to get the text for your own use (Weblog, maybe?), but unless someone pipes in with convincing thoughts contrary to those already brought to light with respect to practical value, well…

I’m not trying to play iron glove here, just trying to improve the information, and sometimes that means weeding things out.

A practice that is loosely getting tread for TextBook, for example, and which probably should have been made clear from the beginning, is to propose an article for addition (unless you’re one of the four TxP developers), and let the community discuss it a bit for soundness, rather than adding any ol’ thing off the cuff. In any case, let’s consider this article back on the podium for discussion. I’ll be the first to say I don’t always make the right decisions, even when I try. ;)

EDIT: Oh, one more thing. You originally named your page with all lower case words. That’s another thing we don’t do in TextBook. It takes effort to write reasonably well and be tidy about it, I know, but there’s a reason we need to do it.

I’ve restored the page in the wiki Renaming Textpattern Admin Directory for Added Security (which I retitled, by the way), but I’m not linking it up in the main page until it’s proven it should be there.

Offline

#8 2005-12-31 09:07:43

David_1cog
Member
From: Bristol, England
Registered: 2004-09-09
Posts: 58
Website

Re: [wiki] Possible error on page re Renaming Admin directory for added security

@ Destry

Your response does appear a little officious to me. That doesn’t make me inclined to contribute to the wiki – concerns about editorial control / style of the wiki have been discussed elsewhere, at length … so I’ll just add my voice of concern to the list. I’m quite capable of writing “reasonably well and be tidy about it” – if I’m missing some subtlety of Textbook contribution, I just need it pointed out, thanks.

“… nobody bothers to support the article, not even the original author, apparently”. Although that ignores the whole concept of a community wiki, I’d have been happy to update if necessary or requested.

With regard this ‘hack’, it does provide an extra level of security (if used with external CSS) – if they can’t find your admin login page, they can’t attempt a login. I choose secure passwords, but many users insist on using their wife / dog / football team. That’s part of my motivation in providing a non-standard login location.

I can understand why this article should not be contained in the flow of ‘recommended’ use, but I think it could be found a home on the wiki somewhere, with suitable disclaimers.

P.S. Happy New Year everyone! :)


David @ 1 Cog
“Follow the shoe!” … “No, follow the gourd!”

Offline

#9 2005-12-31 12:34:05

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: [wiki] Possible error on page re Renaming Admin directory for added security

Unfortunately, this is the potential position one gets in when trying to coordinate anything, like TextBook for example. No matter what you do, or what recommendations you make, there is always going to be some opinions to the contrary. Some people want less guideline control, others need more. Damned if you do, damned if you don’t. That’s the way it goes.

What I would suggest, if you don’t think it’s too “officious”, is provide some more information in that article so it’s more robustly clear that it’s not standard practice, and also add (for the reader’s benefit and understanding) some of the good reasons (already pointed out) why someone might NOT want to use it. I’m sure crystaldragon was simply thinking that it was what one was supposed to do, when in fact that is not really the case, and combined with the fact the info was outdated, she was quite confused when it didn’t work with her version release.

Sorry if I hurt your feelings. I appreciate your contributions, and admittedly, I don’t always play patty cake well. All contributions to TextBook are good and welcome, but they can be good ones or bad ones, and even good ones don’t stay good over time, you have to keep them up. If it’s a topic of popular subject matter, that article will likely get edited by more people more easily, and the initial author doesn’t have to worry about too much, but if it’s an oddball topic like this, it tends to go south more easily (becoming obsolete) and so the original writer has to be a little more diligent about things. Basic content upkeep and evolution, that’s all it is.

EDIT…to Everyone: Yes, many rants have been made about TextBook’s “editing” layer. I try and take them seriously, and do something about it, but it takes other people too. TextBook isn’t a graffiti wall; a wiki, like any body of documentation, needs editing control, if anyone thinks it doesn’t, they’re seriously confused. In any case, if you have thoughts about recommendations, guidelines, standard practice, whatever…give it here.

EDIT2: The article in question is now added back…still outdated, but it now has enough collaborative markers to show it needs revised.

Offline

#10 2006-01-03 14:29:06

David_1cog
Member
From: Bristol, England
Registered: 2004-09-09
Posts: 58
Website

Re: [wiki] Possible error on page re Renaming Admin directory for added security

Destry

First, an apology – the tone of my post was aggressive without that being my intention. I was running out of the house at the time, so rushed it. Sorry.

“Damned if you do …”. Absolutely. I admire your courage for taking the job on!

I’ll update the article for 4.0.3 shortly.


David @ 1 Cog
“Follow the shoe!” … “No, follow the gourd!”

Offline

#11 2006-07-10 23:20:15

daveh
Member
From: Bristol, UK
Registered: 2006-06-24
Posts: 33
Website

Re: [wiki] Possible error on page re Renaming Admin directory for added security

David_1cog, et al, I did a similar thing with TxP 4.0.3 and I’ve posted my notes below. I don’t have a Wiki account, but feel free to use this to update your existing page. My reason for the change was more one of aesthetics than security, but whatever floats your boat.

<hr>
Renaming the Textpattern ‘Admin’ Directory

Overview
This is a modification to Textpattern’s core files with the objective of renaming the /textpattern/ directory.

‘The Process’ below gives an example for renaming the folder to ‘admin’.

Important Considerations
Although doing this may suit your needs, it is not in the normal flow of Textpattern upkeep. I.e., this is a modification you’ll have to continually maintain on your own.

These notes are for version 4.0.3 of Textpattern. Expect them to be different for newer versions.

The Process

1. Extract Textpattern .zip file to local folder (eg. c:\tp)
2. Rename ‘c:\tp\textpattern’ folder to ‘c:\tp\admin’

3. Edit c:\tp\index.php
a. Change line 19 to be: <code>include './admin/config.php';</code>

4. Edit c:\tp\admin\include\txp_admin.php
a. Change line 168 to be: <code>gTxt('log_in_at').' '.hu.'admin/index.php';</code>
b. Change line 183 to be: <code>gTxt('log_in_at').' '.hu.'admin/index.php';</code>

5. Edit c:\tp\admin\include\txp_tag.php
a. Change line 7 to be: <code><link rel="stylesheet" href="/admin/textpattern.css" type="text/css" /></code>

6. Edit c:\tp\admin\publish\taghandlers.php
a. Change line 37 to be: <code>if ($n) return hu.'admin/css.php?n='.$n;</code>
b. Change line 38 to be: <code>return hu.'admin/css.php?s='.$s;</code>

7. Edit c:\tp\admin\publish\comment.php
a. Change line 492 to be: <code>$out .= hu.'admin/?event=discuss&step=discuss_edit&discussid='.$discussid."\r\n";</code>

Note: Below are all the files in which the /textpattern/ filepath is mentioned. Only the ones mentioned above are strictly in need of changing.

C:\Inetpub\wwwroot\tp\textpattern\setup\index.php – 8 occurrences (including header comment)
C:\Inetpub\wwwroot\tp\textpattern\setup\en-gb.php – 4 occurrences
C:\Inetpub\wwwroot\tp\textpattern\include\txp_admin.php – 3 occurrences
C:\Inetpub\wwwroot\tp\textpattern\include\txp_prefs.php – 3 occurrences
C:\Inetpub\wwwroot\tp\textpattern\publish\taghandlers.php – 3 occurrences
C:\Inetpub\wwwroot\tp\textpattern\setup\txpsql.php – 3 occurrences
C:\Inetpub\wwwroot\tp\index.php – 2 occurrences
C:\Inetpub\wwwroot\tp\textpattern\include\txp_tag.php – 2 occurrences
C:\Inetpub\wwwroot\tp\textpattern\publish\comment.php – 2 occurrences
C:\Inetpub\wwwroot\tp\textpattern\update\_to_4.0.2.php – 2 occurrences

<hr>

Dave


—————
Dave-H

Offline
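
Sencer's point in #5 applies to step 6 of the process above: the dynamic stylesheet URL still sits under the renamed directory, so every public page names it unless external CSS files are used. The following is an added example, not part of any post in this thread or of Textpattern's code; it checks rendered HTML from your own site for that disclosure. The function name and the two sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs
import posixpath

# Constructed sample pages (not taken from a real site).
RENAMED_WITH_DYNAMIC_CSS = """<html><head>
<link rel="stylesheet" href="http://example.com/admin/css.php?n=default" type="text/css" />
</head><body>hello</body></html>"""

RENAMED_WITH_EXTERNAL_CSS = """<html><head>
<link rel="stylesheet" href="/styles/site.css" type="text/css" />
</head><body>hello</body></html>"""


class _StylesheetLinks(HTMLParser):
    """Collects the href of every <link rel="stylesheet"> in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" in rel and a.get("href"):
            self.hrefs.append(a["href"])


def disclosed_admin_dirs(html):
    """Return the directory names a public page reveals via css.php links.

    Hypothetical helper: matches the css.php?n=... and css.php?s=... URL
    forms shown in steps 6a and 6b of the process above.
    """
    parser = _StylesheetLinks()
    parser.feed(html)
    found = set()
    for href in parser.hrefs:
        parts = urlsplit(href)
        directory, filename = posixpath.split(parts.path)
        query = parse_qs(parts.query)
        if filename == "css.php" and ("n" in query or "s" in query):
            name = posixpath.basename(directory)
            if name:  # css.php served from the site root names no directory
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    print(disclosed_admin_dirs(RENAMED_WITH_DYNAMIC_CSS))
    print(disclosed_admin_dirs(RENAMED_WITH_EXTERNAL_CSS))
```
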

#12 2006-07-11 09:22:51

David_1cog
Member
From: Bristol, England
Registered: 2004-09-09
Posts: 58
Website

Re: [wiki] Possible error on page re Renaming Admin directory for added security

Thanks, Dave.

I’ve updated the wiki – http://textpattern.net/wiki/index.php?title=Renaming_the_Textpattern_Admin_Directory_for_Added_Security. Let me know if anything is amiss.


David @ 1 Cog
“Follow the shoe!” … “No, follow the gourd!”

Offline
