
Enhancing CMS Made Simple Security

  • 27-01-2009 5:07pm
    #1
    Registered Users Posts: 9,383 ✭✭✭


    Forbairt advised starting my own thread and there seem to be quite a few CMS-MS users here.

    So has anyone any suggestions on improving its security?


Comments

  • Registered Users Posts: 6,511 ✭✭✭daymobrew


    Check out the suggestions on the CMSMS wiki.


  • Closed Accounts Posts: 30 codecrunchers


    Have you put .htaccess files in /tmp, /uploads and the root?
    These are NB, especially dependent on your hosting co.
    Also, if you can turn off write permissions, try restricted permissions.
    Make sure you are using the latest version.
    Make /modules read only.
    Remove any tags that give away CMSMS version signatures...


  • Closed Accounts Posts: 30 codecrunchers


    Oh yeah, rename /admin to something else and change the default username from admin to something different...


  • Registered Users Posts: 3,594 ✭✭✭forbairt


    Rename your admin folder (means updating your config file)

    Dump a .htpasswd onto this as well

    Restrict all logins to https (either get yourself a free cert or whatever it'll only be you using it)

    Lock down all your permissions config.php .. tmp folders ...

    Wait a few days before updating to the latest versions (bugs seem to creep into the initial releases) ... then make sure you're keeping up to date with the patches / plugins / modules


  • Registered Users Posts: 9,383 ✭✭✭S.M.B.


    Thanks for the replies folks,

    "have you put .htaccess files in /tmp /uploads and the root"
    I'm a bit new to .htaccess files. I've only used them before to block anyone outside a network from accessing pages.

    What commands should I include in these files?

    "Make /modules read only."
    This removed all module functionality of my site. I have to leave the folder as executable, do I not?

    "Dump a .htpasswd onto this as well"
    Not sure what this involves either.

    "Lock down all your permissions config.php .. tmp folders ..."
    config.php is currently 644 while the tmp/new admin folders are 755. Should I change these?
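
An added example, not part of any post in this thread: a read-only shell check of the points raised above (.htaccess files in tmp/ and uploads/, the admin folder name, write bits on config.php and under modules/). It assumes Apache with per-directory .htaccess files; the function names and the optional admin-directory argument are made up for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of a CMSMS web root (Apache + .htaccess assumed).
# tmp, uploads, modules, admin and config.php are named in the thread;
# the function names and the optional admin-directory argument are made up here.

# Print the path if it is group- or world-writable.
loose() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

note() { echo "FINDING: $*"; findings=$((findings + 1)); }

# audit_cmsms ROOT [ADMIN_DIR]: one line per finding, returns the finding count.
audit_cmsms() {
    root=$1
    admin=${2:-admin}
    findings=0

    # config.php holds the database settings.
    if [ ! -f "$root/config.php" ]; then
        note "config.php is missing"
    elif [ -n "$(loose "$root/config.php")" ]; then
        note "config.php is writable by group or others"
    fi

    # tmp/ and uploads/ are where the thread suggests .htaccess files.
    for d in tmp uploads; do
        [ -d "$root/$d" ] || continue
        [ -f "$root/$d/.htaccess" ] || note "$d/ has no .htaccess"
    done

    # Admin folder: renamed, and with an .htaccess to hold the password rule.
    if [ "$admin" = admin ] && [ -d "$root/admin" ]; then
        note "admin/ still has its default name"
    fi
    if [ -d "$root/$admin" ] && [ ! -f "$root/$admin/.htaccess" ]; then
        note "$admin/ has no .htaccess"
    fi

    # modules/ keeps its read and execute bits; only world-write bits are flagged.
    if [ -d "$root/modules" ]; then
        n=$(find "$root/modules" ! -type l -perm -002 | wc -l | tr -d ' ')
        [ "$n" -eq 0 ] || note "$n world-writable path(s) under modules/"
    fi
    return "$findings"
}

if [ "$#" -gt 0 ]; then audit_cmsms "$@"; fi
```

Modes of 644 on config.php and 755 on the directories pass the write-bit checks here, since neither grants write access to group or others.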


  • Registered Users Posts: 9,383 ✭✭✭S.M.B.


    I somehow managed to delete my config.php file and now everything's in a mess.

    :(


  • Registered Users Posts: 3,594 ✭✭✭forbairt


    not being able to access it does make it pretty secure :D

    Lesson .. play with local version / backup files / backup database


  • Registered Users Posts: 9,383 ✭✭✭S.M.B.


    new config.php file up and running

    backing everything up as i post this

    lesson learned

    :pac:


  • Registered Users Posts: 3,594 ✭✭✭forbairt


    S.M.B. wrote: »
    new config.php file up and running

    backing everything up as i post this

    lesson learned

    :pac:

    we've all been there at some stage :) though just the config file going missing isn't the end of the world :) (Also depending on who you're hosting with it may be possible to get it back from their backups if they offer them)


  • Registered Users Posts: 9,383 ✭✭✭S.M.B.


    I tried manually changing a config file from another site but was having no luck. I ended up just re-installing everything.

    Turns out all I had left out the first time was the database prefix.

    :rolleyes:


  • Closed Accounts Posts: 30 codecrunchers


    Hi,
    Sorry to hear you had so much trouble. Most of the info you need is available at the link daymobrew provided in his first mail.

    If you're new to this stuff then you should definitely look at having a staging server or even a sub-domain, e.g. demo.mysite.com, with a copy of the live site. Make all your changes there and only copy across when you know it's working. The sub-domain approach (on the same hosting server) will guarantee that you are using the same hardware/software and may save you running into some tricky problems.

