My problem is that if I type my domain without any slashes, it shows the complete folder and file structure, so we can say it is not really secure. I've managed to encrypt the folders, but not the main domain. In the cPanel I dont't find where can I make it secure, and invisible. Please don't devalue me for this question, I'm new.
If you want to prevent users from viewing the directory listing, you should select the no indexing option in cpanel. See this link for more information: http://www.inmotionhosting.com/support/edu/cpanel/remove-index-listing.
You can also password protect your domain using .htaccess and .htpasswd
Related
Update:
Since this question was asked Joomla StackExchange has been setup and the same questions exists there please add any answers or comments to that question
Original:
I am using Joomla 3.0.3 for a fairly big new client, security is a must. I therefore decided to try change the Administrator URL, normally
example.com/administrator
changed to
example.com/newadminurl
Reason being if the folders aren't where potential hackers expect that is the first hurdle before they can even try anything else.
However that has now meant whenever I go to the new URL it brings up a 403 error. I have tried searching if there is a global config setting I need to change but can't find anything on the web or Joomla site. Anyone know how to change this deep down in the source code?
Step 1. Create a new directory in your root directory (eg. "newadminurl")
Step 2. Create an index.php file in your "newadminurl " directory..
$admin_cookie_code="3429020892";
setcookie("JoomlaAdminSession",$admin_cookie_code,0,"/");
header("Location: /administrator/index.php");
?>
Step 3. Add this to .htaccess of your real Joomla administrator directory
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/administrator
RewriteCond %{HTTP_COOKIE} !JoomlaAdminSession=3429020892
RewriteRule .* - [L,F]
Explanation:
Now, you need to open "http://yoursite.com/newadminurl/" before you open your “administrator” path. Here we have created a cookie that expires at the end of the session and redirect to actual administration page. Your actual “administrator”path is inaccessible until you don’t open on your secret link .
I hope this is what you were looking for.
While there are hacks around that do this, they introduce new security issues as the Joomla! core isn't built to work this way.
In fact the it is common practice both in the core and in 3rd Party extensions and templates to load models, controllers and other assets from /administrator.
The best practise is to secure your site is:
Keep your Joomla! installation up-to-date (the most common cause is outdated installs)
Don't hack core files, if you need extra functionality duplicate the core component and extend that, not the core.
Add a realm password /administrator
A secret word on the /administrator url e.g. /administrator/?s3cr3tpa55w0rd
An ip whitelist that only allows on select IP addresses to access /administrator
Use unique and strong passwords
Don't share passwords even with your significant other...
Enact a password policy on your site.
Keep a tested and regular site backup in an off-server storage location.
Run a file scanner to help you detect a hack so that you're aware of where your last good back was taken.
You can find extensions that do one or several of these things for you in the Access & Security section of the Joomla! Extension Directory (JED), and for integrated backup to cloud or other storage you can't go past Akeeba Backup (and personally for the tiny fee compared to the cost of my time we always go with the Pro versions).
In fact Akeeba's Admin Tools Pro (included in any of their subscriptions) also provides most of the features on that list through it's WAF (web application firewall). The only area not covered is Password Management of which there are several solutions available.
There might be all sorts of dependencies in the core and in third party extension that will hard code the admin path, even though there are platform variables to assist this.
I would recommend that you instead configure your .htaccess to prevent public viewing of your administrator folder and restrict access only to approved IP addresses. This will prevent them from accessing the admin folders, but of course will not protect against attacks which do not require direct access (e.g., some third party app that calls code in an admin folder for the component from the front end).
Note: This goes in the .htaccess file in your administrator folder not the .htaccess in the site root, i.e. [siteroot]/administrator/.htaccess
Here is an example of the .htaccess you may configure:
ErrorDocument 403 http://www.your-ip-is-not-allowed-to-access-this-section.com
Order deny,allow
Deny from all
Allow from X.X.X.X
Where X.X.X.X. if the IP address you want to allow to the admin section. You can specify multiple addresses with multiple Allow from X.X.X.X lines.
I need to upload to my server a high sensitive data file to be used by PHP scripts. Please, tell me what's the most secure way and why:
Putting it in a folder not under www root
Putting it under www root but denying access with .htaccess rule
Thank you very much
If you have ftp/sftp/ssh access to this server, there's no reason not to put it outside of the www document root. If you have a hosting service that only grants you access to the www document root, then you'll have to go with the second solution, but the first is much more secure.
Htaccess can be bypassed if there is a vulnerable script on your site. There are tools that, if placed correctly, files inside the document root and be uploaded by a remote attacker or even replaced. For example, there are php "remote file managers" that allows a remote attacker to change permissions, edit, or replace existing files, including your htaccess file. If you're running a site like Wordpress, or some other CMS, that aren't exactly super secure by themselves, that have a lot of third party plugins, those plugins could be vulnerable to attacks, and if you happen to be using one, your htaccess file's access restrictions could be bypassed.
When the sensitive information is outside of the document root, an attacker who has access to the document root won't be able to access these files and vulnerabilities in your scripts are a lot less likely to affect access to these files. There most likely needs to be a system level exploit to be able to gain access to files outside of the docuement root.
I have yet another .htaccess question, simple for you, not so much for me.
Let's say my main site is found at http://domain.com. I do all of my pre-release testing at sandbox.domain.com and sandbox.domain.co. I just realized that Google has gone ahead and indexed my sandbox sites... Ugggh!
The document root folder on my Apache server with the live site is always called ALIVE, and in order to make my sandbox contents live I quickly rename the folders, ie ALIVE->OLDx, SANDBOX->ALIVE.
My goal is to prevent indexers and users from accessing my sandbox pages. I am trying to design a .htaccess file for document root that only allows my ip address when accessed from a sandbox subdomain (sandbox.domain.com), otherwise it allows everyone when accessed from the main domain (domain.com). This would eliminate the process of remembering to update the .htaccess file each time I release a new site.
This doesn't seem too difficult, but I haven't been able to find the right combination. Any pointers in the right direction will be much appreciated!
Create a .htaccess inside each folder (like sandbox):
order deny,allow
deny from all
allow from YOUR IP HERE
I have a folder that contains log files. They're not super critical, but I don't want total strangers looking through them. I'd like to put a password on that one folder. The folder and its contents are served straight up from IIS, so I'm not looking for a coding solution.
With Apache I'd use a .htaccess file.
With IIS it's possible to use multiple Web.config files at various levels to control this kind of thing.
So, what goes in the Web.config file that allows me to require a password when accessing this folder?
I'm happy for the password to pop up in a dialog like old-school websites used to do (not sure what this is called -- I think it is digest authentication) and so avoid any loginUrl redirection stuff
I'm happy to put the password in the Web.config file in plain text if it's easier
The application is internet facing and running on shared hosting, so I don't have much control over the box beyond what I can configure in Web.config.
You can achieve this using the <location path="..."/> element of web.config file.
Check this link for step-by-step instructions..
Here is my problem. I have one page www.example.com which I don't want to be publicly accessible, so I want to have it behind some kind login.
The problem is that I also have www.example.com/api which I need to be publicly accessible.
Do you have any ideas how to achieve this?
Best regards,
Mladjo
.htaccess (or the <DIRECTORY> directive) applies to the directory you put it in (.htaccess) or the directory you specify (<DIRECTORY> directive), and all sub-directories below that one. If you have a specific file that you wish to control access on, put it in its own directory one level deeper than your web-root directory, and apply your access restriction to that path and its subdirs only.