Security questions - Printable Version +- GetSimple Support Forum (http://get-simple.info/forums) +-- Forum: GetSimple (http://get-simple.info/forums/forumdisplay.php?fid=3) +--- Forum: General Questions and Problems (http://get-simple.info/forums/forumdisplay.php?fid=16) +--- Thread: Security questions (/showthread.php?tid=3115) |
Security questions - rnuk - 2012-04-25 Hi all, I'm just getting started using GetSimple and I like it so far. I'm used to Joomla and a little Drupal, so I'm not a noob when it comes to CMS, but I do have some questions about increasing security. My joomla sites I host on a dedicated server where I can control security pretty well. However I want to host a couple of GetSimple sites on a shared hosting account I have where the host doesn't allow all features of .htaccess. The last time I used this shared hosting account to run a Joomla site, a few years ago, it was hacked in a month and turned into a porn portal. I certainly don't want that to happen again! So my question is how important is .htaccess in security of GetSimple? I see the root .htaccess blocks access to all xml files except sitemap. Can I simply change the permissions of the data directory to 750 (block all public) instead? I've tested this and GetSimple seems to still work fine. The website healthcheck throws up a lot of "0750 Not Writable" errors for the data directory, but in reality I can still edit and add pages. This is actually how I run my joomla sites as well - as long as the webserver unix user (www-data or apache) can access and edit files, there doesn't need to be public access for anything other than essential php files. Are there any other directories or files I should block access to in the same way? Or any other security tips from people using GetSimple in the wild? Is what I'm doing here a bad idea for any reason? Thanks very much! Security questions - ccagle8 - 2012-04-25 that should be an OK alternative. We aren't saying that our .htaccess solution is the only or best way, but it does work just fine. Security questions - rnuk - 2012-04-26 Good news, thanks! Security questions - Mark Nielsen - 2012-08-09 My server is set up so Apache/PHP runs with the permissions of the file owner. This means directories are created 0750 and files 0640. Get Simple's health-check warns that none of the directories are writeable - which isn't true. Permissions are 0750, and that is perfectly writeable for Get Simple, which other than the warnings works just fine. Is it possible for the health-check page to check permissions in a cleverer way? I.e. Checking that it can actually write something, rather than looking only at the permissions classes and making assumptions about how permissions are configured on the server? Security questions - shawn_a - 2012-08-09 I will be adding an actual write test to health check probably, but that to detect file system read only issues, not file permissions. I think health check is also checking 755, which as you say is overkill for write privs, I am not very familirar with perm bitmasks though. I also have some pretty strict htaccess entries for my uploads folder, like no code execution etc. RE: Security questions - cmscss - 2012-10-31 (2012-08-09, 22:41:01)shawn_a Wrote: I also have some pretty strict htaccess entries for my uploads folder, like no code execution etc. Could you please be more specific? If it's possible please paste the content here. (Even with sensitive data modified if you need so.) Thanks RE: Security questions - shawn_a - 2012-10-31 Not really but you can find some information here. http://journalxtra.com/websiteadvice/wordpress-security-hardening-htaccess-rules-4025/ http://stackoverflow.com/questions/5010205/how-to-protect-files-in-upload-folder-being-executed RE: Security questions - cmscss - 2012-10-31 (2012-10-31, 06:20:37)shawn_a Wrote: Not really but you can find some information here. Thanks, first link is interesting. |