Security Guide
Permalink
Are there any available specific security guides/best practices for locking down Concrete5 CMS? I noticed a few for wordpress including some suggestions in the software itself, but we are inheriting a partner site built upon Concrete5 and need to verify security of the CMS aspects of the site.
Which version are you using?
5.6
C5 is already a pretty secure CMS but there are a few things you can do to avoid trouble.
- Uninstall and remove from your server any packages you are not really using
- Make sure the site is connected to the community so you get updates when (if) they come out for both the core and packages
- remove all user accounts that are not in use (leftover accounts from previous managers for instance)
- Look for HTML5 boilerplate in Github and implement everything from their .htaccess file that improves security (stuff for stopping the server from giving away too much information for instance)
- If not already done, modify your header to not show C5 version number
- if C5 is loaded from the updates folder, modify the folder's name to not give away the version number and modify the config/updates.php file to reflect the change
- Check your chmod values to make sure your files are not accessible to everybody
- have a SSL certificate and switch to https
- Uninstall and remove from your server any packages you are not really using
- Make sure the site is connected to the community so you get updates when (if) they come out for both the core and packages
- remove all user accounts that are not in use (leftover accounts from previous managers for instance)
- Look for HTML5 boilerplate in Github and implement everything from their .htaccess file that improves security (stuff for stopping the server from giving away too much information for instance)
- If not already done, modify your header to not show C5 version number
- if C5 is loaded from the updates folder, modify the folder's name to not give away the version number and modify the config/updates.php file to reflect the change
- Check your chmod values to make sure your files are not accessible to everybody
- have a SSL certificate and switch to https
>- Check your chmod values to make sure your files are not accessible to everybody
how can this be done? Can you provide some pointers how to check this, and what chmod value would represent everyone access to the files?
Is there a default chmod value, and by default is that everyone access to the files if they knew the path?
how can this be done? Can you provide some pointers how to check this, and what chmod value would represent everyone access to the files?
Is there a default chmod value, and by default is that everyone access to the files if they knew the path?
chmod values are number such as 755 or 644. Each corresponds to a particular way of setting permissions on files and folders on your server.
You can do that from your host's file manager, usually accessible through cPanel. You will have an option to set permissions.
You can also do that from an FTP client that you would use to access your files and folders on the server.
The values you should use are explained here:https://documentation.concrete5.org/developers/installation/installa...
Most (good) hosts will have a tutorial on their website explaining how to do this kind of thing using their interface.
You can do that from your host's file manager, usually accessible through cPanel. You will have an option to set permissions.
You can also do that from an FTP client that you would use to access your files and folders on the server.
The values you should use are explained here:https://documentation.concrete5.org/developers/installation/installa...
Most (good) hosts will have a tutorial on their website explaining how to do this kind of thing using their interface.