Security Practice¶
Basic Security Practices¶
Phspark is not responsible for securing your website, so it is up to you to ensure your server's level of safety. The following suggestions aim to improve your Phspark site's security.
These additional steps can be taken immediately after Phspark is installed on your server, or whenever your site becomes active. See Installation [http://docs.phspark.com/en-gb/installation/] for more information on how to install your Phspark site.
Delete the install folder¶
Deleting the install folder is advised by Phspark immediately after installation. Phspark will warn you in the administration if the install folder is not deleted.
Directory protection¶
Backend folder¶
The backend directory is where you access your site's administration. Anyone with access to the administration can edit your user accounts, customer information, settings, and other valuable information. It is therefore very important that the backend login be difficult to find and access.
Rename backend¶
Renaming the backend directory to something unrelated to the backend is necessary to prevent unwanted eyes from discovering its location. You can access your backend login by entering your site's location followed by the path to the backend. For example, if the backend folder was changed to "cookiemonster", the backend login would be at "www.yoursite.com/cookiemonster". You will also need to update the backend/config.php file (or, in the example, the cookiemonster/config.php file), replacing instances of "backend" with the new name, e.g., "cookiemonster". Note that doing this may make life more difficult down the line, such as if you decide to install vQmod.
.htaccess & .htpasswd¶
A .htaccess and .htpasswd file in the backend folder will prevent attackers from accessing your site administration, even if they discover the backend login location. Using .htaccess, you can deny all IP addresses from viewing the backend except the address you administer it from. A .htpasswd in the backend folder will require an additional password before the allowed administrator can access this directory.
Frontend¶
The frontend can be protected with the traditional .htaccess file. Using FilesMatch lets you protect only the important file types for your site, such as .php and .txt, rather than every file. The following code can be used in the .htaccess of your frontend folder:
<FilesMatch "\.(php|twig|txt)$">
Order Deny,Allow
Deny from all
# replace 203.0.113.10 with the address you administer the site from
Allow from 203.0.113.10
</FilesMatch>
This denies access to all .php, .twig, and .txt files from every address except the one allowed. Note that Order, Deny and Allow are Apache 2.2 directives; Apache 2.4 replaces them with Require ip unless mod_access_compat is loaded.
System folder¶
The system folder contains two files that need to be protected: logs/error.txt and startup.php. The logs/error.txt can be renamed if necessary.
.htaccess¶
The .htaccess will protect these files and the subfolders of system from being accessed by anyone except the designated administrator. To do so, insert the code below into your .htaccess:
# "*" matches every file in this directory and its subfolders
<Files *>
Order Deny,Allow
Deny from all
# replace 203.0.113.10 with the address you administer the site from
Allow from 203.0.113.10
</Files>
File permissions¶
The following files should be set to 644 or 444 so that no one but their owner can write to them:
config.php
index.php
backend/config.php
backend/index.php
system/startup.php
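The checks on this page (install folder deleted, backend .htaccess present, the files above not writable by anyone but their owner) can be verified from the shell. The following audit script is an added example, not part of Phspark; it assumes a POSIX shell on the web server and takes the web root and, optionally, the renamed backend folder as arguments.

```shell
#!/bin/sh
# Added audit script, not part of Phspark: checks the items this page lists
# (install folder deleted, backend .htaccess present, protected files not
# writable by group or others). Usage: sh audit.sh /path/to/webroot [backend_dir]

# Returns 0 when the file exists and is neither group- nor world-writable
# (e.g. 644 or 444), 1 otherwise. Parses the ls -l mode string (columns 6
# and 9 are the group and other write bits), which works on GNU and BSD alike.
file_not_writable_by_others() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        "")                  return 1 ;;   # file missing or unreadable
        ?????w*|????????w*)  return 1 ;;   # group- or world-writable
        *)                   return 0 ;;
    esac
}

# Audits one Phspark web root. $1 is the web root, $2 the backend folder name
# (defaults to "backend"; pass the renamed folder, e.g. cookiemonster).
# Prints one line per finding and returns the number of findings (0 = clean).
audit_phspark_root() {
    root=$1
    backend=${2:-backend}
    findings=0
    if [ -d "$root/install" ]; then
        echo "FINDING: $root/install still exists; delete it after installation"
        findings=$((findings + 1))
    fi
    if [ ! -f "$root/$backend/.htaccess" ]; then
        echo "FINDING: $root/$backend/.htaccess is missing; backend has no IP restriction"
        findings=$((findings + 1))
    fi
    for rel in config.php index.php "$backend/config.php" "$backend/index.php" system/startup.php; do
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            echo "FINDING: $f is missing"
            findings=$((findings + 1))
        elif ! file_not_writable_by_others "$f"; then
            echo "FINDING: $f is writable by group or others; run: chmod 644 $f"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Only run the audit when a web root is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_phspark_root "$1" "$2"
fi
```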