Basic Security Practices
GrandCMS is not responsible for securing your website; it is up to you to ensure your server's level of safety. The following suggestions aim to improve your GrandCMS site's security.
These additional steps can be taken immediately after GrandCMS is installed on your server, or whenever your site goes live. See Installation for more information on how to install your GrandCMS site.
Delete the install folder
GrandCMS advises deleting the install folder immediately after installation. GrandCMS will warn you in the administration if the install folder has not been deleted.
Directory protection
Admin folder
The admin directory is where you access your site's administration. Anyone with access to your site administration can edit your information, user information, site settings, and other valuable information. Therefore, it is very important that the admin login be difficult to find and access.
Rename admin
Renaming the admin directory to something unrelated to the admin is necessary to prevent unwanted eyes from discovering its location. You can access your admin login by entering your site's address followed by the path to the admin. For example, if the admin folder was renamed to "mist", the admin login would be at "www.yoursite.com/mist".
.htaccess & .htpasswd
A .htaccess and .htpasswd file in the admin folder will prevent hackers from accessing your site, even if they discover the admin login location. Using .htaccess, you can deny all IP addresses from viewing your site, except the admin's IP address. A .htpasswd in the admin folder will require an additional password for the allowed administrator to access this directory.
Content
The content can be protected with the traditional .htaccess file. Using FilesMatch is useful for protecting important file types for the site, such as tpl and log, rather than all of them. The following code can be used for .htaccess in your catalog folder:
# Apache 2.2 access-control syntax: on Apache 2.4 the Order/Deny/Allow
# directives below require mod_access_compat to be loaded
<FilesMatch "(?i)((\.tpl|\.ini|\.log|(?<!robots)\.txt))">
Order Deny,Allow
Deny from all
Allow from "your ip address"
</FilesMatch>
This will deny access to all template (tpl), ini, log, and txt files (except robots.txt) to everyone but the listed IP address.
System folder
The system folder contains some files that need to be protected: logs/error.log, logs/ocmod.log and startup.php. The logs/error.log file can be renamed if necessary.
.htaccess
The .htaccess will protect these files and the subfolders of system from being accessed by anyone except the designated administrator. To do so, insert the code below into your .htaccess:
# Apache 2.2 syntax (needs mod_access_compat on Apache 2.4); matches every
# file in system/ and its subfolders
<Files *.*>
Order Deny,Allow
Deny from all
Allow from "your ip address"
</Files>
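The two .htaccess files described above (the admin folder's IP allow-list plus .htpasswd password, and the system folder's IP restriction) written out by a small script, as an added example that is not a GrandCMS file. It uses the Apache 2.4 Require directives rather than the 2.2 Order/Deny/Allow form shown on this page. The renamed admin folder "mist", the address 203.0.113.10 and the password file path /etc/grandcms/.htpasswd are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: generates the .htaccess files described above for the renamed
# admin folder and the system folder. Not a GrandCMS file. Uses the Apache 2.4
# "Require" directives; the Order/Deny/Allow lines shown elsewhere on this page
# are the Apache 2.2 form and only work on 2.4 with mod_access_compat loaded.
#
# Assumptions (constructed for this example): the admin folder has been
# renamed to "mist", the administrator's address is 203.0.113.10, and the
# password file lives at /etc/grandcms/.htpasswd (outside the document root,
# so the web server can never serve it). Create that file with the Apache tool,
# which prompts for the password:
#     htpasswd -cB /etc/grandcms/.htpasswd adminuser    # -B selects bcrypt

# write_admin_htaccess ADMIN_DIR ALLOWED_IP PASSWD_FILE
# Visitors must come from ALLOWED_IP *and* present valid credentials.
write_admin_htaccess() {
    local admin_dir="$1" allowed_ip="$2" passwd_file="$3"
    cat > "$admin_dir/.htaccess" <<EOF
# Administration folder: IP allow-list combined with HTTP Basic auth
AuthType Basic
AuthName "GrandCMS administration"
AuthUserFile $passwd_file
<RequireAll>
    Require ip $allowed_ip
    Require valid-user
</RequireAll>
# Never serve the password file even if it is placed inside this folder
<Files ".htpasswd">
    Require all denied
</Files>
EOF
}

# write_system_htaccess SYSTEM_DIR ALLOWED_IP
# Every file under system/ (startup.php, logs/...) is served only to ALLOWED_IP;
# with a Require present, Apache 2.4 denies all other clients.
write_system_htaccess() {
    local system_dir="$1" allowed_ip="$2"
    cat > "$system_dir/.htaccess" <<EOF
# System folder: deny everyone except the designated administrator
<Files "*">
    Require ip $allowed_ip
</Files>
EOF
}

# Demonstration on a constructed temporary tree; point the functions at the
# real folders on your server instead.
demo=$(mktemp -d)
mkdir -p "$demo/mist" "$demo/system"
write_admin_htaccess "$demo/mist" 203.0.113.10 /etc/grandcms/.htpasswd
write_system_htaccess "$demo/system" 203.0.113.10
cat "$demo/mist/.htaccess" "$demo/system/.htaccess"
rm -rf "$demo"
```

The RequireAll block is the point: with only Require ip, anyone on the allowed address (a shared office NAT, for instance) reaches the login page, and with only Require valid-user the password prompt is exposed to the whole internet. Combining both means an attacker needs the administrator's network position and the .htpasswd credential. Note that htpasswd -c overwrites an existing file; drop -c when adding a second user.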
File permissions
The following files need to be set to 644 or 444 to prevent anyone else from writing to them:
- config.php
- index.php
- admin/config.php
- admin/index.php
- system/startup.php
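The checks this page lists (install folder removed, admin folder renamed, an .htaccess that denies by default in the admin and system folders, and 644/444 permissions on the files above) gathered into one audit script, as an added example that is not GrandCMS code. It assumes the directory layout used on this page and a Linux or BSD host with stat(1); the fixture tree it builds at the end is constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: post-install hardening audit for a GrandCMS document root.
# Not GrandCMS code. Checks the items listed on this page and prints one
# "FAIL:" line per finding. Assumes the page's layout (config.php, index.php,
# <admin>/config.php, <admin>/index.php, system/startup.php).

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_grandcms ROOT [ADMIN_DIR_NAME]
# Returns the number of findings (0 means every check passed).
audit_grandcms() {
    local root="$1" admin="${2:-admin}" findings=0
    local f d perm

    # 1. The install folder must be gone after setup.
    if [ -d "$root/install" ]; then
        echo "FAIL: $root/install still exists; delete it after installation"
        findings=$((findings + 1))
    fi

    # 2. The admin folder should no longer use its default, guessable name.
    if [ "$admin" = "admin" ] && [ -d "$root/admin" ]; then
        echo "FAIL: admin folder still uses the default name 'admin'"
        findings=$((findings + 1))
    fi

    # 3. admin/ and system/ need an .htaccess that denies by default
    #    (heuristic: accepts the Apache 2.2 or 2.4 form of the directive).
    for d in "$root/$admin" "$root/system"; do
        if [ ! -f "$d/.htaccess" ]; then
            echo "FAIL: $d/.htaccess missing"
            findings=$((findings + 1))
        elif ! grep -Eqi '^[[:space:]]*(Deny from all|Require all denied|Require ip)' "$d/.htaccess"; then
            echo "FAIL: $d/.htaccess does not deny access by default"
            findings=$((findings + 1))
        fi
    done

    # 4. Listed files must be 644 or 444 (nobody but the owner may write,
    #    and with 444 not even the owner).
    for f in config.php index.php "$admin/config.php" "$admin/index.php" system/startup.php; do
        if [ ! -f "$root/$f" ]; then
            echo "FAIL: $root/$f not found"
            findings=$((findings + 1))
            continue
        fi
        perm=$(perm_of "$root/$f")
        case "$perm" in
            644|444) ;;
            *)  echo "FAIL: $root/$f has mode $perm (expected 644 or 444)"
                findings=$((findings + 1)) ;;
        esac
    done

    echo "audit finished: $findings finding(s)"
    return "$findings"
}

# Demonstration on a constructed temporary tree that violates every check;
# run audit_grandcms against the real document root in practice.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/install" "$demo_root/admin" "$demo_root/system"
for f in config.php index.php admin/config.php admin/index.php system/startup.php; do
    : > "$demo_root/$f"
    chmod 666 "$demo_root/$f"
done
audit_grandcms "$demo_root" admin || true
rm -rf "$demo_root"
```

Pass the renamed admin folder as the second argument (for example mist); the script does not try to discover it, because a site where the name can be discovered is exactly what the renaming step is meant to avoid. The return code is the finding count, so the function drops straight into a cron job or deployment pipeline that fails on non-zero.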