[[security]]
 
Trace: » joomla_importer » security
You are here: start » security
Table of Contents

Security

This documents addresses issues of securing your Vivvo installation more tightly than default installation does. It is recommended for everyone looking for an extra bit of security (who said “paranoid” ?!). Overall, out of the box Vivvo installation is pretty secure. But that doesn't mean you should ignore tightening up security even further.

Security Disclosures

If you find a security issue with Vivvo, please contact Vivvo staff in private first at support@vivvo.net email address.

Securing Vivvo's configuration

After installation make sure remove write permission to conf.php file and set it back to read-only (chmod 644 on *nix).

You can additionally secure configuration file (/conf.php in ROOT) by moving the actual configuration file outside the web root folder (one folder up). To do so, you need to copy the conf.php file outside web root (usually called 'public_html', or similar).

After that, on line 11 of your conf file you need change VIVVO_FS_ROOT and instead of: 

define('VIVVO_FS_ROOT', str_replace('\\', '/', realpath(dirname(__FILE__))) . "/");

place full path to your vivvo root folder: 

define('VIVVO_FS_ROOT', '/home/example/public_html/');

When you do, just edit the file that remained in ROOT to contain only this line: 

<?php
     require_once (dirname(__FILE__) . '/../conf.php');
?>

Note that public_html is your web root folder.

As a result, you will have conf.php file in the ROOT pointing to the actual configuration that is outside the web root and not accessible from outside. When you are done with editing conf.php file in ROOT you should change its permissions to 644, or if you are running on host that have suExec or suPHP module installed then you should set file permissions to 600.

Setting file permissions

If you are running on host that is configured to use suPHP or suExec than you can change file permissions for all files to 600, and all folders to 700. This way you are insured that nobody accept you can access this files.

But if you are running on host that don't have suPHP or suExec module installed you will have to set permissions so that user running apache web server can access and read that files, and in a case where is needed for web server to write files you will have to grant write privileges also.

Forcing HTTPS At Login

TODO

Setting Templates/Themes folders to read-only

If you choose not to use web interface for changing layout and look'n'feel of your website, you should change folder permissions so that modification of themes and templates is not possible using the web interface. To do this you should change permissions for /templates and /themes folders, including all sub-folders to 755, and all the files should have permissions 644.

Securing the install directory

The best way to secure the install directory from unauthorized access is to delete it immediately after installation. Alternatively, you can rename it to something else, but we still recommend deleting it.

Disable Debugging output

TODO

 
security.txt · Last modified: 2010/07/28 05:32 by micha
 
Except where otherwise noted, content on this wiki is licensed under the following license:CC Attribution-Noncommercial-Share Alike 3.0 Unported
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki