Keep the files of your Joomla! site secure
First, let's start with the disadvantages of moving the configuration.php file outside of Joomla!'s root. The first and most obvious problem is that if your website has to use Joomla!'s FTP layer to write files on the server, you cannot edit the configuration.php file. That is, you can change the settings in the Global Configuration, but nothing will be written, because Joomla! will not be able to use FTP to write the file.
Worse still, on Joomla! 1.5 sites where the configuration.php file itself is changed to use require() to load the actual file, it is simply not possible to use the Global Configuration. This can be disastrous if, for example, you urgently need to take your site off-line, or if you need to change settings from a device that does not have an FTP client, for example your iPad, just 10 minutes before boarding your flight across the Atlantic.
Category: Web Development | Views: 2051 | Added on July 13, 2013
3 Responses
July 13, 2013
I have to admit back in my 'new to Joomla' days I followed those instructions and moved it. Fast forward a year when I decided to move to a new host and wasted hours trying to figure out why the site wouldn't work. Duh I moved the stupid config file. No doubt it causes far more problems than it's worth. After you get some experience and learn you realize the only thing it is good for is a false sense of security.
July 13, 2013
If someone gets access to the server somehow, having the config file outside public_html is not going to save you. The "only" reason why you should have it outside is if the webserver stops serving dynamic pages (fails to load php) - and all php files are loaded as plain text. It has happened (after upgrades/maintenance of apache.) hopefully it was an SMF forum for private collaboration (so, no big trouble, nothing hacked but changed all passwords etc.).
July 13, 2013
So how does one know if a site is secure enough to prevent config being read?
What I have noticed is that sites with Joomla in root get robot signups, those with joomla in a subdirectory get far less problems with robots! Not quite the same thing.
Virtuemart also recommend putting a folder for invoices outside root but comments in their forum point out it puts server at risk so I keep all my VM site invoices inside root. But I have no idea if they are now readable by anyone.
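
The failure mode raised in the second comment (PHP stops executing and configuration.php is sent as plain text) and the third comment's question of how to tell can both be checked against your own site with a script like the one below. It is an added example, not part of the original post or its comments; the function names, the User-Agent string and the sample bodies are constructed for illustration.

```python
import re
import sys
import urllib.error
import urllib.request

# Strings that reach a browser only when PHP source is sent unexecuted.
# JConfig is the class Joomla! declares in configuration.php; 1.5 declares
# its members with "var", later releases with "public".
SOURCE_MARKERS = [
    re.compile(r"<\?php", re.I),
    re.compile(r"class\s+JConfig\b"),
    re.compile(r"\b(?:var|public)\s+\$(?:password|secret|user|db)\s*="),
]

def classify(status, body):
    """Return (verdict, matched_patterns) for one response to configuration.php."""
    hits = [m.pattern for m in SOURCE_MARKERS if m.search(body)]
    if hits:
        return "leaking", hits          # source served as text: rotate credentials
    if status in (401, 403, 404):
        return "blocked", []            # server refuses to serve the file
    if status == 200 and not body.strip():
        return "executed", []           # PHP ran; the file only declares a class
    return "review", []                 # anything else needs a human look

def fetch(url, timeout=10):
    """GET url and return (status, body); HTTP error statuses are not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "config-leak-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")

# Constructed sample bodies (not captured from a real site).
SAMPLE_LEAK = "<?php\nclass JConfig {\n\tvar $user = 'example';\n\tvar $password = 'example';\n}\n"
SAMPLE_OK = ""
SAMPLE_DENIED = "<html><body><h1>403 Forbidden</h1></body></html>"

if __name__ == "__main__":
    if len(sys.argv) == 2:              # URL of configuration.php on your own site
        print(classify(*fetch(sys.argv[1])))
    else:
        for name, st, body in [("leak", 200, SAMPLE_LEAK), ("ok", 200, SAMPLE_OK),
                               ("denied", 403, SAMPLE_DENIED)]:
            print(name, classify(st, body)[0])
```

The result is a point-in-time check, so it is most useful when re-run after web server or PHP upgrades and maintenance, which is when the second comment says the failure occurred.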