Moving sensitive files outside the web root
From Joomla! Documentation
Revision as of 17:40, 20 October 2010 by Phild (talk | contribs) (→Directions: Rewrote article to properly reflect this core modification. Permission given by jacksun to use info provided by him.)
This article is tagged because it NEEDS REVIEW. You can help the Joomla! Documentation Wiki by contributing to it.
More pages that need help similar to this one are here. NOTE-If you feel the need is satistified, please remove this notice.
while under review, please see this forum topic[edit]
One challenge in Joomla! is ensuring that certain PHP files in public_html (or otherwise known as httpdocs or www depending on your server setup) containing executable code or confidential data are protected from direct Internet access.
There are various ways to protect such files, but most are not optimal. Many users and developer groups, such as Gallery2 and Apache.org strongly recommend against keeping vulnerable files and confidential data inside public_html.
The following method seems to be the simplest and most elegant way to protect read-only files that, for whatever reason, must be stored in public_html. In this example, we protect configuration.php, perhaps the most confidential file of any Joomla! site. Using this method, even if the Web server somehow delivers the contents of PHP files, for example due to a misconfiguration, nobody can see the contents of the real configuration file.
Directions[edit]
WARNING: Do not attempt this procedure unless you understand what you are doing and are willing to possibly break your site while testing. This is not for beginners or inexperienced persons, ensure you have a back up of your site and also of the files you will be modifying before attempting this modification.
1. Create a directory in your domain outside of your public_html directory. You can name it anything you want but it should reflect the site name in some way. We used the name design2-files for the directory name in this example.
Note: If you have multiple Joomla installs then each Joomla install you have should have its own directory outside of public_html to contain its configuration.php file.
2) Place a copy of your current configuration.php file, completely unaltered and NOT renamed into this directory. I have permissions set at 644 on the file in this directory and the directory set to 755 permissions.
3. If your Joomla site is installed in the root of the public_html directory and not in a subdirectory under public_html, then create a new configuration.php file for your joomla install in the public_html directory containing only the following code:
1) Create a directory immediately above your public web directory (which is often public_html). I'll call this directory "configuration" all lower case, quotes aren't part of the directory name.
2) Go to the root/includes/ directory in your Joomla install and open the file defines.php in your favorite editor
3) Around line 26 you will see this:
define('JPATH_CONFIGURATION',JPATH_ROOT);
Replace it with this:
define('JPATH_CONFIGURATION',JPATH_ROOT.DS.'/../design2-files');
If Joomla has been installed in a subdirectory under public_html ( public_html/subdirectory/ ) then replace it with this
('JPATH_CONFIGURATION',JPATH_ROOT.DS.'../../'.DS.'design2-files');
4) Repeat these exact same steps with the same file (defines.php) that is located in the root/administrator/includes/ directory. If you don't do this access to your admin area will be prevented.
5) Go to the root of your installation and rename the configuration.php file to something like somefile.html or whatever while testing the modifications.
6) Using a browser, go to your website and test as many pages as you can to make certain it is working correctly.
7) Delete the old renamed configuration.php file from the root of your Joomla installation
8) Retest your website thoroughly to make sure everything works correctly.
9) Make sure you add the new directory (design2-files) with the configuration.php file in it to your backup job so it doesn't get missed.
10) You can access and modify the Joomla configuration as you would normally from the Joomla administration area. This access will not create a new configuration.php file, but will modify the moved configuration.php file.
NOTE:
The above procedure modifies core files in a Joomla install. Later Joomla upgrades, updates, re-installs etc. may remove these core modifications. Modifying core files may make the Joomla install incompatible with certain extensions.
Contributors & Editing[edit]
Editing and saving/applying[edit]
Warning!! Do not use the Joomla web administrator interface global configuration button to edit the global configuration.
If you need to change configuration settings, do so manually by downloading the relocated joomla.conf file, making the needed edits and uploading it back.
Making edits to the global configuration in the Joomla web administration interface will overwrite the 3 line configuration.php file pointing to the real configuration file with the real configuration.php file contents upon saving or applying the edits. This will undo your efforts to move and protect the configuration.php file by placing it in a directory outside of public_html.