Moving sensitive files outside the web root

From Joomla! Documentation

Revision as of 11:40, 15 July 2012 by Mvangeest (talk | contribs) (The 1.6+ method is not a core hack)
Stop hand nuvola.svg.png
Warning!

Moving the configuration.php from your root of your Joomla installation as described in the procedures below makes no sense at all if your website or server is insufficiently protected. Moving the file only prevents the viewing of the Joomla configuration file by the casual observer. It offers no protection if root access can be been gained to your domain in some fashion, nor does it prevent root access to your domain that is the result of security compromises in Joomla, from 3rd party extensions, or similar insecurities from access gained through badly configured/protected remote or local servers."


One challenge in Joomla! is ensuring that certain PHP files in public_html (or otherwise known as httpdocs or www depending on your server setup) containing executable code or confidential data are protected from direct Internet access.

There are various ways to protect such files, but most are not optimal. Many users and developer groups, such as Gallery2 and Apache.org strongly recommend against keeping vulnerable files and confidential data inside public_html.

The following method is one way to protect the Joomla configuration.php, perhaps the most confidential file of any Joomla! site.

Using the following method, the Joomla configuration.php file does not reside in the public_html directory but resides instead outside of (or above) the public_html directory and is much better protected from the internet access.

WARNING before continuing[edit]

WARNING: Do not attempt this procedure unless you understand what you are doing and are willing to possibly break your site while testing. This is not for beginners or inexperienced persons, ensure you have a back up of your site and also of the files you will be modifying before attempting this modification.

Joomla 1.6, 1.7 and newer Joomla 1.6Joomla 1.7[edit]

Overriding defines.php[edit]

Starting with version 1.6, it is possible to provide a localized version of the files that reside in includes/defines.php (i.e. includes/defines.php and administrator/includes/defines.php). This makes it possible to move a variety of files outside of document root.

The actual process is quite simple, but it is advisable that you make sure you know what you're doing before proceeding.

To start, copy the file {ROOT}/includes/defines.php to {ROOT}/defines.php and the file {ROOT}/administrator/includes/defines.php to {ROOT}/administrator/defines.php.

Once you have copied the files, it is necessary to edit both new files and add the lines:

define('_JDEFINES', 1);

define('JPATH_BASE', dirname(__FILE__));

underneath the defined('_JEXEC') or die; line.

Setting the path to configuration.php[edit]

Now that you have created override files, you can edit them and provide new locations for various directories. The directory we're interested in is JPATH_CONFIGURATION. The default value is defined as: define('JPATH_CONFIGURATION', JPATH_ROOT);

To put the configuration file in another location, move the file to its new home and specify the new path. As an example, if your files were in /home/exampleuser/public_html and you wanted to put configuration.php in /home/exampleuser/configuration.php, you would change the JPATH_CONFIGURATION define line to:

define('JPATH_CONFIGURATION', '/home/exampleuser');

Make this change in both files, move the configuration.php file and you're done.

Other Possibilities[edit]

The configuration.php file isn't the only thing you can move. I have done some amount of testing and was able to successfully move the JPATH_LIBRARIES directory, the JPATH_PLUGINS directory, the JPATH_MANIFESTS directory (which holds the XML manifests for some extensions and for core updates), you can also try moving other folders for which Constants have been defined.

Joomla 1.5 Joomla 1.5[edit]

NOTE: The procedure below modifies core files in a Joomla install. Later Joomla upgrades, updates, re-installs etc. may remove these core modifications. Modifying core files may make the Joomla install incompatible with certain extensions.

Stop hand nuvola.svg.png
Warning!

This is a core hack. Files you change as described on this page will be overwritten during updates of Joomla!. For more information, see Core hack.

1. Create a directory in your domain outside of your public_html directory. You can name it anything you want but it should reflect the site name in some way. We used the name design2-files for the directory name in this example. Note: If you have multiple Joomla installs then each Joomla install you have should have its own directory outside of public_html to contain its configuration.php file.

2) Place a copy of your current configuration.php file, completely unaltered and NOT renamed into this directory. I have permissions set at 644 on the file in this directory and the directory set to 755 permissions. Permissions of 444 on the configuration.php file are also acceptable if that is the current permissions of your configuration.php file.

3) Go to the root/includes/ directory in your Joomla install, backup the file defines.php.

4) Now open the file defines.php in your favorite editor

5) Around line 26 you will see this:

define('JPATH_CONFIGURATION',JPATH_ROOT);

Replace it with this:

define('JPATH_CONFIGURATION',JPATH_ROOT.DS.'../design2-files');

If Joomla has been installed in a subdirectory under public_html ( public_html/subdirectory/ ) then replace it with this

define('JPATH_CONFIGURATION',JPATH_ROOT.DS.'../../'.DS.'design2-files');

NOTE: The /design2-files is our example subdirectory. Replace this with the name of your subdirectory.

6) Repeat these exact same steps with the defines.php file that is located in the root/administrator/includes/ directory. If you don't do this access to your admin area will be prevented.

7) Go to the root of your installation and rename the configuration.php file to something like somefile.html while testing the modifications.

8) Using a browser, go to your website and test as many pages as you can to make certain it is working correctly.

9) When you are satisfied everything is working properly, delete the old renamed configuration.php file from the root of your Joomla installation.

10) Retest your website thoroughly to make sure everything is still working correctly.

11) Make sure you add the new directory (design2-files in our example) with the configuration.php file in it to your backup job so it doesn't get missed.

12) You can access and modify the Joomla configuration as you would normally from the Joomla administration area. This access will not create a new configuration.php file, but will modify the moved configuration.php file.