Where to move Configuration file for safety?

Discussion regarding Joomla! security issues.

shoushan
Joomla! Apprentice
Posts: 43
Joined: Tue Jul 15, 2008 7:25 pm

Where to move Configuration file for safety?

Post by shoushan » Fri Sep 05, 2008 8:11 pm

I have no desire to get hacked!

Where should I move my configuration file to? I understand that all these forums say outside the public_html folder, but does that mean anywhere? Is there a better location for it? And I think I have to rename it or something. Can someone give me a good explanation of how this works?

If I move this file and I need to edit it, how will the paths that use it know where it is? Do I change the permissions of this file?

Any advice would be helpful.

Yes I understand that there are lots of other security steps to take. I just want to take one confusing step at a time.

Cheers

Garza1977
Joomla! Enthusiast
Posts: 143
Joined: Wed Dec 05, 2007 3:24 am
Location: Fernandina Beach, Florida.

Re: Where to move Configuration file for safety?

Post by Garza1977 » Sat Sep 06, 2008 10:43 pm

Hello there,

Well, you can actually move your configuration.php file to anywhere you want, you can even put it on your own computer at home BUT, THAT WILL MAKE YOUR SITE USELESS!!

You NEED to leave the configuration.php file where it is, do not move it, do not rename it.
This file is required by Joomla 100% of the time.
If it has buttons, I want to play with it...

shoushan
Joomla! Apprentice
Posts: 43
Joined: Tue Jul 15, 2008 7:25 pm

Re: Where to move Configuration file for safety?

Post by shoushan » Tue Sep 09, 2008 5:13 pm

This is straight out of the Joomla Administrators Security Checklist. Have you read this? Is this the wrong thing to do? Now I'm really confused. Am I thinking about the wrong file?


Protect directories and files

Increase the security of the critical configuration.php file by moving it outside of the public_html directory.

Ensure that all configurable paths to writable or uploadable directories (document repositories, image galleries, caches) are outside of public_html. Check third party extensions such as DOCMan and Gallery2 for editable paths to writable directories. There is currently no easy way to move the Joomla! /image and /media directories. The best plan is to make sure open_basedir is properly set for all the user accounts on your server. Check with your host if unsure.

wardy83
Joomla! Intern
Posts: 80
Joined: Tue Jul 17, 2007 8:13 am

Re: Where to move Configuration file for safety?

Post by wardy83 » Fri Sep 19, 2008 9:35 am

Yes, Garza is wrong on this... I'm trying to figure it out myself... found this, but it seems pretty old, not sure if it's for 1.5:


One challenge in Joomla! is ensuring that certain PHP files in public_html containing executable code or confidential data are protected from direct Internet access.

There are various ways to protect such files, but most are not optimal. Many users and developer groups, such as Gallery2 and Apache.org strongly recommend against keeping vulnerable files and confidential data inside public_html. The following method seems to be the simplest and most elegant way to protect read-only files that for whatever reason must be stored in public_html. In this example, we protect configuration.php, perhaps the most confidential file of any Joomla! site.

Directions

1. Move configuration.php to a safe directory outside of public_html and rename it whatever you want. We use the name joomla.conf in this example.

2. Create a new configuration.php file containing only the following code:

Code:
<?php
require( dirname( __FILE__ ) . '/../joomla.conf' );
?>



Do not include blank lines above the php start tag "<?php". Such blank lines will trigger the infamous "headers already sent" error, e.g.:

Code:
Warning: Cannot modify header information - headers already sent by (output started at /home/xxxxx/public_html/configuration.php:2) in /home/xxxxx/public_html/index.php on line 250




3. Make sure this new configuration.php is not writable at all, so that it can not be overridden by com_config.

4. If you need to change configuration settings, do it manually in the relocated joomla.conf.

Note: Using this method, even if the Web server somehow delivers the contents of PHP files, for example due to a misconfiguration, nobody can see the contents of the real configuration file.
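A way to check the result of the four steps quoted above, as an added example that is not part of the thread or of the Joomla! documentation. The function name `audit_stub` is hypothetical, and it assumes the stub uses the `dirname( __FILE__ ) . '...'` form of `require` shown in step 2.

```shell
#!/bin/sh
# Audit the stub layout described in the quoted steps (added example).
# Usage: audit_stub /path/to/public_html
# Assumption: the stub's require() is dirname(__FILE__) . '<single-quoted path>'.
audit_stub() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL: no such web root: $1"; return 1; }
    stub="$docroot/configuration.php"
    rc=0

    # The stub must begin with "<?php" at byte 0. A blank line or BOM in front
    # of the tag is sent as output and causes "headers already sent".
    if [ "$(head -c 5 "$stub" 2>/dev/null)" != "<?php" ]; then
        echo "FAIL: $stub does not start with <?php"; rc=1
    fi

    # Step 3: no write bit for owner, group or other, so com_config cannot
    # overwrite the stub. Mode bits are read from ls so the result is the
    # same when the audit runs as root.
    case "$(ls -ld "$stub" 2>/dev/null | cut -c2-10)" in
        *w*) echo "FAIL: $stub is writable"; rc=1 ;;
    esac

    # Steps 1 and 2: resolve the path the stub requires and confirm the real
    # configuration exists and sits outside the web root.
    rel=$(sed -n "s/.*require.*'\([^']*\)'.*/\1/p" "$stub" 2>/dev/null | head -n 1)
    dir=$(cd "$(dirname "$docroot$rel")" 2>/dev/null && pwd -P) || dir=""
    real="$dir/$(basename "$rel")"
    if [ -z "$rel" ] || [ -z "$dir" ] || [ ! -f "$real" ]; then
        echo "FAIL: require target not found"; rc=1
    else
        case "$real" in
            "$docroot"/*) echo "FAIL: $real is still inside the web root"; rc=1 ;;
            *) echo "OK: real configuration is $real" ;;
        esac
    fi
    return $rc
}
```

It returns 0 only when all checks pass, so it can be run after every edit to the relocated file or from a scheduled job.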

Garza1977
Joomla! Enthusiast
Posts: 143
Joined: Wed Dec 05, 2007 3:24 am
Location: Fernandina Beach, Florida.

Re: Where to move Configuration file for safety?

Post by Garza1977 » Fri Sep 19, 2008 2:28 pm

Interesting...

I guess I have missed some of the news!
If it has buttons, I want to play with it...

webdeva
Joomla! Apprentice
Posts: 23
Joined: Thu Sep 08, 2005 3:10 pm

Re: Where to move Configuration file for safety?

Post by webdeva » Tue Nov 24, 2009 12:03 am

I moved my configuration file and cannot remember where I put it! Can someone give me some advice as to how I can find it?

gayfor
Joomla! Apprentice
Posts: 11
Joined: Tue Sep 13, 2011 8:14 am

Re: Where to move Configuration file for safety?

Post by gayfor » Fri Nov 18, 2011 11:30 pm

Refer to this page for instructions on moving sensitive files like configuration.php.

http://docs.joomla.org/Moving_sensitive ... e_web_root

luis23045
Joomla! Explorer
Posts: 459
Joined: Mon Mar 09, 2009 9:54 am
Location: Dallas, TX
Contact:

Re: Where to move Configuration file for safety?

Post by luis23045 » Mon Mar 19, 2012 3:00 am

You don't need to move it anywhere else.

Just make sure that you changed it to 444, and then if you really want to seriously protect your Joomla site, buy this extension.

http://extensions.joomla.org/extensions ... tools/7032

All my Joomla Sites are protected by that tool and sites have never been hacked.

Yes I have been hacked in the past but after that tool it never happened again.
http://cmsteachings.com - Joomla Tips & Tutorials
http://ubrainmedia.com - My Joomla Company
My Joomla advice is my personal experience. It does not mean I am right or wrong. It just means that I work with Joomla in my own way and it works for me.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Where to move Configuration file for safety?

Post by mandville » Mon Mar 19, 2012 9:38 am

Moderator's note:
"Moving the configuration.php from the root of your Joomla installation as described in the procedures below makes no sense at all if your website or server is insufficiently protected. Moving the file only prevents the viewing of the Joomla configuration file by the casual observer. It offers no protection if root access can be gained to your domain in some fashion, nor does it prevent root access to your domain that is the result of security compromises in Joomla, from 3rd party extensions, or similar insecurities from access gained through badly configured/protected remote or local servers."


topic locked
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

