The Joomla! Forum ™

Ok, many may not agree with me as this involves editing 2 core files, but I prefer the protection it gives versus the redirect and it allows me to continue to make changes to the configuration.php file through my normal Joomla interface.

WARNING: Do not attempt this procedure unless you understand what you are doing and are willing to possibly break your site while testing. This is not for beginners or inexperienced persons, ensure you have a back up of your site before attempting.

1) Create a directory immediately above your public web directory (which is often public_html). I'll call this directory "configuration" all lower case, quotes aren't part of the directory name.
2) Place a copy of your current configuration.php file, completely unaltered and NOT renamed into this directory. I have permissions set at 644 on the file in this directory.
3) Go to the /includes directory in the root of your Joomla install and backup the file defines.php
4) Go to the /includes directory in the root of your Joomla install and open the file defines.php in your favorite editor
5) Around line 26 you will see this:

6) Replace it with this
where the second bolded lower case word "configuration" is the CaSE sENsITiVE name of the directory you created in step 1. DO NOT remove spaces, periods, or anything else from this line or it won't work! Also, make certain there are no extra spaces after the last semi colon on the line.
6) Save and upload the file.
7) Repeat these exact same steps with the exact same file (defines.php) that is located in the rootofyourjoomlainstall/administrator/includes/ directory. If you don't do this access to your admin area will be prevented
8 ) Go to the root of your installation and rename the configuration.php file to something like somefile.html or whatever.
9) Go to your website and test as many pages as you can to make certain it is working.
10) Delete the old renamed configuration.php file from the root of your Joomla installation
11) Retest your website thoroughly
11) Make sure you add the new directory with the configuration.php file in it to your backup job so it doesn't get missed.

P.S. If you go more than the level immediately above your web root you need to add slashes and dots like:
or something similar.

WARNING: Do not attempt this procedure unless you understand what you are doing and are willing to possibly break your site while testing. This is not for beginners or inexperienced persons, ensure you have a back up of your site before attempting.

Enjoy!

Any feedback is always welcome.

Cheers,
Wayne

this is one of many ways. not necessarily the "right" way
another way is described here http://docs.joomla.org/Moving_sensitive ... e_web_root

which caries the warning
WARNING: Do not attempt this procedure unless, after reading several times, you understand it. This is not for beginners, ensure you have a back up of your site before attempting.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

mandville: Your post pointing to the wiki page will work for both versions of Joomla. I have tested it.

The 1.5 only version posted by jacksun messing with defines.php I have not had time to test very much yet. It semi-works from what I can tell. When I have time next week I may do more testing.

I can use


or I can use


Either way ( defines code) I can browse a default install frontend fine. When I try logging in to the administrator end it simply redirects back to frontend without ever showing a admin login.

I'm going to say it does not work and not to use it or experiment at your own risk. There is also no documentation on defines.php in the docs. worth looking at.

WARNING: Do not attempt this procedure unless, you understand what you are doing and are willing to possibly break your site while testing. This is not for beginners or inexperienced persons, ensure you have a back up of your site before attempting.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

Hey Phild, you must edit the defines.php in 2 places, one in the root/includes/ directory and one in the root/administrator/includes/ directory. I am running 1.5.15 on several sites with this done without issues.

I do however agree with the warnings:

WARNING: Do not attempt this procedure unless, you understand what you are doing and are willing to possibly break your site while testing. This is not for beginners or inexperienced persons, ensure you have a back up of your site before attempting.

My bad for forgetting it originally, adding it up top now for those who won't scroll far enough down.

Wayne

Guess I didn't see the BOLD part about editing the second place. Must need new glasses

If I have time in a few minutes, I'll give it a quick try and see what happens.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

I really like the explanatation fo RSJoomla! http://www.rsjoomla.com/customer-support/documentations/55-system-check/218-file-and-folder-access-check-checking-if-configurationphp-is-outside-of-public-html.html

Step 1 : Move configuration.php to a safe directory outside of public_html.

Step 2 : You will have to modify the /includes/defines.php and /administrator/includes/defines.php files, more precisely, this constant:
define( 'JPATH_CONFIGURATION', JPATH_ROOT );

If, for example you wish to move the file up one level and into a folder named "test" the constant will look like this:
define( 'JPATH_CONFIGURATION', JPATH_ROOT.DS.'..'.DS.'test' );

Step 3 : Make sure the configuration.php is not writable at all, so that it can not be overridden by com_config.

Step 4 : If you need to change configuration settings, do it manually in the relocated configuration.php.

However, changing the path of configuration.php makes complex changes for extensions such as VirtueMart etc. neccessairy. Therefore I think such maneuvers are not recommended.

@jacksun

I made all the changes this time and yes using

in the proper places (both defines files does work. I have only had time to do a quick test, and have not tested any extensions such as Virtuemart.

In the code above, the path I used was because I have the test site installed in a subdirectory (public_html/subdirectory) and the config file resides in a directory outside of public_html and thus have to step back further to begin with.


@herzwacht
I will have to experiment with the info you provided and certainly see if something can be found to allow extensions such ad Virtuemart to work (path info may be seni-hardcoded in it).

My goal is to have at least the config file outside of public_html within a subdirectory of a directory. if that makes any sense (/directory-outside-public_html/subdirectory1/config.file).

Unfortunately, It will be wed before I have any real time in the schedule.

Interesting though, and maybe a developer will step in and explain some about the defines.php files.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

Have tried both methods for relocating the config.php. The first method described by Jacksun and on the rsfirewall link result in a white screen. The mandville method found in the docs on this site results in the endless login loop for which I've tried several different fixes mentioned in other posts. Not sure what else to do other than leave it in the root with permissions set as low as possible (444) - and I've been that route in the past and would rather not again.

Any thoughts could be helpful and greatly appreciated.

If your getting a white screen or an endless loop you have done something wrong in both cases. Both methods do work fine and will also work with the administrator directory password protected. The defines.php method is the intended method for 1.5.xx sites. The method mandville posted the doc link to is from the 1.0.xx versions but will also work on 1.5.xx versions.

Try turning off SEO if your using that (for testing) and make sure you have set the proper physical path to the location outside of public_html where you put the configuration.php. Don't forget to delete the original configuration.php in the Joomla install.

I always suggest testing on a site that is for testing and not a in production site.

I have been actually using the defines method on a live site for several months without issues.

Difference in the methods is the 1.0.xx version of the mod results in a redirect of the configuration.php file using code that replaces the content of the original config file.. When edited from the back end and saved it will overwrite this configuration.php file negating the redirect.

The defines.php mod tells Joomla where the configuration.php file is located on the server and will not result in any "place holder" redirects being overwritten. this is a better method, though defines will be overwritten by an applied Joomla update if the file is included in an update package.

The defines method is safer IMO because

If you have

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

Yes, PhilD, good call. Went back at it with a clean configuration file and the includes method works. It appears I can't type or my eyes are going bad or both. Made sure those lines were right with a clean config file and it was easy.

Hope this thread helps others.

My probable mistakes for others in the same boat:
- Check your input, all spaces, dots, whatever must be correct.
- Don't use notepad to edit a file. Even though it may look correct, the encoding is/might be wrong.
- Be persistent.

Other hints:
- download a copy of any file before you edit it.
- make sure you're using the right path to your file
- make copious use of the search feature above.

My eyes and fingers sometimes have minds of their own. As in what I think I see and what I think, and what I type are sometimes very different animals. Glad you got it to work.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

going to test now will say if it worked or not

Hi,
What if i have 2 levels ie i have my website on a subfolder of the name of my account

My account/public_html/mywebsite

Thanks in advance

Hi,
problem come when you use AJAX ,JQuery and Mootools Applcation.you need customize all the external ajax now which use jconfig object of configuration.php.
for stand alone application we use general code
require_once("configuration.php");

$jconfig = new JConfig();



$jconfig->host, $jconfig->user, $jconfig->password

do you think we can access them eaisily if we change the path of joomla configuration.php

_________________
abhijeet kurchania
The future depends on what you do today

Being new to Joomla, this security measure is often talked about.
And the warnings of trying it at home alone, are well noted.

Since this seems to be a matter of getting the directories correct. Why is this not part of a standard install? "an option" in the install: "do you want Joomla to create a subfolder to hold the config file, if yes, enter the folder to create and name the "real config" while the "pointer" config file is filed in during the install, basically acting as a traffic cop. then have the install do the work.

It seems like a true security issue, and if the pro's suggest doing it, then why isn't Joomla doing it?
Just curious, fyi I tried this method that Mandville pointed to and got header warnings. the page came up but had three "warnings" so I'm close but no cigar.

I have not tried the first method of playing with the defines.php I have to assume that was part of the problem with the libraries warning?

But I would love to see this as part of an install rather than a leave it up to "me" to find or figure this out.

thinking "outside the box" when I first started using Joomla, 90 days ago, I had the impression, it "works" like a plug and play "not much coding etc..." what I have had to learn, and study is sometimes more advanced than I ever cared to get.

Then "learn php" ? it seems like this being such a big ticket item, for the security of joomla, that the Joomla team would secure this for the novice in the install, but that is simply me thinking out loud.

There are times when I feel good about "learning something new" there are times when, I would rather not. What this topic does to me personally, is show me I have a security problem, that "until I figure it out" will cause me to to lose sleep.

p.s I hate the term "hack" since I hear that and think I'm breaking something.. like breaking joomla. so is this a Hack? or is it security?

Not getting in to things very deep, in general the Web server (on which Joomla runs) can not access anything outside public_html for purposes of creation of the directory, or the creation of the file. Therefore, the method presented is unlikely to ever be included in an Joomla install. It is better to use permissions of 644/755 (though even this causes issues with some hosts) and if more security is wanted, you can usually set the configuration.php and templates file(s) to 400. Other than proper permissions, using a quality host and keeping things updated to their latest releases will go a long way in keeping a website secure.

The link Mandville posted is the right link, but for some reason the info has been presented as php files which is incorrect and will not work. If you look, this was attributed to me in the log, but I don't remember posting it that way, or at least I have no record of posting it that way on my computer. Thanks for reminding me it needs fixing. I will look into getting that done.

You can try

or


The above is one way to make the edits and if you read the posts from myself and jacksun you will see the conversation about what is needed. You must edit the defines.php file and this file occurs in 2 different places, one in the root/includes/ directory and one in the root/administrator/includes/ directory. Both files must be edited in order for this method to work properly. The method is considered an advanced code hack (though easy to do) as it may render issues with a site later or while making the hack. Certain upgrades, reinstalls etc. have the potential to or will overwrite the defines file.

In the code above, the path I used was because I have the test site installed in a subdirectory (public_html/subdirectory) and the config file resides in a directory outside of public_html (design2_files) and thus have to step back further to begin with. Adjust the relative path accordingly

Yes this is a hack -- or modification to an existing code base in order to make the original code base work in a way that better suits your wants or needs. The term 'hack' (and by extension 'hacker') used to be a good term meaning someone who improves the code base in some way or adds a wanted/needed feature, but has since become to mean primarily breaking and entering for purposes of exploitation. People like me use the term both ways which can be confusing --sorry --


As far as learning php, you should be able to do almost everything wanted by using Joomla and extensions. Yes you do need to know some basic html, css, and how to do basic setup on the host of choice, but php is not normally required. It's not hard to pick up the basics, but php knowledge is not required to properly modify the defines.php file. After all it is just a text file.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

The only surprise can occur, when open_basedir is set in php.ini - in this case the frontend does not work properly, return error message. Back-end ok.

I would think then that if one end does not work, then neither end would work. My open_basedir is set and the method works fine.

edit:
FYI

"mandville: Your post pointing to the wiki page will work for both versions of Joomla. I have tested it."

That page (http://docs.joomla.org/Moving_sensitive ... Directions) has undergone several changes since that post was made and does not currently include the other 1.0.xx method that worked for both 1.0.xx and 1.5.xx.

As always, core code hacks may not work "out of the box/or at all" on every server without additional work troubleshooting. That's the reason for the warning at the top of the doc page and another reason why certain modifications may not be officially added to the Joomla core.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

still i don't know how can we get the following parameter if you change the configuration.php path.this security hack is excellent but still for stand alone application we need configuration.php.

_________________
abhijeet kurchania
The future depends on what you do today

Has anybody tested this out on a Virtue Mart site yet? Very interested if there is a successful way to add this additional security.

Would there be configuration or otherwise sensitive files within VirtueMart that might need to be tucked away as well?

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List

I had tested it with an older version and it worked, though I did not test https It is easy enough to try though. The mod basically just gives Joomla the path to the config file.

It wont work with Jms Multi Site for joomla! Version 1.2 as this extension does quite a bit of re configuring of a number of Joomla files including defines.php

It probably won't work with Joomla! Tools Suite as that looks in a specific place ( I have not looked at the current version- may be different?) for the config file before it will run.

@kurchania
Not sure if I read your intent correct. The code you presented looks like an old way. why not use the Joomla api's and methods of access?
I'm not sure if "define( '_JEXEC', 1 );" would satisfy Joomla enough to use JFactory, JDatabase etc. to get the desired info or read the defines.php file to determine where the config file actually resides.
This is a problem (incompatibilities, unintended results) with any core hack and is why core hacks are only recommended for persons who have the experience to work out any issues.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

Hi,
allmost 50% of component and joomla using ajax application use same code to access jquery and mootools application.
i integrate conifguration.php hack of define.php in my website and always found problem in jquery and mootools based application.
always need to replace that code manually and after update again the same thing happens.

that's what my concern is.its better if we give permission of configuration.php to 444 instead of changing it in define.php.

Regards
Abhijeet

_________________
abhijeet kurchania
The future depends on what you do today

True. It is better IMO also, to use a quality host and set the configuration.php and the templates index.php to 444 or 400. Mine are set on the production sites to 400.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

Hi PhilD,
that's what my logic also say.
if your configuration.php permission is 400 or 444 no one can access it.
rsfirewall has its own logic.they want that configuration.php should not be access with the same folder at which joomla is installed.even there tmp and log also should be outside jooomla.
its better if we give some more encryption to configuration.php data like password,ftp user passowrd and account.
what do you think?
Regards

_________________
abhijeet kurchania
The future depends on what you do today

No need for this... In my eyes it`s no problem to set the file to 444 so nobody can acces...
The most important thing why the configuration should be outside of the html directory is the reason when php not corect parses the files, and outputs php code

How often you change your config file on a live site? yeah not very often... and when you can do it by hand in the file also, so the quick and dirty fix, what also the most novice people do understand is:
place the config file outside the html root and write a simple require_once statement to the config in the joomla root

Hello!
I tried the upper mentioned configuration.php file moving process with my 1.5.21. Joomla site, the front-end worked fine, but I couldn't reach the back-end site, always redirected to the "mysite/installation.php", of course I seen a simple 404 message. After that I backup every modify, but unfortunatelly I couldn't reach my back-end site, I see the 404 message with the redirected installation.php path.

How can I solve this action?
Thanks a lot!

Hi,
we also have ot perform same operation in administrator/includes/defines.php
need to define configuration.php there also.

_________________
abhijeet kurchania
The future depends on what you do today

I configured both file:
- file in root/includes
- file in administrator/includes

And this way was wrong the path of back-end.

That means you did not modify, or modified wrong the defines.php file that is in ile in the administrator/includes directory. Both defines files have to be modified correctly for everything to work.

I don't wish to discourage people from attempting these modifications, but do realize this is an advanced modification, which done wrong will make your site or part of your site not work. If you do not know enough to figure out any issues, then please don't try this modification.

This is the reason for the warning

WARNING: Do not attempt this procedure unless, you understand what you are doing and are willing to possibly break your site while testing. This is not for beginners or inexperienced persons, ensure you have a back up of your site before attempting.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

This forum topic is currently linked to from the Joomla Security List in the section on moving sensitive files.

So I have a message for others like myself who try moving the config file.

I setup a test site to practice on.
I followed the description in the security checklist and moved the file and changed the two defines files. All seemed to work fine, from front end and backend. I installed a few extensions to test and then tried one that changes the jos tables prefix.

Error 500. No way I could see back into the site.
I have NEVER had this happen when installing an extension before.

Can only say if the usual message is to backup before installing extensions etc, lets
put it in GIANT CAPITAL LETTERS that if you move the config file backup every single time before you add a new component without fail!