Where to move Configuration file for safety?

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
shoushan
Joomla! Apprentice
Joomla! Apprentice
Posts: 43
Joined: Tue Jul 15, 2008 7:25 pm

Where to move Configuration file for safety?

Postby shoushan » Fri Sep 05, 2008 8:11 pm

I have no desire to get hacked!

Where should I move my configuration file to. I understand that all these forums say outside the public_html folder but does that mean anywhere? anywhere? Is there a better location for it? And I think I have to rename it or something. Can someone give me a good explaination of how this works.

If I move this file and I need to edit it, how will the paths that use it know where it is. Do I change the permissions of this file?

Any advice would be helpful.

Yes I understand that there are lots of other security steps to take. I just want to take one confusing step at a time.

Cheers

User avatar
Garza1977
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 143
Joined: Wed Dec 05, 2007 3:24 am
Location: Fernandina Beach, Florida.

Re: Where to move Configuration file for safety?

Postby Garza1977 » Sat Sep 06, 2008 10:43 pm

Hello there,

Well, you can actually move your configuration.php file to anywhere you want, you can even put it on your own computer at home BUT, THAT WILL MAKE YOUR SITE USELESS!!

You NEED to leave the configuration.php file where it is, do not move it, do not rename it.
This file is required by Joomla 100% of the time.
If it has buttons, I want to play with it...

shoushan
Joomla! Apprentice
Joomla! Apprentice
Posts: 43
Joined: Tue Jul 15, 2008 7:25 pm

Re: Where to move Configuration file for safety?

Postby shoushan » Tue Sep 09, 2008 5:13 pm

This is straight out of the Joomla Administrators Security Checklist. Have you read this? Is this the wrong thing to do? Now I'm really confused. Am I thinking about the wrong file?


Protect directories and files

Increase the security of the critical configuration.php file by moving it outside of the public_html directory.

Ensure that all configurable paths to writable or uploadable directories (document repositories, image galleries, caches) are outside of public_html. Check third party extensions such as DOCMan and Gallery2 for editable paths to writable directories. There is currently no easy way to move the Joomla! /image and /media directories. The best plan is to make sure open_basedir is properly set for all the user accounts on your server. Check with your host if unsure.

wardy83
Joomla! Intern
Joomla! Intern
Posts: 80
Joined: Tue Jul 17, 2007 8:13 am

Re: Where to move Configuration file for safety?

Postby wardy83 » Fri Sep 19, 2008 9:35 am

Yes, Garza is wrong on this... I'm trying to figure it out myself.... found this but seems pretty old not sure if its for 1.5:


One challenge in Joomla! is ensuring that certain PHP files in public_html containing executable code or confidential data are protected from direct Internet access.

There are various ways to protect such files, but most are not optimal. Many users and developer groups, such as Gallery2 and Apache.org strongly recommend against keeping vulnerable files and confidential data inside public_html. The following method seems to be the simplest and most elegant way to protect read-only files that for whatever reason must be stored in public_html. In this example, we protect configuration.php, perhaps the most confidential file of any Joomla! site.

Directions

1. Move configuration.php to a safe directory outside of public_html and rename it whatever you want. We use the name joomla.conf in this example.

2. Create a new configuration.php file containing only the following code:

Code: Select all
<?php
require( dirname( __FILE__ ) . '/../joomla.conf' );
?>



Do not include blank lines above the php start tag "". Such blank lines will trigger the infamous "headers already sent" error. e.g.:

Code: Select all
Warning: Cannot modify header information - headers already sent by (output started at /home/xxxxx/public_html/configuration.php:2) in /home/xxxxx/public_html/index.php on line 250




3. Make sure this new configuration.php is not writable at all, so that it can not be overridden by com_config.

4. If you need to change configuration settings, do it manually in the relocated joomla.conf.

Note: Using this method, even if the Web server somehow delivers the contents of PHP files, for example due to a misconfiguration, nobody can see the contents of the real configuration file.

User avatar
Garza1977
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 143
Joined: Wed Dec 05, 2007 3:24 am
Location: Fernandina Beach, Florida.

Re: Where to move Configuration file for safety?

Postby Garza1977 » Fri Sep 19, 2008 2:28 pm

Interesting...

I guess I have miss some of the news!
If it has buttons, I want to play with it...

webdeva
Joomla! Apprentice
Joomla! Apprentice
Posts: 23
Joined: Thu Sep 08, 2005 3:10 pm

Re: Where to move Configuration file for safety?

Postby webdeva » Tue Nov 24, 2009 12:03 am

I moved my configuration file and can not remember where I put it! Can somoene give me some advice as to how I can find it?

gayfor
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Tue Sep 13, 2011 8:14 am

Re: Where to move Configuration file for safety?

Postby gayfor » Fri Nov 18, 2011 11:30 pm

Refer to this page for instructions on moving sensitive files like configuration.php.

http://docs.joomla.org/Moving_sensitive ... e_web_root

luis23045
Joomla! Explorer
Joomla! Explorer
Posts: 459
Joined: Mon Mar 09, 2009 9:54 am
Location: Dallas, TX
Contact:

Re: Where to move Configuration file for safety?

Postby luis23045 » Mon Mar 19, 2012 3:00 am

You don't need to move it anywhere else.

Just make sure that you changed to 444 and then if you want really seriously protect your Joomla Site buy this extension.

http://extensions.joomla.org/extensions ... tools/7032

All my Joomla Sites are protected by that tool and sites have never been hacked.

Yes I have been hacked in the past but after that tool it never happened again.
http://cmsteachings.com - Joomla Tips & Tutorials
http://ubrainmedia.com - My Joomla Company
My Joomla Advice is my personal experience. It does not means I am right or wrong. It just means that I work with Joomla in my own way and it works for me.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 13704
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Where to move Configuration file for safety?

Postby mandville » Mon Mar 19, 2012 9:38 am

moderators note:
Moving the configuration.php from your root of your Joomla installation as described in the procedures below makes no sense at all if your website or server is insufficiently protected. Moving the file only prevents the viewing of the Joomla configuration file by the casual observer. It offers no protection if root access can be been gained to your domain in some fashion, nor does it prevent root access to your domain that is the result of security compromises in Joomla, from 3rd party extensions, or similar insecurities from access gained through badly configured/protected remote or local servers."


topic locked
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}


Return to “Security - 1.0.x”

Who is online

Users browsing this forum: No registered users and 2 guests