The Joomla! Forum ™



PostPosted: Fri Mar 30, 2012 2:35 am 
Joomla! Intern

Joined: Fri Dec 23, 2011 10:59 pm
Posts: 69
Hi there! I am having some issues securing configuration.php.

I tried to move configuration.php into a different folder as described here:
http://docs.joomla.org/Moving_sensitive ... e_web_root

I did everything as described, but I am only able to access the front end. When I try to access the back end, the browser displays an error while trying to redirect to installation/index.php. Usually that happens when the path isn't listed properly...

I only moved configuration.php to a different folder, added
define('_JDEFINES', 1);
define('JPATH_BASE', dirname(__FILE__));

to both defines.php files, then changed the path and moved them as described in that Joomla article.

Any clue? Is there any other way of making configuration.php inaccessible?

Thank you in advance.


PostPosted: Fri Mar 30, 2012 2:43 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
Moving the configuration.php from your root of your Joomla installation as described in the procedures below makes no sense at all if your website or server is insufficiently protected. Moving the file only prevents the viewing of the Joomla configuration file by the casual observer. It offers no protection if root access can be gained to your domain in some fashion, nor does it prevent root access to your domain that is the result of security compromises in Joomla, from 3rd party extensions, or similar insecurities from access gained through badly configured/protected remote or local servers.

WARNING: Do not attempt this procedure unless you understand what you are doing and are willing to possibly break your site while testing. This is not for beginners or inexperienced persons, ensure you have a back up of your site and also of the files you will be modifying before attempting this modification.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Fri Mar 30, 2012 2:50 am 
Joomla! Intern

Joined: Fri Dec 23, 2011 10:59 pm
Posts: 69
mandville wrote:
Moving the configuration.php from your root of your Joomla installation as described in the procedures below makes no sense at all if your website or server is insufficiently protected. Moving the file only prevents the viewing of the Joomla configuration file by the casual observer. It offers no protection if root access can be gained to your domain in some fashion, nor does it prevent root access to your domain that is the result of security compromises in Joomla, from 3rd party extensions, or similar insecurities from access gained through badly configured/protected remote or local servers.

WARNING: Do not attempt this procedure unless you understand what you are doing and are willing to possibly break your site while testing. This is not for beginners or inexperienced persons, ensure you have a back up of your site and also of the files you will be modifying before attempting this modification.


I saw this generic message posted by you in previous topics. However, I asked a specific question. If you don't know the answer, do not waste your time, please.


PostPosted: Fri Mar 30, 2012 3:10 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
romjoomform wrote:
I saw this generic message posted by you in previous topics. However, I asked a specific question. If you don't know the answer, do not waste your time, please.

You are wasting your time by attempting to do this procedure.
If you had read, fully understood and followed all the procedures, your site would be
1. working
2. still not fully secure
As you have not told us what version of Joomla you are using or anything else.

Those messages are there on that page in big red alert letters for a reason. Perhaps if you read the other topics properly you would see the reason why I reposted those warnings - i.e. to stop you wasting your time attempting a procedure that was a waste of time.
If you do not like the advice I offered you, then I am sure a few other people will provide the same advice worded differently.
/eof

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Fri Mar 30, 2012 3:33 am 
Joomla! Intern

Joined: Fri Dec 23, 2011 10:59 pm
Posts: 69
mandville wrote:
romjoomform wrote:
I saw this generic message posted by you in previous topics. However, I asked a specific question. If you don't know the answer, do not waste your time, please.

You are wasting your time by attempting to do this procedure.
If you had read, fully understood and followed all the procedures, your site would be
1. working
2. still not fully secure
As you have not told us what version of Joomla you are using or anything else.

Those messages are there on that page in big red alert letters for a reason. Perhaps if you read the other topics properly you would see the reason why I reposted those warnings - i.e. to stop you wasting your time attempting a procedure that was a waste of time.
If you do not like the advice I offered you, then I am sure a few other people will provide the same advice worded differently.
/eof


Alright, don't get mad about it... I was able to fix it. The path was the problem, as I mentioned...


PostPosted: Fri Mar 30, 2012 9:37 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
The most effective security measures for your site are detailed in checklist 7 - http://docs.joomla.org/Security_Checklist_7 - and in making your config file 444 on permissions.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Sat Mar 31, 2012 11:40 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
The document actually dates back to the 1.0 versions of Joomla and remains for historical reasons as it was once thought to add some security to a website.

It was pointed out long ago that since the Joomla CMS program can read and write to the configuration.php file when it is located outside of the public_html directory, a simple hack through an insecure extension, out-of-date Joomla installation, or other security-compromised program can also read the file. Thus moving the configuration file provides no real site security and may even decrease security if one thinks moving the file increases security and becomes lax about keeping Joomla, extensions and other programs such as forums on their domain up to date.

Since time usually translates into money, there are more effective solutions and procedures that can be used to increase site security. The biggest being keeping everything up to date, keeping everything backed up, keeping permissions set to no more than 644/755 on files/directories, enabling and using the included htaccess file, and reading (or learning to read) raw site logs for signs of possible security issues.

As mandville pointed out, the checklists are not just for when you get hacked, but contain some very good information on how to keep a site safe and secure.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
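As an added example of the permissions rule in this post (and repeated in the checklist later in the thread), here is a small audit script. It is not code from this thread or from Joomla. It walks a tree and reports every file above 644, every directory above 755, and a configuration.php that is not at 444. The file and directory names in the sample tree it builds when run without an argument are constructed for the demo:

```php
<?php
/*
 * Added example: not code from this thread or from Joomla. It audits a
 * Joomla tree against the rule "no higher than 644 on files and 755 on
 * directories", plus the advice to keep configuration.php at 444.
 *   php audit_perms.php /path/to/public_html
 * With no argument it builds a small constructed tree under the temp
 * directory so the output format can be seen without touching a real site.
 */

// Walk the tree and return one line per finding, sorted for stable output.
function audit_permissions($root)
{
    $root = rtrim($root, '/');
    $findings = array();
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($walker as $path => $info) {
        $mode = $info->getPerms() & 0777;
        $rel  = substr($path, strlen($root) + 1);
        if ($info->isDir()) {
            // 755 is the ceiling for a directory, so any group/other write bit is over it.
            if ($mode & 0022) {
                $findings[] = sprintf('%04o %s/  directory writable by group or other', $mode, $rel);
            }
        } else {
            // 644 is the ceiling for a file: no execute bits, no group/other write.
            if ($mode & 0133) {
                $findings[] = sprintf('%04o %s  file has execute or group/other write bits', $mode, $rel);
            }
            // configuration.php should sit at 444 once the site is set up.
            if (basename($path) === 'configuration.php' && ($mode & 0222)) {
                $findings[] = sprintf('%04o %s  configuration.php is writable, expected 444', $mode, $rel);
            }
        }
    }
    sort($findings);
    return $findings;
}

// Constructed sample tree: an over-open directory, a PHP file that was made
// executable in an upload directory, and a configuration.php still at 644.
function build_sample_tree()
{
    $root = sys_get_temp_dir() . '/jaudit_' . uniqid();
    foreach (array('images' => 0777, 'cache' => 0755) as $dir => $mode) {
        mkdir($root . '/' . $dir, 0755, true);
        chmod($root . '/' . $dir, $mode);
    }
    $files = array('index.php' => 0644, 'configuration.php' => 0644, 'images/upload.php' => 0755);
    foreach ($files as $file => $mode) {
        file_put_contents($root . '/' . $file, "<?php\n");
        chmod($root . '/' . $file, $mode);
    }
    return $root;
}

$root = isset($argv[1]) ? $argv[1] : build_sample_tree();
$findings = audit_permissions($root);
echo $findings ? implode("\n", $findings) . "\n" : "no findings under $root\n";
if (!isset($argv[1])) {
    echo "(constructed sample tree left at $root for inspection)\n";
}
```

On the sample tree it reports images/ at 0777, images/upload.php at 0755 and configuration.php at 0644; index.php and cache/ pass. Joomla rewrites configuration.php itself when Global Configuration is saved, so a 444 file has to be relaxed to 644 for that edit and set back afterwards; the audit will remind you if it was left writable.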


PostPosted: Sun Apr 01, 2012 2:44 am 
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 12065
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
@ Mandville and Phil
Why don't we remove that entry in 'docs' altogether? We all agree that it is useless and does not contribute to anything but getting these kinds of wasteful posts. Suggest removing, "so we do not waste time indeed".

@ romjoomform : Next week Joomla 2.5.4 will be released. After that upgrade your site will probably not work anymore. Prepare a post asking "why is my site not working anymore" and you 'forgot' that you had placed your configuration.php outside the root ...... Oh and that will happen with each release. Oh and uhhh, as a suggestion only, without offense, but you might consider being a little bit more respectful in your replies to people who are kind enough to support you here?

Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


PostPosted: Sun Apr 01, 2012 3:57 am 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
@Leo
Will consider the first point in discussion.

Starting with 1.6, the proper way to make the modification is by defines overrides (a localized version of defines), which Joomla should not be messing with anyway, as the file is not part of the Joomla core.

Joomla core updates to sites do not alter, overwrite, or otherwise remove the configuration.php file, defines override file, or any other non-core file.

Just so everyone reading this thread knows: the configuration.php file is generated upon completion of the initial Joomla install and is also not part of the Joomla core. As with any non-core file, a Joomla update does not know about added files that are not in the core. This is why we always recommend, after being hacked, to delete all files. You don't know what may have been added, and just overwriting core files with a full Joomla install, or by just updating the Joomla install, will not overwrite or replace any non-core files.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
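The two points made in this thread, that the override mechanism is the right way to relocate the file on 1.6 and later, and that relocating it buys nothing against code running inside the site, can be seen in one run. The following is an added example, not code from this thread and not Joomla's own code. It uses Joomla's JPATH_CONFIGURATION only as the name of the constant the defines.php overrides set; the directory layout (public_html, private, a hypothetical components/com_rogue), the JConfig values and the file names are all constructed for the demo:

```php
<?php
/*
 * Added example: not code from this thread, and not Joomla's own code.
 * It builds a throwaway site layout under the system temp directory, puts
 * configuration.php outside the "web root" and chmods it 444 as discussed
 * above, then shows that a file dropped in as a rogue extension reads the
 * database password anyway. It runs as the same user Joomla does, so it can
 * use the JPATH_CONFIGURATION the defines.php override hands to Joomla, or
 * simply walk up the tree when there is no override to consult.
 * Everything here is constructed: the directory names and the JConfig values
 * are placeholders.  Run with the CLI:  php moved_config_demo.php
 */

// Locate configuration.php the way code running inside the site would.
// $knownDir is what JPATH_CONFIGURATION holds on an overridden site; pass
// null to exercise the fallback that needs no help from Joomla at all.
function find_configuration($startDir, $knownDir = null)
{
    if ($knownDir !== null && is_readable($knownDir . '/configuration.php')) {
        return $knownDir . '/configuration.php';
    }
    // Fallback: climb from the extension's directory and look beside and one
    // level below each ancestor; "../private" style moves end up there.
    for ($dir = realpath($startDir); $dir !== false; $dir = dirname($dir)) {
        $candidates = array_merge(array($dir . '/configuration.php'),
                                  glob($dir . '/*/configuration.php') ?: array());
        foreach ($candidates as $file) {
            if (is_readable($file) && strpos(file_get_contents($file), 'class JConfig') !== false) {
                return $file;
            }
        }
        if ($dir === dirname($dir)) {      // reached the filesystem root
            break;
        }
    }
    return null;
}

// Reading the file is one require away; mode 444 governs writes, not reads.
function read_secrets($configFile)
{
    require_once $configFile;
    $config = new JConfig();
    return array('user' => $config->user, 'password' => $config->password, 'secret' => $config->secret);
}

// Remove the throwaway layout afterwards.
function remove_tree($dir)
{
    foreach (array_diff(scandir($dir), array('.', '..')) as $entry) {
        $path = $dir . '/' . $entry;
        is_dir($path) ? remove_tree($path) : unlink($path);
    }
    rmdir($dir);
}

// --- Build the constructed layout ------------------------------------------
$site    = sys_get_temp_dir() . '/jdemo_' . uniqid();
$public  = $site . '/public_html';              // JPATH_BASE for the front end
$rogue   = $public . '/components/com_rogue';   // where a bad extension would live
$private = $site . '/private';                  // outside the web root
foreach (array($rogue, $public . '/administrator', $private) as $dir) {
    mkdir($dir, 0755, true);
}
$sampleConfig = <<<'PHP'
<?php
class JConfig {
    public $host = 'localhost';
    public $user = 'joomla_user';
    public $password = 'placeholder-db-password';   // constructed, not a real credential
    public $db = 'joomla_db';
    public $secret = 'placeholder-secret';
}
PHP;
file_put_contents($private . '/configuration.php', $sampleConfig);
chmod($private . '/configuration.php', 0444);

// --- With the override: the constant gives the location away ---------------
// On a real site this define comes from the root defines.php and the
// administrator/defines.php override (copies of the two includes/defines.php
// files with _JDEFINES and JPATH_BASE added at the top, as in the first post,
// and this one line changed). Both must carry the same absolute path:
// JPATH_BASE is public_html for the front end but public_html/administrator
// for the back end, so a path built relative to it resolves to two different
// directories. When the back end finds no configuration.php at its
// JPATH_CONFIGURATION, Joomla treats the site as uninstalled and redirects to
// installation/index.php, which is the symptom described in the first post.
define('JPATH_CONFIGURATION', $private);
$found = find_configuration($rogue, JPATH_CONFIGURATION);
echo "via JPATH_CONFIGURATION: $found\n";
print_r(read_secrets($found));

// --- Without any override: the directory walk finds it anyway --------------
echo "via directory walk:      " . find_configuration($rogue, null) . "\n";

remove_tree($site);
```

Both lookups print the same path under the temp directory, followed by the placeholder credentials, with the file sitting outside the web root at mode 444 the whole time. Whatever can execute PHP in the site (a vulnerable extension, an uploaded shell) has exactly this access, which is the reason the thread gives for not bothering with the move.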


PostPosted: Sun Apr 08, 2012 12:21 am 
Joomla! Intern

Joined: Fri Dec 23, 2011 10:59 pm
Posts: 69
leolam wrote:
@ Mandville and Phil
Why don't we remove that entry in 'docs' altogether? We all agree that it is useless and does not contribute to anything but getting these kinds of wasteful posts. Suggest removing, "so we do not waste time indeed".

@ romjoomform : Next week Joomla 2.5.4 will be released. After that upgrade your site will probably not work anymore. Prepare a post asking "why is my site not working anymore" and you 'forgot' that you had placed your configuration.php outside the root ...... Oh and that will happen with each release. Oh and uhhh, as a suggestion only, without offense, but you might consider being a little bit more respectful in your replies to people who are kind enough to support you here?

Leo 8)


Hello! Well, I didn't mean to be disrespectful. In fact, I think I am very respectful.
I am not an experienced Joomla user. I just started using it, and that's why I have a lot of questions, and sometimes silly ones. This is exactly why I refer to the Joomla forums and docs. I was just following the steps in the docs and got stuck at some point. Obviously I was looking for some advice...


PostPosted: Sun Apr 08, 2012 4:15 am 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
I think MOST of the posts in the thread are trying to explain that the document is an old one when the average security wisdom or recommendation thought that moving certain files such as the configuration file which contains sensitive info outside of the public_html (publicly accessible area where your site lives) made them safer from prying eyes. Today it is generally understood that if Joomla knows where the file is outside of the public_html directory and can read the file, then it is not any safer from others accessing the information contained within the config file.

Since it is not any safer security-wise to move the file, it is best to just leave it where it is originally generated and installed to. Moving the file properly for the Joomla version used generally will not harm or break anything, but later down the road you may forget where it is, or the people who may take over managing a site may forget. This happens all the time.

Regular updates for security fixes normally won't affect the site in a way as to break the operation of the site if the config file is moved outside of the public_html directory. Replacing all files (after being hacked is one reason to do so) will mean you have to redo the edits on some versions of Joomla. Same goes for the defines override file. If it is deleted for some reason, it will have to be remade. Not the hardest thing, but can be hard to remember to do if your site becomes hacked and you replace all files.

I think you get where I (and mandville) am/are coming from. Spend your time elsewhere making sure the checklists recommendations are followed and learning more about site security in general.

The following are some tips to get started with, but not an extensive list.
The best security is:
to select and use a good host. This host does not necessarily need to be expensive, but shouldn't be dirt cheap either. The most popular hosts may not be the best choice for hosting
to keep the core files up to date
to keep the 3rd party extensions files up to date
to remove old unused 3rd party extensions from the site
to make sure permissions are set to 644/755 NO HIGHER FOR ANY REASON, PERIOD. END OF STORY!!
to make and test regular backups of both the database and the sites files.
to keep a copy of the configuration file in a safe place
to read your site access and error log files on a regular basis
to know what is on your site and domain in general to recognize something strange
to review the security checklist 7 and follow its advice
to review the Vulnerable extensions list (VEL) on a regular basis and update or remove 3rd party extensions versions that appear on the listing.
to review other security checklists to learn more on site security in general.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
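"Read your site access and error log files on a regular basis" is the item both of PhilD's lists end with, and it is the one most people skip because they do not know what to look for. The script below is an added example, not code from this thread or from Joomla. It parses Apache combined-format lines and flags a few patterns a Joomla site never sees from a legitimate visitor. The log lines embedded at the bottom are constructed for the demo (documentation IP ranges, invented paths); the thresholds and directory names are assumptions you would tune for your own site:

```php
<?php
/*
 * Added example: not code from this thread or from Joomla. A first pass at
 * reading the raw access log for signs of trouble. It parses Apache
 * combined-format lines and flags patterns a Joomla site never sees from a
 * legitimate visitor. The log lines at the bottom are constructed for this
 * demo (documentation IP ranges, invented paths).
 *   php scan_access_log.php [access.log]
 */

// Split one combined-format line into the fields we need; null if it does
// not parse (truncated lines, other log formats).
function parse_combined_line($line)
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return array('ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
                 'url' => $m[4], 'status' => (int) $m[5], 'agent' => $m[8]);
}

// Return the reasons one request looks hostile (empty array if none).
function classify_request($r)
{
    $path    = parse_url($r['url'], PHP_URL_PATH);
    $path    = is_string($path) ? $path : $r['url'];
    $decoded = strtolower(rawurldecode($r['url']));
    $hits    = array();

    // 1. The configuration file and editor/backup copies of it. A 200 for
    //    configuration.php itself is just PHP running a script that outputs
    //    nothing; a 200 for configuration.php.bak or configuration.php~ is
    //    the source being served as text, which is the actual disclosure.
    if (preg_match('#/configuration\.php#i', $path)) {
        $hits[] = ($r['status'] === 200 && !preg_match('#/configuration\.php$#i', $path))
            ? 'served a configuration.php backup/editor copy as plain text'
            : 'probe for configuration.php';
    }
    // 2. The installer directory should be gone after install.
    if (strpos($path, '/installation/') === 0) {
        $hits[] = 'request to the leftover installer';
    }
    // 3. PHP executing from a directory that should only hold uploads or caches.
    if ($r['method'] === 'POST' && preg_match('#^/(images|tmp|cache|logs|media)/.*\.php$#i', $path)) {
        $hits[] = 'POST to a PHP file inside an upload/cache directory (webshell?)';
    }
    // 4. Traversal, null bytes or stream wrappers anywhere in the request.
    if (strpos($decoded, '../') !== false || strpos($decoded, 'php://') !== false
        || strpos($decoded, "\0") !== false) {
        $hits[] = 'directory traversal, null byte or stream wrapper in URL';
    }
    return $hits;
}

// Run every line through the classifier and keep a per-IP 404 count: a client
// that collects many 404s is enumerating paths, whatever it asks for.
function analyze_log(array $lines, $notFoundThreshold = 3)
{
    $findings = array();
    $notFound = array();
    foreach ($lines as $n => $line) {
        $r = parse_combined_line($line);
        if ($r === null) {
            continue;
        }
        if ($r['status'] === 404) {
            $notFound[$r['ip']] = isset($notFound[$r['ip']]) ? $notFound[$r['ip']] + 1 : 1;
        }
        foreach (classify_request($r) as $hit) {
            $findings[] = sprintf('line %d  %s  %s %s -> %d  [%s]: %s', $n + 1,
                                  $r['ip'], $r['method'], $r['url'], $r['status'], $r['agent'], $hit);
        }
    }
    foreach ($notFound as $ip => $count) {
        if ($count >= $notFoundThreshold) {
            $findings[] = sprintf('%s  %d responses of 404, looks like path enumeration', $ip, $count);
        }
    }
    return $findings;
}

// Constructed sample in Apache combined format; documentation address ranges only.
$sampleLog = <<<'LOG'
203.0.113.5 - - [08/Apr/2012:03:14:07 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8132 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Apr/2012:03:14:09 +0000] "GET /images/stories/logo.png HTTP/1.1" 200 2210 "http://example.com/" "Mozilla/5.0"
198.51.100.7 - - [08/Apr/2012:03:20:01 +0000] "GET /configuration.php HTTP/1.1" 200 0 "-" "Python-urllib/2.7"
198.51.100.7 - - [08/Apr/2012:03:20:02 +0000] "GET /configuration.php~ HTTP/1.1" 404 213 "-" "Python-urllib/2.7"
198.51.100.7 - - [08/Apr/2012:03:20:03 +0000] "GET /configuration.php.bak HTTP/1.1" 200 1870 "-" "Python-urllib/2.7"
198.51.100.7 - - [08/Apr/2012:03:20:04 +0000] "GET /configuration.php.old HTTP/1.1" 404 213 "-" "Python-urllib/2.7"
198.51.100.7 - - [08/Apr/2012:03:20:05 +0000] "GET /administrator/configuration.php.bak HTTP/1.1" 404 213 "-" "Python-urllib/2.7"
198.51.100.7 - - [08/Apr/2012:03:20:09 +0000] "GET /index.php?option=com_foo&controller=../../../../etc/passwd%00 HTTP/1.1" 200 1402 "-" "Python-urllib/2.7"
198.51.100.7 - - [08/Apr/2012:03:21:40 +0000] "POST /images/stories/sh.php HTTP/1.1" 200 88 "-" "Python-urllib/2.7"
192.0.2.9 - - [08/Apr/2012:03:25:12 +0000] "GET /installation/index.php HTTP/1.1" 404 213 "-" "curl/7.21.0"
LOG;

$lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES) : explode("\n", $sampleLog);
foreach (analyze_log($lines) as $finding) {
    echo $finding, "\n";
}
```

On the sample it reports every request from 198.51.100.7 except none from 203.0.113.5: the probes for configuration.php and its copies, the .bak copy that was actually served, the traversal attempt with a null byte, the POST to a .php file under images/, plus a 404 tally for that client; the leftover-installer request from 192.0.2.9 is flagged too. Run against a real log, the two findings worth acting on first are a 200 on a configuration.php backup copy (the file's contents, database password included, left the server) and any POST to PHP under images/, tmp/ or cache/ (something is already executing there).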


PostPosted: Sun Apr 08, 2012 4:23 am 
Joomla! Intern

Joined: Fri Dec 23, 2011 10:59 pm
Posts: 69
Phil, I really do appreciate your time and all the recommendations. You definitely convinced me not to move the configuration file. Thanks again. I'll follow your guidelines.

Thank you!


PostPosted: Sun Apr 08, 2012 12:04 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
You're welcome.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Wed Apr 18, 2012 1:14 pm 
Joomla! Apprentice

Joined: Mon Jul 13, 2009 7:49 pm
Posts: 6
I was wondering if, were configuration.php IonCubed, it could still be accessed by other scripts.

Can you folks think of any way in which the class "JConfig" in the file could be encrypted to prevent it from being included?

For example:
- Decryption would be possible only by (also IonCubed) framework.php file, which stores token - password for decrypting (not in a readable variable)
- Accessing any property of the JConfig object would require that token passed to JConfig object with magic __get() method.

What do you think about this solution?

I'm just trying to think about a situations where configuration.php is:
- stolen
- accessed by hacker's scripts


Powered by phpBB® Forum Software © phpBB Group