Securing ExpressionEngine 2 by Mark Huot Review

October 27th, 2010

[Image: cover of Securing ExpressionEngine 2 by Mark Huot]

Securing ExpressionEngine 2 by Mark Huot is the first ebooklet from Mijingo, a small company providing training materials for ExpressionEngine run by Ryan Irelan.

At 30 pages it is a pretty quick read, taking only about 20 to 30 minutes from start to finish. That is due in part to the writing itself, which is clear and easy to follow.

The book begins by explaining that securing a website powered by a complex system such as ExpressionEngine is actually a moving target. Mark proposes that “the notion that a completely secure site can be obtained must be forgotten. Absolute security is an unobtainable goal, yet with constant diligence and some proper foresight, it is something to strive for.” And this ebooklet does its very best to ensure that our ExpressionEngine websites are as secure as they can be.

The first section walks you through moving your system directory and templates folder outside the web root so that their files can no longer be requested directly by the public. While I know some developers do this, I think many still see it as a complex and esoteric measure (I know I did before reading this!), but this step alone goes a long way toward securing an ExpressionEngine install, and it is something more developers should start doing.

[Image: moving the system directory outside of the web root]

This section is an expanded version of the article posted by Mark over at EEInsider. Even though this is covered in the documentation, there was clearly room for improvement as can be seen in the comments to the article at EE Insider. Mark speaks in a very clear voice, and the instructions are easy to follow.

It continues by showing how to hide your version control folders (whether Subversion or Git) from public view with a few rewrite rules, so that a request for something like .git/HEAD or .svn/entries is refused rather than served. It then wraps up by discussing many of the security and spam control settings, explaining the default and recommended value for each.
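For readers who want to see what that kind of rule looks like, here is an added example of my own, not taken from the booklet or from ExpressionEngine itself. It assumes an Apache host where .htaccess files are honoured (AllowOverride includes FileInfo) and that mod_rewrite and mod_alias are loaded; the directory names are the usual Git, Subversion and Mercurial metadata folders.

```apache
# Refuse any request that touches a version-control metadata directory,
# whether it appears at the web root or inside a subfolder.
# Returning 404 rather than 403 avoids confirming that the folder exists.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule (^|/)\.(git|svn|hg)(/|$) - [R=404,L]
</IfModule>

# Fallback for hosts without mod_rewrite: mod_alias can do the same job.
<IfModule !mod_rewrite.c>
    RedirectMatch 404 (^|/)\.(git|svn|hg)(/|$)
</IfModule>

# Stray dotfiles such as .gitignore or .gitmodules also leak information;
# refuse them too (directive pair works on both Apache 2.2 and 2.4).
<FilesMatch "^\.(git|svn|hg)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After deploying, verify from outside the server with something like `curl -sI https://example.com/.git/HEAD` (hypothetical host) and confirm you get a 404 or 403 rather than a 200. Two caveats: these rules only work while mod_rewrite or mod_alias is enabled and .htaccess overrides are allowed, so a hosting change can silently switch them off; and they are a second line of defence, not a substitute for keeping the repository metadata out of the document root in the first place, which is the approach the booklet takes with the system and templates folders.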

Even though it was a quick read, there’s a lot of valuable information in here. Being the Technology and Development Director at Happy Cog, Mark clearly has a lot of experience with ExpressionEngine, and this little booklet does a fine job of passing on some of that knowledge.

Filed under Development, ExpressionEngine, Reviews.


2 Responses to “Securing ExpressionEngine 2 by Mark Huot Review”

  1. Andy October 27th, 2010 at 4:08 pm

    Nice concise review Mark,

    One thing that I find with having a system folder outside the root is that it catches out many of the 3rd party developers on the first release of their products. A quick email is all it takes for them to issue a patch, but it would be good if they could trap it first time out of the gate.

    Now off to buy the book myself ;)

    Cheers

    Andy

  2. Tony Geer October 27th, 2010 at 4:10 pm

    Thanks for commenting Andy. I’ll also forgive you for calling me Mark :D
