Being a booklet at 30 pages, it’s a pretty quick read, only taking about 20 to 30 minutes from start to finish. This is also due in part to the fact that it’s very well written, clear and easy to read.
The book begins by explaining that securing a website powered by a complex system such as ExpressionEngine is actually a moving target. Mark proposes that “the notion that a completely secure site can be obtained must be forgotten. Absolute security is an unobtainable goal, yet with constant diligence and some proper foresight, it is something to strive for.” And this ebooklet does its very best to ensure that our ExpressionEngine websites are as secure as they can be.
The first section runs you through moving your system directory and templates folder outside of the root so that the files cannot be accessed by the public. While I know some developers do this, I think many still see it as being a very complex and esoteric measure (I know I did before reading this!), but this step alone will go a long way toward securing your ExpressionEngine install, and is something that more developers should start doing.
This section is an expanded version of the article Mark posted over at EE Insider. Even though the procedure is covered in the official documentation, there was clearly room for improvement, as the comments on the EE Insider article show. Mark speaks in a very clear voice, and the instructions are easy to follow.
The booklet then shows how to hide your version control folders (whether Subversion or Git) from public view using some rewrite rules, and wraps up by walking through many of the security and spam control settings, explaining the default and the recommended value for each.
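As an added illustration of the kind of rule the booklet describes (this is my own example, not the booklet's text), the following Apache configuration refuses any web request that reaches into a `.git` or `.svn` directory. It assumes mod_rewrite is enabled and that the rule lives in the site's `.htaccess` or virtual host; the `RedirectMatch` line is an equivalent for hosts without mod_rewrite.

```apache
# Added example, not from the booklet: keep version-control metadata out of
# public reach. Without this, a request such as /.git/config or /.svn/entries
# can expose repository layout, history and sometimes credentials.
RewriteEngine On

# Match a ".git" or ".svn" path segment anywhere in the request, whether it
# is the first segment (per-directory context strips the leading slash) or a
# nested one, and answer with 404 so the directory's existence is not confirmed.
RewriteRule (^|/)\.(git|svn)(/|$) - [R=404,L]

# Equivalent for servers with mod_alias but no mod_rewrite.
# RedirectMatch 404 (^|/)\.(git|svn)(/|$)
```

After deploying it, request `/.git/HEAD` and `/.svn/entries` from outside and confirm both return 404; keeping the repository outside the web root altogether, as the booklet recommends for the system directory, is still the stronger control, since a rewrite rule only applies while the web server's configuration is intact.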
Even though it was a quick read, there’s a lot of valuable information in here. Being the Technology and Development Director at Happy Cog, Mark clearly has a lot of experience with ExpressionEngine, and this little booklet does a fine job of passing on some of that knowledge.