How to secure your ExpressionEngine Website

Website security is extremely important. It should be taken very seriously as it will to a large extent determine the success of any website. Take this scenario: you own a website that is ranking very high on search engines and pulling some very huge traffic. Suddenly, it is exploited and returns a blank page to visitors. How will the visitors react? Most certainly, visitor confidence will be eroded and you will lose traffic and sales. Some visitors may never visit that site again. So securing every website is a serious issue that deserve the right attention.
In this post, we examine how to secure an ExpressionEngine website. Let’s go straight to the key steps to take.



1. Secure the file and folder permissions of the site

This can depend on the web hosting environment. You will need to check up with your web host for appropriate file permission settings. Usually, the files should be set to 644 and folders set to 777. Limiting the file permissions can improve the security of ExpressionEngine. Generally, you want to restrict access to all non-owners. In practice, this usually means everyone other than you.

2. Change the administrator login web address

Concealing the administrator path to the ExpressionEngine which enables backend access to make changes to the website can help prevent intrusions. Easily guessed administrator login pages are much more likely to fall under brute force attacks. Changing the ExpressionEngine administrator web address or URL hides the login page to thwart unwanted access attempts. To do so, rename the admin.php file to one of your choosing, then edit the the line shown below in the system/expressionengine/config/config.php file to reflect the new name of the admin.php file.
$config[‘cp_url’] = “http://domain.tld/newname.php

3. Manage access points

You can access your site through SSH, FTP, or the SiteWorx control panel, and the choice depends on you and what you want to achieve. Each of these protocols should have different passwords and should follow your password policy. Always use secure methods of accessing your site and moving or modifying the content of the site. Finally, connection methods like SSH, SFTP, or SCP offer relatively easy ways to provide an additional layer of security.

4. Deploy changes responsibly

One of the major sources of site exploitation is vulnerable plugins. Extensions, themes, and other applications can create vulnerabilities. The best way to minimize this threat is to first implement all new changes in a development environment. Frequently referred to as a “dev site,” this environment is an exact copy of your live site, but changes made to it do not affect your actual website. We also recommend you backup both the site files and the database before making any changes, as these form the final line of defense against security breaches and data corruption.

5. Implement your own password policy

A password policy states requirements for passwords. Our recommendation for a strong password is:
• Do not use a password that is easily guessed or decoded.
• Establish complexity requirements. Use a combination of capital and small letters as well as special characters.
• Change the password regularly.
• Do not recycle passwords.
Consider using the the Todhost cPanel Secure Password Generator to help generate a secure custom password.

Further reading:

ExressionEngine Search Engine Optimization

Getting Started with Expression Engine

How to Use ImageSizer to Scale Lightbox Gallery Images in ExpressionEngine

Tips for optimizing ExpressionEngine website for better performance

What are the Things You Can Do With ExpressionEngine?

6. Change or move the system folder

Obscuring the path of the ExpressionEngine system folder can help prevent intrusions. The system folder is the core of your ExpressionEngine install and contains sensitive information. To change the name of the system folder, edit the line below in both the index.php file and admin.php file.
$system_path = ‘.newsecurename’;
Once this line is edited in both files, rename the system folder to reflect the new name.
Moving the system folder outside of the webroot can also improve security. To move the system folder, edit the line below in both the index.php file and admin.php file, then move the directory to the specified location:

$system_path = ‘../system’;

The above example moves the system folder up one directory.
An increasingly common attack is to search for Subversion’s .svn directories within your web root and infer an application’s directory structure from the entries file (this is done by navigating to If these aren’t protected by .htaccess you’re giving attackers a full view into your system folder name, the extensions you have installed and even, potentially your template structure.
Simply by asking Subversion for your directory structure, attackers could find and exploit all those templates you thought no one could see and you didn’t need to put a password on, or all those poorly structured. Moving your system folder out of the web realm protects this and gives attackers (potential) access to only the files you deem safe.
In the root index.php file there’s a line near the top that tells EE2 exactly where to look for the system folder. This is your first line of defense against malicious attacks. Security through obscurity it’s sometimes called but it works surprisingly well.

$system_folder = 'system';

This isn’t iron clad security but it sure is better than an easily guessable /system folder. Now, let’s make it better.
It is not obvious from the variable name or the default value, but the $system_folder variable isn’t just looking for a directory name. It can take an entire server path to your system folder. We’re not limited to just system there, we could write private/system and nest our control panel within an .htaccess protected private directory. We could also go the other way and pull our system folder up a level outside the web root like so:

$system_folder = '../sys';

7. Add CAPTCHAs to forms

CAPTCHAs offer additional validation to forms to prevent aggressive spamming. Before users may submit a form, they must read and enter a generated code for each post. Recent versions of ExpressionEngine include the CAPTCHA feature and require minimal effort to implement. CAPTCHAs can be implemented on comment forms, member registration forms, and contact or tell-a-friend forms
Last month EE Insider asked the readers “What do you rename your system folder to?” The responses ranged from common dictionary words to random strings and everything in between. The responders are obviously concerned about security and doing what they can to ensure malicious users or bots cannot attack their Control Panel. Let’s take a look at a simple way to secure your ExpressionEngine 2 (EE2) installation.


8. Secure Setup Paths

Here are the paths recommended for use for various parts of EE2 installation:
Let’s take a look at each one individually.


9. Get SSL set up on your server

To do this, you will reuire an SSL certificate, With modern servers, you no longer reuire a dedicated IP address to i,plement SSL on our website. Essentially, a regular HTTP request goes like this:

Browser: Hey, can I have a connection to port 80?
Server: Yip, go ahead.
Browser: Ok, give me, page /
Server: Sure, here you go!

With an SSL connection, the request goes like this:

Browser: Hey, can I have a secure connection to port 443?
Server: Yip, here’s my certificate.
(browser checks certificate)
Browser: Ok, give me, page /
Server: Sure, here you go!

Notice that the certificate is validated before the browser sends the “host” header. The clever folk in charge of SSL realised this, and developed TLS (the replacement for SSL), which includes a technology called Server Name Indication. This allows the browser to specify a host name before the certificate is requested.

Once you have SSL set up and working on your server, you should be able to browse to and see your website. If this doesn’t work, you probably need to get in touch with your web host to figure out why things that aren’t working

Securing specific sections of your web site

In some circumstances, you will want to secure your entire website, and only allow it to be served over HTTPS. If this is the case, then you’re nearly done. All you need to do is prevent access over regular HTTP. This can be accomplished using a couple of lines at the top of your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This tells your Apache server “If HTTPS is off, redirect to https://current-domain/current-page”. If you are running your entire site over HTTPS, you should also check that your Site URL and all other URLs in your ExpressionEngine settings use HTTPS. The easiest way to do this is to grab a copy of thr free REElocate find-and-replace module to update your settings all at once.

Putting all these recommendations together, you have a simple and secure way to run on your ExpressionEngine2 website. If you have issues, you can contact customer support
  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Getting Started with Expression Engine

When it comes to the web, ExpressionEngine is preferred by companies of all sizes for 5 major...

What are the Things You Can Do With ExpressionEngine?

ExpressionEngine (EE) is a commercial, modular CMS developed by EllisLab. It is available in both...

ExressionEngine Search Engine Optimization

Optimising your Expression Engine website is fundamental to help our site performance especially...

Tips for optimizing ExpressionEngine website for better performance

If you are familiar with ExpressionEngine for the design of your website, its important to have...

How to Use ImageSizer to Scale Lightbox Gallery Images in ExpressionEngine

The ImageSizer plugin from Lumis is a fantastic plugin and you will get to find that out very...