Something that off-the-shelf scripts tend to neglect is where your files get saved. Not all of them, necessarily. Just the valuable ones, the files holding things like your database username and password. The files that really matter.
There is more to it than that, though. Files that are only ever read by server-side processing can live somewhere quite different from the images, stylesheets and public documents that a browser has to be able to fetch.
Consider the following things you’ll see on this page…
You're reading a page called index.php, but you can't see that in the address bar because mod_rewrite is turned on. index.php has to be on the public side of my site; the browser needs to reach it.
index.php calls any number of scripts (includes) to help it access the database and process the information that builds this page. There might even be a line of code at the top of each include to stop it being called directly. A better way to protect those files from undesired "hits" is to store them out of the way, somewhere no URL can reach them at all.
Take a look at this image. You can see htdocs sitting there. On your site it might be called public_html or www. It's the same thing: the document root, the directory the webserver maps URLs onto.
Anything inside htdocs is fair game. Only the webserver's own configuration and whatever checks you code into the scripts stand between a visitor and direct access to those files. For public assets that's fine; for the most part direct access is a GOOD thing.
But what if something goes wrong and the webserver stops protecting your site properly? A misconfiguration that serves .php files as plain text, a directory listing that got switched on, a stray config.php.bak left beside the real one. Any of those can make the contents of those files visible to anyone who asks for the URL.
If they are stored in a directory outside htdocs, no URL maps to them, so none of those mistakes exposes them. (They still have to be readable by the account the webserver runs as, and a file-inclusion bug in your own code could still read them, so treat this as one layer of protection rather than the only one.)
In my example above there is a folder called includes and another called private. These, in turn, may have any number of subdirectories, creating a perfectly normal file structure. But because they're not inside htdocs you can't get to them with your browser.
Programmatically, i.e. from your PHP script, they're still available: the script runs on the server and reads the filesystem directly, not through URLs.
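Here is what that layout looks like in practice. This is an added example written for this post, not code from the original page or from any particular package. Everything in it is assumed: the paths under /var/www/example.com, the APP_ROOT and IN_APP constants, the outside_docroot() helper and the db_connect() function. Three files are shown in one listing, separated by comment headers; only index.php lives inside htdocs. It also adds a startup check the post does not mention: index.php refuses to run if the private directories have somehow ended up under the document root.

```php
<?php
// ---- File: /var/www/example.com/htdocs/index.php (assumed path) ----
// The only one of the three files that is reachable by URL.

// __DIR__ is the directory of the running script, so dirname(__DIR__) is the
// parent of htdocs regardless of the current working directory.
define('APP_ROOT', dirname(__DIR__));

// The "code at the top" guard: included files check for this constant and
// refuse to run if requested directly. Keeping them outside htdocs is the
// real control; the guard is a second layer in case one gets copied back in.
define('IN_APP', true);

// Returns true if $dir does NOT sit under the webserver's document root.
// Real paths are compared with a trailing separator so that /var/www/htdocs
// is not mistaken for a prefix of /var/www/htdocs2.
function outside_docroot($dir)
{
    if (empty($_SERVER['DOCUMENT_ROOT'])) {
        return true; // not running under a webserver (e.g. CLI); nothing to compare
    }
    $docroot = realpath($_SERVER['DOCUMENT_ROOT']);
    $target  = realpath($dir);
    if ($docroot === false || $target === false) {
        return false; // missing directory: fail closed
    }
    return strpos($target . DIRECTORY_SEPARATOR, $docroot . DIRECTORY_SEPARATOR) !== 0;
}

foreach ([APP_ROOT . '/private', APP_ROOT . '/includes'] as $dir) {
    if (!outside_docroot($dir)) {
        error_log("$dir is inside the document root; refusing to start");
        http_response_code(500);
        exit;
    }
}

$config = require APP_ROOT . '/private/config.php';
require APP_ROOT . '/includes/db.php';

$pdo = db_connect($config);
// ... build the page from $pdo here ...
?>
<?php
// ---- File: /var/www/example.com/private/config.php (assumed path) ----
// Holds the credentials. Not reachable by URL; the guard below is a backstop.
defined('IN_APP') or exit('Direct access not permitted');

return [
    'dsn'  => 'mysql:host=localhost;dbname=site;charset=utf8mb4',
    'user' => 'site_user',   // placeholder, not a real credential
    'pass' => 'change-me',   // placeholder, not a real credential
];
?>
<?php
// ---- File: /var/www/example.com/includes/db.php (assumed path) ----
// Helper code that index.php pulls in. Same guard, same reasoning.
defined('IN_APP') or exit('Direct access not permitted');

function db_connect(array $c)
{
    return new PDO($c['dsn'], $c['user'], $c['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

Two practical notes. First, the files outside htdocs still need to be readable by the account the webserver runs as, so the usual arrangement is owner = your deploy user, group = the webserver's group, mode 640 on config.php and no world read bit. Second, the `defined('IN_APP') or exit` line is there for the day someone copies config.php into htdocs by mistake; it is not a substitute for keeping the file out of the document root, because a handler misconfiguration that serves PHP as plain text never executes the guard at all.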
So, next time you install some software on your system, consider moving the config.php, settings.php type files to a more secure location, and check that the software lets you point at them from there.
[…] Don’t forget, always store anything to do with your intellectual property or business rules in server side scripts – and in a secure location if possible. […]