Easy Steps for Securing Your CMS Made Simple Installation

With every publicly available software package or CMS, there comes the problem of vulnerabilities and hacking attempts. If you follow these few easy steps, you can add some extra security to your CMS Made Simple installation!

1. Use better login names and passwords

The biggest problem of all is that users often pick an easy-to-guess admin login name and password. Therefore, the first step is to change your admin login name to something other than “admin” or “joe”, and not to use an easy-to-guess password like “yourname123” or a birthday. In this age of social networks, there is already enough information about you around the net, so something like your birthday or your children’s birthdays is easy to guess.

Log in to your CMSMS administration area. Go to “Users & Groups”, click on “Users” and select your account. Change your settings and click “Submit”.


2. Rename your admin folder

CMSMS, like most open-source software, places the admin login at an easy-to-guess location: install_directory/admin. If your CMSMS installation is in the root folder, your admin panel is at www.domain.com/admin. To prevent this, we have the option of changing that folder to whatever name we like. Log in to your server with your favorite FTP software (for example FileZilla) and rename the “admin” directory to something like “XY123”. Then open the “config.php” file in your favorite text editor and change the following line to match the directory name:

$config['admin_dir'] = 'XY123';

3. Have some fun with people attempting to access /admin

Looking at my stats, I have often seen people attempting to access my /admin folder.
As I don’t see a reason why anyone else would be interested in viewing my admin page, I have decided to have some fun with those people with a simple line in the .htaccess file (if you are using pretty URLs, you already have a .htaccess in your root folder; otherwise, create one).

Redirect 301 /admin http://www.cia.gov
Redirect 301 /administration http://www.cia.gov

Please note that you should rename your admin folder first (step 2) before taking this action.

4. Secure your config.php

Your config.php should not be writable. To change this, simply set the permissions of the config.php file to 444 (CHMOD 444) via your FTP client.

5. Prevent access to .htaccess and config.php files

For some extra security, you can prevent web access to the .htaccess and config.php files. Simply add the following to your .htaccess file (each block must be closed with </Files>):

<Files .htaccess>
order allow,deny
deny from all
</Files>
<Files config.php>
order allow,deny
deny from all
</Files>
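As an added check (not code from the original post or from CMSMS), the following POSIX shell script audits steps 2, 4 and 5 against a document root: the admin folder named in config.php must exist and no longer be “admin”, config.php must be mode 444, and .htaccess must contain a closed <Files config.php> block that denies access. It accepts both the Apache 2.2 “deny from all” form shown above and the Apache 2.4 “Require all denied” form; the sample install it builds uses constructed values.

```shell
#!/bin/sh
# Audit script added for this post (not from the original article or CMSMS):
# checks steps 2, 4 and 5 against a CMSMS document root passed as $1.
# Step 2: config.php's admin_dir must name an existing folder other than "admin".
check_admin_dir() {
    dir=$(grep "admin_dir" "$1/config.php" | sed "s/.*= *'//; s/';.*//")
    [ -n "$dir" ] && [ "$dir" != "admin" ] && [ -d "$1/$dir" ]
}

# Step 4: config.php must be mode 444 (stat flags differ between GNU and BSD).
check_config_mode() {
    mode=$(stat -c '%a' "$1/config.php" 2>/dev/null || stat -f '%Lp' "$1/config.php")
    [ "$mode" = "444" ]
}

# Step 5: .htaccess must hold a properly closed <Files config.php> block that
# denies access, in either the 2.2 "deny from all" form used in the post or
# the Apache 2.4 "Require all denied" form.
check_htaccess_denies_config() {
    awk 'tolower($0) ~ /<files +config\.php>/ { inblk = 1; next }
         inblk && tolower($0) ~ /<\/files>/    { if (denied) ok = 1; inblk = 0; denied = 0 }
         inblk && tolower($0) ~ /deny from all|require all denied/ { denied = 1 }
         END { exit ok ? 0 : 1 }' "$1/.htaccess"
}

# Run all three checks; exit status 0 means the root passes every one.
audit_cmsms() {
    check_admin_dir "$1" && check_config_mode "$1" && check_htaccess_denies_config "$1"
}

# Build a constructed sample install (hypothetical values) in a temp directory
# so the script can be exercised without a real site; prints the directory.
make_sample_install() {
    d=$(mktemp -d)
    mkdir "$d/XY123"
    printf "<?php\n\$config['admin_dir'] = 'XY123';\n" > "$d/config.php"
    chmod 444 "$d/config.php"
    printf "<Files config.php>\norder allow,deny\ndeny from all\n</Files>\n" > "$d/.htaccess"
    echo "$d"
}

# Stand-alone run: audit the constructed install (or a real root given as $1).
ROOT="${1:-$(make_sample_install)}"
if audit_cmsms "$ROOT"; then echo "PASS: $ROOT"; else echo "FAIL: $ROOT"; fi
```

Run it with your real document root as the argument once you have applied the steps; an unmodified install fails the first check because its admin folder is still the default.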

6. Block evil bots and other not-so-healthy clients

There are many unwanted bots out there, so to deny them access we can use a simple rule in the .htaccess file (mod_rewrite must be enabled once per .htaccess with RewriteEngine On; a pretty-URL .htaccess already has it):

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector
RewriteRule ^.* - [F,L]

Note: do not use [OR] on the last RewriteCond line.
For a good list of bots, you can visit this website or search for “htaccess block robots” in the search engine of your choice.
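To see what the rule above actually refuses, here is an added example (not from the original post) that replays constructed combined-format access log lines against the three user-agent patterns the way RewriteCond matches them: anchored at the start of the string and case-sensitive. The log lines and addresses are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): replay constructed access log
# lines against the user-agent patterns from step 6 the way mod_rewrite's
# RewriteCond evaluates them: anchored at the start and case-sensitive
# (append [NC] to each RewriteCond if you want a case-insensitive match).
BLOCKED_UA='^(Anarchie|ASPSeek|EmailCollector)'

# Extract the user-agent field (the last double-quoted string) from one
# combined-format log line.
ua_of() {
    printf '%s\n' "$1" | sed 's/.*" "\([^"]*\)"$/\1/'
}

# Return 0 if the line's user agent would be refused by the RewriteRule.
would_block() {
    ua_of "$1" | grep -Eq "$BLOCKED_UA"
}

# Count how many lines of a log read from stdin the rule would refuse.
count_blocked() {
    n=0
    while IFS= read -r line; do
        would_block "$line" && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample log: two matching bots, one lowercase variant that the
# case-sensitive rule lets through, and one ordinary browser.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 200 512 "-" "Anarchie/1.3"
203.0.113.6 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 1024 "-" "EmailCollector"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "anarchie/1.3"
203.0.113.8 - - [10/Oct/2023:13:56:10 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"'

# Stand-alone run: prints 2 for the sample log.
echo "Requests the rule would refuse: $(printf '%s\n' "$SAMPLE_LOG" | count_blocked)"
```

Feed a real access log to count_blocked on stdin to estimate how much traffic a given pattern list would refuse before you deploy it.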

7. Limit file upload size to protect from DoS attacks

With this single line in the .htaccess file, you can limit the size of the request body, and therefore of file uploads, directly through the .htaccess file. Apache does not allow a comment on the same line as a directive, so keep the comment on its own line:

# equals 10 MB
LimitRequestBody 10240000

For easy file size conversion you can use this website.

8. Prevent robots from indexing specific files

There is no reason for search engine robots to index some of your folders or files, such as the images used for your site design.
When creating themes for CMSMS, I usually use the /uploads/themename/ folder for any theme-related files.
To keep these files out of the index, we can use a simple rule in the robots.txt file located in the root folder.

User-agent: *
Disallow: /uploads/themename
Disallow: /uploads/themename/*.cgi$
Disallow: /uploads/themename/*.css$
Disallow: /uploads/themename/*.gif$
Disallow: /uploads/themename/*.gz$
Disallow: /uploads/themename/*.inc$
Disallow: /uploads/themename/*.jpg$
Disallow: /uploads/themename/*.jpeg$
Disallow: /uploads/themename/*.js$
Disallow: /uploads/themename/*.php$
Disallow: /uploads/themename/*.php*
Disallow: /uploads/themename/*.png$
Disallow: /uploads/themename/*.tpl$
Disallow: /uploads/themename/*.wmv$
Disallow: /uploads/themename/*.flv$
Disallow: /uploads/themename/*.xhtml$

Well that’s it! I hope some of these suggestions help you with your own CMSMS site.



Author Spotlight

Goran Ilic

Goran Ilic is a designer, all-rounder, husband, father, and founder of a CMS Made Simple related blog called I do this (www.i-do-this.com). After a long search for the perfect tool for his clients he found CMSMS and devoted his passion to it.

6 Comments on Easy Steps for Securing Your CMS Made Simple Installation

  1. kenumir says:

    simple and easy to implement in existing sites and systems

  2. Birgit says:

    I especially like No. 3! 🙂

  3. Quintin says:

    Very useful info. We just recovered from a hacker attack, that was quite nasty. We are still not sure how they got in, it may have been CMS, but we are not sure…in any case, we have taken steps at all levels to prevent this from happening again, and this is one more step that will hopefully keep the bad guys out. Thanks so much for posting this info.

  4. Stoffer says:

    Brilliant and very useful article. My friend’s site (that I manage) got hacked and it took me ages to get rid of all the crap they put on there. They managed to get in with a ROOT user. I still don’t see how as I never set up a ROOT account. They deleted my friend’s user access too.
    Anyway, all sorted now and thanks again for these tips.

  5. stef says:

    Thanks for these advices. I am a novice in CMSMS.
    I am testing it on one site and I see that my .htaccess file is stored only in a subdirectory “doc”, not in the root. Should I copy it to the root and change it according to what you mention?

  6. Dave says:

    Good advice. This statement crashes the website because of having the comment on the same line:

    LimitRequestBody 10240000 #equals to 10MB

    Change to

    #equal to 10MB
    LimitRequestBody 10240000
