Elgg: Protecting Upgrade.php

What is upgrade.php?  Upgrade.php is a file that flushes the cache that elgg uses. It runs code and database upgrades. By default, in any regular Elgg install, anyone can run this file.  This is not good. We don’t want anyone running this file.

For that reason, I will show you how to protect this file so that only the admin is the only one allow to run it.

-First, open the file upgrade.php

-Look for this:


Below that, please add this:


And done. Now only the admin/owner of the page will be the only one that would be able to run it.

For more info about Elgg hosting solutions please visit Arvixe-Elgg Hosting

Happy Hosting!

Rodolfo Hernandez

Tags: , , , , , , , | Posted under Elgg, Security/Vulnerability | RSS 2.0

Author Spotlight

Rodolfo Hernandez

I like photography and reading books. Currently working for Arvixe as Elgg Community Liaison. Elgg Security Expert Web Security Expert CEO of UDP SW Social Web

2 Comments on Elgg: Protecting Upgrade.php

  1. Brett says:

    Flushing the cache isn’t a problem or a security concern. This is addressed at http://docs.elgg.org/wiki/Security_FAQ

    If you don’t want someone to run this file, it’s better to delete it after an upgrade, and then for your next upgrade it will be replaced by the new version.

  2. Well, it has been a security concern lately on the Elgg Community. Instead of misleading them, I decided to make this guide.

Leave a Reply

Your email address will not be published. Required fields are marked *