What is upgrade.php? Upgrade.php is a file that flushes the cache that Elgg uses and runs code and database upgrades. By default, in any regular Elgg install, anyone can run this file. This is not good. We don't want anyone running this file.
For that reason, I will show you how to protect this file so that only the admin is allowed to run it.
- First, open the file upgrade.php.
- Look for the line containing this:
require_once
- Below that line, add this:
admin_gatekeeper();
And done. Now only the admin/owner of the page will be able to run it.
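The edit lives in a file that can be overwritten when Elgg's files are replaced during an upgrade, so it is worth checking that the call is still in place afterwards. The script below is an added example, not code from the original post or from the Elgg project: `check_gatekeeper`, `make_samples`, `audit`, the placeholder include path and `run_upgrade_steps()` are all constructed for illustration. It goes one step beyond the edit above by requiring that `admin_gatekeeper();` be the first statement after the `require_once` line, so a commented-out call or one placed later in the file is flagged.

```shell
#!/bin/sh
# Added example (not Elgg project code): audit upgrade.php for the edit above.

# check_gatekeeper FILE
#   0 = first statement after the first require_once line is admin_gatekeeper();
#   1 = call missing, commented out, or placed later in the file
#   2 = file not readable
check_gatekeeper() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t\r]*$/            { next }   # skip blank lines
        /^[ \t]*(\/\/|#|\/?\*)/ { next }   # skip comment lines
        !seen { if ($0 ~ /require_once/) seen = 1; next }
        { ok = ($0 ~ /^[ \t]*admin_gatekeeper[ \t]*\([ \t]*\)[ \t]*;/); exit }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# make_samples DIR: write constructed stand-ins (not the real upgrade.php).
make_samples() {
    printf '%s\n' '<?php' '// constructed sample' \
        'require_once("PLACEHOLDER/bootstrap.php");' \
        'admin_gatekeeper();' 'run_upgrade_steps();' > "$1/patched.php"
    printf '%s\n' '<?php' \
        'require_once("PLACEHOLDER/bootstrap.php");' \
        '// admin_gatekeeper();' 'run_upgrade_steps();' > "$1/stock.php"
}

# audit FILE: print a one-line verdict; returns non-zero when not gated.
audit() {
    check_gatekeeper "$1" && { echo "gated:     $1"; return 0; }
    echo "NOT gated: $1"
    return 1
}

# Demo on the constructed samples; point audit at your own upgrade.php instead.
tmp=$(mktemp -d)
make_samples "$tmp"
audit "$tmp/patched.php" || true
audit "$tmp/stock.php" || true
rm -rf "$tmp"
```

Run `audit` against the real file from a post-upgrade checklist or a cron job so a missing gate is noticed quickly.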
For more info about Elgg hosting solutions please visit Arvixe-Elgg Hosting
Happy Hosting!
Rodolfo Hernandez
Flushing the cache isn’t a problem or a security concern. This is addressed at http://docs.elgg.org/wiki/Security_FAQ
If you don’t want someone to run this file, it’s better to delete it after an upgrade, and then for your next upgrade it will be replaced by the new version.
Well, it has been a security concern lately on the Elgg Community. Instead of misleading them, I decided to make this guide.