CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.

Author Topic: How have you secured your civiccrm-settings.php file?  (Read 816 times)

omojesu

How have you secured your civiccrm-settings.php file?
September 20, 2012, 10:37:15 pm
Apologies if this is the wrong thread to ask this question; I couldn't see any of the threads dedicated to security, so I am posting here. I noticed that the civiccrm.settings.php file contains important database info. How does one secure it on the server? With most CMS (like Joomla, Drupal, Wordpress) where CivicCRM resides, the configuration files can be moved outside of the root folder away from malicious eyes. What is the implication of moving this important file away from the CivicCRM folder to somewhere inaccessible via HTTP call? If it can be moved, what files that reference the civiccrm-settings.php file will need to be modified?

Thanks

Hershel

Re: How have you secured your civiccrm-settings.php file?
September 21, 2012, 05:33:41 am
Quote from: omojesu on September 20, 2012, 10:37:15 pm
With most CMS (like Joomla, Drupal, Wordpress) where CivicCRM resides, the configuration files can be moved outside of the root folder away from malicious eyes.

I'm not sure what you mean, at least with regard to Drupal. I am not aware of any way to move the Drupal settings.php file away from a sites/* location. The CiviCRM settings file goes in the same location (for Drupal) and can be set to be as secure as the Drupal file. See here http://drupal.org/documentation/install/settings-file for suggested server settings.
CiviHosting and CiviOnline -- The CiviCRM hosting experts, since 2007

See here for the official: What to do if you think you've found a bug.
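
Editor's added example (not part of the original thread or of CiviCRM/Drupal code): a shell check that a settings file sitting under sites/* is locked down. The policy it enforces (read-only, no access for "other", no leftover copies beside it) is an assumption made for this example, not a quotation of the linked Drupal page, and the list of copy suffixes is illustrative.

```shell
#!/bin/sh
# Added example: audit the permissions on a CMS/CiviCRM settings file.
# Assumed policy (not quoted from the Drupal documentation):
#   - no write bit for anyone (the file is read-only once installed)
#   - no access at all for "other"
#   - no leftover copies (.bak, .orig, .old, ~) next to it

has_perm() {  # has_perm FILE MODE -> true if every bit in MODE is set on FILE
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

audit_settings_file() {  # returns 0 = clean, 1 = findings, 2 = cannot audit
    f=$1
    findings=0
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "FAIL: $f is missing, not a regular file, or a symlink"
        return 2
    fi
    for spec in "0200:owner-writable" "0020:group-writable" \
                "0002:world-writable" "0004:world-readable" \
                "0001:world-executable"; do
        bits=${spec%%:*}
        label=${spec#*:}
        if has_perm "$f" "$bits"; then
            echo "FAIL: $f is $label"
            findings=$((findings + 1))
        fi
    done
    # A copy whose name no longer ends in .php is usually served as plain
    # text by the web server, credentials included.
    for copy in "$f".bak "$f".orig "$f".old "$f"~; do
        if [ -e "$copy" ]; then
            echo "FAIL: stray copy $copy"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ] && echo "OK: $f"
    [ "$findings" -eq 0 ]
}
```

Mode 0440 with the web server's group as the file's group passes; 0644 fails on both the owner-write and world-read checks.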

omojesu

Re: How have you secured your civiccrm-settings.php file?
September 21, 2012, 10:01:43 am
Ok, if not in Drupal, you can for Joomla. The concern is that the civiccrm.settings.php file contains the database user and pwd info. Anyone can access that information from the ftp. That opens the site up for intrusions by hackers. I think this should be a huge concern for everyone using CivicCRM.

CiviTeacher.com

Re: How have you secured your civiccrm-settings.php file?
September 21, 2012, 12:12:47 pm
FTP is a huge concern in general.  If you are this concerned about hackers, why do you have FTP enabled?  If someone has FTP access, they can not only read your files, they can delete every file on your site.  Turn off FTP.  Allow access to your site only through SFTP or SSH using a public/private key pair.
« Last Edit: September 21, 2012, 12:14:32 pm by Stoob »
Try CiviTeacher: the online video tutorial CiviCRM learning library.

Hershel

Re: How have you secured your civiccrm-settings.php file?
September 22, 2012, 11:31:18 am
Quote from: omojesu on September 21, 2012, 10:01:43 am
Anyone can access that information from the ftp. That opens the site up for intrusions by hackers. I think this should be a huge concern for everyone using CivicCRM.

Sir, first of all if this was a serious security concern, then it would not be just "a huge concern for everyone using CivicCRM" it would be "a huge concern for everyone using Drupal" as CiviCRM in Drupal is just as secure as Drupal itself, when run in Drupal.

Secondly, anyone with a bit of PHP knowledge and FTP access to your Joomla site can retrieve your database credentials in a matter of minutes no matter where the config file is, so in reality putting your Joomla config file elsewhere doesn't actually provide much protection if a hacker has FTP access to your account.

This forum was archived on 2017-11-26.