
Securing CMS Made Simple

Although CMSMS has a good reputation for security, you can still do more to protect your website. Some examples:

Securing the Admin panel

Renaming the admin folder

By default, the admin panel of every CMSMS website can be opened at www.website.com/admin.
Changing the name of the admin folder helps to prevent brute force attacks against the login page.

The first step is renaming the admin folder to, for example, "myadmin658".
The second step is adding this line to your config.php file:

    $config['admin_dir'] = "myadmin658";

The third step is to change the admin folder name in your robots.txt file (if you use one...) in the root of the website. Keep in mind that robots.txt is publicly readable, so an entry for the renamed folder reveals its name.

From now on you must open the admin panel of your CMSMS website at www.website.com/myadmin658

Important: Before upgrading your CMS, change the admin folder name and the config.php setting back to "admin".
After a successful upgrade you can change them back to your own secure name.

Root .htaccess file

The default website root .htaccess file, which is stored for optional use in the /doc folder (htaccess.txt), contains two lines that can be enabled by removing the hash (#). If your web host permits these settings, please enable them!

    # (this is important, so uncomment if your host permits)
    #Options -Indexes
    #ServerSignature Off

Third party modules

Third party add-on modules to secure your website:

  • CGSmartImage
    Hides the website's folder hierarchy and adds watermarks to the images
  • Frontendusers (and CustomContent)
    Protects your website's frontend pages

Third party (user defined) tags

Mail UDT

Attach the following UDT to the event "LoginFailed" and you will receive an email with the username that was used and the IP address of whoever failed to log in to your admin panel.

    $cmsmailer = cms_utils::get_module('CMSMailer');
    // Receiver
    $cmsmailer->AddAddress('admin@website.com','Name');
    // Sender
    $cmsmailer->SetFrom('noreply@website.com');
    $cmsmailer->SetFromName('CMS Website.com');
    // Subject
    $username = $_SESSION['login_user_username'];
    $ipaddress = cms_utils::get_real_ip();
    $cmsmailer->SetSubject('Failed login: ' . $username . ' ' . $ipaddress);
    // Content
    $content = 'There has been a failed login in your admin panel!';
    $cmsmailer->SetBody($content);
    $cmsmailer->IsHTML(true);
    // Send mail
    $cmsmailer->Send();

Ban IP-address UDT

Save the following code as a UDT named ip_ban, then add {ip_ban} at the top of your template or page.

    $banned = array ("xxx.xxx.xxx.xxx","yyy.yyy.yyy.yyy","zzz.zzz.zzz.zzz");
    $ipaddress = cms_utils::get_real_ip();
    if (in_array($ipaddress, $banned))
        die ("You are banned from this website!");
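
The UDT above only matches exact addresses. The following added example (not part of the original page or of CMSMS) goes beyond that and also matches CIDR ranges for IPv4 and IPv6; ip_in_range() and ip_is_banned() are hypothetical helper names, and the ban list and test addresses are constructed.

```php
<?php
// Added example, not CMSMS code: ip_in_range() and ip_is_banned() are hypothetical helpers.

// True when $ip equals $entry or lies inside it when $entry is a CIDR range.
function ip_in_range(string $ip, string $entry): bool
{
    $parts = explode('/', $entry, 2);
    $addr  = @inet_pton($ip);
    $net   = @inet_pton($parts[0]);
    // Unparsable input or an IPv4/IPv6 family mismatch never matches.
    if ($addr === false || $net === false || strlen($addr) !== strlen($net)) {
        return false;
    }
    $bits = strlen($net) * 8;              // no prefix given: compare every bit
    if (isset($parts[1])) {
        if (!ctype_digit($parts[1]) || (int) $parts[1] > $bits) {
            return false;                  // malformed prefix length matches nothing
        }
        $bits = (int) $parts[1];
    }
    $whole = intdiv($bits, 8);             // bytes that must match exactly
    if (substr($addr, 0, $whole) !== substr($net, 0, $whole)) {
        return false;
    }
    $rest = $bits % 8;                     // leftover bits in the next byte
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($addr[$whole]) & $mask) === (ord($net[$whole]) & $mask);
}

function ip_is_banned(string $ip, array $banned): bool
{
    foreach ($banned as $entry) {
        if (ip_in_range($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// Constructed ban list and test addresses (documentation ranges only).
$banned = ['198.51.100.7', '203.0.113.0/24', '2001:db8:bad::/48'];
foreach (['198.51.100.7', '203.0.113.200', '192.0.2.1', '2001:db8:bad::1'] as $ip) {
    // In the UDT, $ip would be cms_utils::get_real_ip(); a match could send
    // http_response_code(403) before die() so the refusal shows in access logs.
    printf("%-16s %s\n", $ip, ip_is_banned($ip, $banned) ? 'banned' : 'allowed');
}
```

If the two functions are pasted into a UDT, wrap each declaration in a function_exists() check so that a second use of the tag on the same page does not redeclare them.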

Using SSL (https)

To force a page to use SSL (Secure Sockets Layer), go to the 'options' tab when creating a new page and check 'Use HTTPS for this page'. To make all new pages default to this setting, go to Site Admin >> Page Defaults and check 'Use HTTPS for this page'.