Securing CMS Made Simple

Although CMSMS has a good reputation in terms of security, you can still do more to protect your website. Some examples:

   Securing the Admin panel

   Renaming the admin folder

The admin panel of every default CMSMS website is reachable at www.website.com/admin.
Changing the folder name of the admin is a good way to hinder brute force attacks.

The first step is renaming the admin folder to, for example, "myadmin658".
The second step is adding this line to your config.php file:

$config['admin_dir'] = "myadmin658";

The third step is to change the admin folder name in your robots.txt file (if you use one) in the root of the website.

You now open the admin panel of your CMSMS website at www.website.com/myadmin658

Important: Before upgrading your CMS, change the admin folder name and the config.php setting back to "admin".
After the successful upgrade you can change it back to your own secure name.

   Root .htaccess file

The default website root .htaccess file, stored for optional use as htaccess.txt in the /doc folder, contains the following lines, which can be enabled by removing the hash (#). If your webhost permits these settings, please do!

# (this is important, so uncomment if your host permits)
# Stop Apache from listing the contents of folders that have no index file
#Options -Indexes
# Do not reveal the server version in error pages
#ServerSignature Off
# Mark the PHP session cookie HttpOnly so scripts in the browser cannot read it
#php_value session.cookie_httponly true

   Third party modules

Third party add-on modules to secure your website:

  • Admin IP Lock
    If someone fails too many times to log in to your website, their IP address is added to a ban list
  • CGSmartImage
    Hide the website's folder hierarchy and add watermarks to the images
  • Frontendusers (and CustomContent)
    Protect your website's frontend pages

   Third party (user defined) tags

  Mail UDT

Add the following UDT to the event "LoginFailed" in the CMSMS Event Manager and you will receive an email with the username and IP address used by whoever failed to log in to your admin panel.

// Read the attempted username and strip CR/LF so it cannot inject extra mail headers
$username = isset($_POST['username']) ? str_replace(array("\r", "\n"), ' ', $_POST['username']) : '(none)';
$username = substr($username, 0, 100);
$ip = cms_utils::get_real_ip();

$to = 'your.name@website.com';
$subject  = 'Failed login: ' . $username . ' - ' . $ip;
$message  = "There has been a failed login in your admin panel!\r\n";
$message .= "Username: " . $username . "\r\n";
$message .= "IP Address: " . $ip . "\r\n";
$headers = 'From: CMS Made Simple website.com <noreply@website.com>';

@mail($to, $subject, $message, $headers);

  Ban IP-address UDT

Create a UDT named ip_ban with the code below and add {ip_ban} at the top of your template or page.

// Exact-match list of banned addresses (placeholders, replace with real IP addresses)
$banned = array("xxx.xxx.xxx.xxx", "yyy.yyy.yyy.yyy", "zzz.zzz.zzz.zzz");
$ipaddress = cms_utils::get_real_ip();
if (in_array($ipaddress, $banned, true)) {
    die("You are banned from this website!");
}
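The static ban list above and the "Admin IP Lock" module described earlier can be combined in a small file-backed lockout. The following is an added example, not code from this page or from the CMSMS project: it assumes cms_utils::get_real_ip() as used above, a writable temp directory, and made-up file name and thresholds.

```php
<?php
// Added example: record failed admin logins per IP and lock out an address
// after too many failures inside a time window. File path and limits are
// assumed values, not CMSMS settings.
define('LOCKOUT_FILE', sys_get_temp_dir() . '/cmsms_failed_logins.json');
define('LOCKOUT_MAX_ATTEMPTS', 5);   // failures before an IP is locked out
define('LOCKOUT_WINDOW', 15 * 60);   // seconds; older failures are forgotten

// Load attempts as array(ip => array(timestamp, ...)), dropping stale entries.
function lockout_load() {
    $data = is_readable(LOCKOUT_FILE) ? json_decode(file_get_contents(LOCKOUT_FILE), true) : null;
    if (!is_array($data)) $data = array();
    $cutoff = time() - LOCKOUT_WINDOW;
    foreach ($data as $ip => $times) {
        $times = array_values(array_filter($times, function ($t) use ($cutoff) { return $t >= $cutoff; }));
        if ($times) $data[$ip] = $times; else unset($data[$ip]);
    }
    return $data;
}

// Write the attempts back; LOCK_EX so concurrent failures do not corrupt the file.
function lockout_save(array $data) {
    file_put_contents(LOCKOUT_FILE, json_encode($data), LOCK_EX);
}

// Body for the LoginFailed UDT: count one more failure for this IP.
function lockout_record($ip) {
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) return 0; // ignore garbage
    $data = lockout_load();
    $data[$ip][] = time();
    lockout_save($data);
    return count($data[$ip]);
}

// Body for the template UDT (like {ip_ban}): true if this IP is locked out.
function lockout_is_locked($ip) {
    $data = lockout_load();
    return isset($data[$ip]) && count($data[$ip]) >= LOCKOUT_MAX_ATTEMPTS;
}

// In the LoginFailed UDT:
lockout_record(cms_utils::get_real_ip());

// In the template UDT:
if (lockout_is_locked(cms_utils::get_real_ip())) {
    header('HTTP/1.1 403 Forbidden');
    die('Too many failed logins from your address. Try again later.');
}
```

Define the functions once (for example in a file included from both UDTs) so PHP does not see them declared twice in one request.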

   Using SSL (https)

To force a page to use Secure Sockets Layer (SSL, i.e. HTTPS), go to the 'options' tab when creating a new page and check 'Use HTTPS for this page'. To make all new pages default to this setting, go to Site Admin >> Page Defaults and check 'Use HTTPS for this page'.