Help Site License

The Joomla! Help Site content is copyright © 2005 - 2008 by the individual contributors and can be used in accordance with the Creative Commons License, Attribution NonCommercial ShareAlike 2.5. Some parts of this website may be subject to other licenses.

J! CORE: How do I move confidential files outside of public_html?
Author(s): Rliskey
Experience level: Beginner
Contributors:
Joomla! version: 1.0
Date added: Monday, 26 March 2007
Date last changed: Wednesday, 11 July 2007

Overview

This great tip comes from a post by friesengeist.

One challenge in Joomla! is ensuring that certain PHP files in public_html containing executable code or confidential data are protected from direct Internet access.

There are various ways to protect such files, but most are not optimal. Many users and developer groups, such as Gallery2 and Apache.org, strongly recommend against keeping vulnerable files and confidential data inside public_html.

The following method seems to be the simplest and most elegant way to protect read-only files that, for whatever reason, must be stored in public_html. In this example, we protect configuration.php, perhaps the most confidential file of any Joomla! site.

Note: Using this method, even if the Web server somehow delivers the contents of PHP files, for example due to a misconfiguration, nobody can see the contents of the real configuration file.

Directions

1. Move configuration.php to a safe directory outside of public_html and rename it whatever you want. We use the name joomla.conf in this example.

2. Create a new configuration.php file containing only the following code:

<?php
// Load the real settings from joomla.conf in the parent directory of this file's directory.
require( dirname( __FILE__ ) . '/../joomla.conf' );
?>

Important!
Do not include blank lines or any characters (including blank spaces) before the php start tag or after the php end tag. If you make this mistake, you will very likely see the following error.

Warning: Cannot modify header information - headers already sent by (output started at /home/xxxxx/public_html/configuration.php:2) in /home/xxxxx/public_html/index.php on line 250

 

3. Make sure the new configuration.php file is not writable, so that it cannot be overwritten by the Joomla! Web admin interface.

4. If you need to change configuration settings, do so manually in the relocated joomla.conf.
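
A check for the finished layout, as an added example that is not part of the original FAQ: it verifies that the stub has no bytes before the start tag or after the end tag, that it carries no write bit, and that the real file sits outside the document root. The function name check_stub and the temporary demo paths are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the stub layout from this FAQ. Paths come from the caller.

# check_stub DOCROOT REAL_CONF
# Prints one line per finding and returns the number of problems (0 = OK).
check_stub() {
    local root="$1" conf="$2" stub="$1/configuration.php" n=0
    local first last root_dir conf_dir
    [ -f "$stub" ] && [ -f "$conf" ] || { echo "FAIL: stub or real file missing"; return 1; }

    # Any byte before "<?php" (blank line, space, UTF-8 BOM) is emitted as output
    # and causes the "headers already sent" warning.
    first=$(head -c 5 "$stub" | od -An -tx1 | tr -d ' \n')
    [ "$first" = "3c3f706870" ] || { echo "FAIL: bytes before <?php"; n=$((n+1)); }

    # PHP discards a single newline directly after "?>"; allow one LF, flag the rest.
    last=$(tail -c 3 "$stub" | od -An -tx1 | tr -d ' \n')
    case "$last" in
        *3f3e|3f3e0a) ;;
        *) echo "FAIL: bytes after ?>"; n=$((n+1)) ;;
    esac

    # Step 3: no write bit for owner, group or other.
    if [ -n "$(find "$stub" \( -perm -200 -o -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL: stub is writable"; n=$((n+1))
    fi

    # Step 1: the real file must resolve to a directory outside the document root.
    root_dir=$(cd "$root" && pwd -P)
    conf_dir=$(cd "$(dirname "$conf")" && pwd -P)
    case "$conf_dir/" in
        "$root_dir"/*) echo "FAIL: real file is inside the document root"; n=$((n+1)) ;;
    esac

    [ "$n" -eq 0 ] && echo "OK: stub layout matches the FAQ"
    return "$n"
}

# Constructed demo layout in a temporary directory (not a real site).
demo=$(mktemp -d)
mkdir "$demo/public_html"
echo '<?php /* constructed placeholder settings */' > "$demo/joomla.conf"
printf '%s\n' '<?php' "require( dirname( __FILE__ ) . '/../joomla.conf' );" '?>' \
    > "$demo/public_html/configuration.php"
chmod 444 "$demo/public_html/configuration.php"
check_stub "$demo/public_html" "$demo/joomla.conf"
```

On a real site, call check_stub with the actual document root and the relocated file's path; a non-zero exit status is the number of findings.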

