Security for Joomla 2.5

Security for Joomla 2.5 3 months, 3 weeks ago #5627

Those of you familiar with Aussie Interconnect will be aware how much priority we place on security - for obvious reasons I know.

A snippet of what can be added to your site is detailed below, as we are intending to include this as standard in our site hosting criteria (after testing currently under way with Joomla 2.5 this week).



(1) Add a php.ini to the root folder of your Joomla installation with the following:

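; Block functions that run shell commands or expose source and configuration
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
safe_mode = 0
; Refuse http:// and ftp:// URLs in file functions
allow_url_fopen = 0
; Restrict PHP file access to the site tree and /tmp
open_basedir = /path_to_your_site/:/tmp
register_globals = 0

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off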

(2) Copy the configuration.php to a new folder (with a random name, e.g. 'hg73g') above the public_html folder (or equivalent) and rename it with a totally random name and extension, e.g. hsg62.8267d. Replace the content of the configuration.php with:

<?php
require( dirname( __FILE__ ) . '/../hg73g/hsg62.8267d' );
?>

Now all the sensitive info in your config file (database details, etc.) is in a folder that cannot be reached via the publicly accessible folder.

I would be interested in any critique feedback on this while we are in test mode.

Cheers to all
Moderator for MJUG forum.
Last Edit: 3 months, 3 weeks ago by Shane Thorpe.
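
An added example, not part of the original post or of Joomla: a PHP check script, placed in the Joomla root, that confirms the settings from step (1) are actually in effect and that the file relocated in step (2) resolves outside the web root while still being readable under open_basedir. The folder and file names are the post's sample values; the script itself and its messages are assumptions made for illustration.

```php
<?php
// Added example: audit the effective PHP settings and the relocated config path.
// $privateConfig uses the post's sample names; substitute your own.
$privateConfig = dirname(__FILE__) . '/../hg73g/hsg62.8267d';
$docRoot = realpath(!empty($_SERVER['DOCUMENT_ROOT'])
    ? $_SERVER['DOCUMENT_ROOT'] : dirname(__FILE__));
$wantDisabled = array('show_source', 'system', 'shell_exec', 'passthru',
                      'exec', 'phpinfo', 'popen', 'proc_open');
$findings = array();

// 1. Every function from the php.ini list must be reported as disabled.
$disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
foreach (array_diff($wantDisabled, $disabled) as $fn) {
    $findings[] = "disable_functions is missing: $fn";
}

// 2. Boolean directives from the post that should be off.
foreach (array('allow_url_fopen', 'register_globals', 'magic_quotes_gpc') as $key) {
    $val = ini_get($key);
    // ini_get() returns false when this PHP version no longer has the directive.
    if ($val !== false && in_array(strtolower($val), array('1', 'on', 'true', 'yes'), true)) {
        $findings[] = "$key is enabled";
    }
}

// 3. open_basedir must be set, and must still allow the relocated file.
if ((string) ini_get('open_basedir') === '') {
    $findings[] = 'open_basedir is not set';
}
$real = @realpath($privateConfig); // false if missing or blocked by open_basedir
if ($real === false) {
    $findings[] = 'relocated config not readable (missing, or outside open_basedir)';
} elseif ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    // 4. The private file must not resolve to a path under the web root.
    $findings[] = 'relocated config is still inside the web root';
}

echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : 'all checks passed' . PHP_EOL;
```

Request it through the web server rather than the CLI so the same php.ini the site uses is in effect, then delete it. A failure on check 3 with the file present means the open_basedir value from step (1) does not cover the private folder from step (2).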

Re: Security for Joomla 2.5 3 months ago #5790

  • normdouglas
Nice work Shane... however.

When you say "publicly accessible folder"... how do you mean?
Yes someone can access the configuration.php file (like virtually all other files of Joomla), however with the correct permissions in place and the correct php, they can't "do" anything with the information.

It's not like you can actually see any of the information.

I've always been fascinated by the lengths some will go to "hide" what is effectively already hidden.

Looking forward to discussing this further.
Rules for Website development:
Step 1: Backup
Step 2: Refer step 1