Installing ExpressionEngine 6 for Security

Posted on July 26, 2021

Caroline Blaker

Installing ExpressionEngine 6 for Security Image

Install ExpressionEngine using its security features right out of the box.

This walkthrough is designed to help first-time users install ExpressionEngine on a local development environment for version control in a process that makes use of built-in security configurations; and remind seasoned users of the steps of completing both of these objectives with one effort. Our details may not match yours exactly - we will point out where your details might be different.

We will:

  • Hide ExpressionEngine below the document root so that server rules protect it from being browsed or written by the public.
  • Anonymize the name of the system directory to better protect it from one-size-fits-all attacks.
  • Anonymize our Control Panel access point to conceal our control panel from one-size-fits-all DDOS and brute force attacks.
  • Install ExpressionEngine on a vagrant/homestead server with our own naming conventions on a Mac operating system.
  • Secure ExpressionEngine from unwanted attacks before the code ever hits a live server.

Before you begin

This tutorial will be working on vagrant/homestead with a working local url. You will need a local URL that works and has access to a LAMP stack (php, database - same as what WordPress needs.) We will be working from a custom directory structure designed to conceal some components below the document root, while masking access points. This prevents the need to secure ExpressionEngine further down the line when more may be at stake, and mistakes or missteps become expensive. Keep in mind that this process can be done according to your custom naming conventions.

Here is our initial project directory structure:

project directory example
Initial project directory structure on mac OS

Easy-to-follow steps:

Download the ExpressionEngine software and place it in the "software" directory. Unzip the software.

Directory image showing unzipped ExpressionEngine software
Directory image showing unzipped ExpressionEngine software

Rename the new directory with the EE software "public" (or "docs" or "web" or anything else your ultimate host may prefer for your document root. You can change this later.)

Directory instructional image - Install ExpressionEngine
Renamed directory "ExpressionEngine6.0.6" to "public"

Next, drag and drop "public" from "software" into "deploy":

Directory instructional image - Install ExpressionEngine
"public" directory shown inside "deploy"

Your local URL (here, http://www.eetest.loc) should be mapped to your local environment's "public" directory in its place here, so double-check now that you have paths exactly right. It will reflect something like:

For Homebrew or native mac:


For vagrant/homestead:


Note: Your version control will ultimately sit in "deploy" - you will have an easier time pushing your code live matching your host's naming convention for the document root directory name, e.g. "public".

Next, drag "system" out of public and into "deploy", one level back.

Directory instructional image - Install ExpressionEngine
"system" directory in new position as sibling to "public"

Next, rename "system" anything you want. Here, we are using "ee-admin":

Directory instructional image - Install ExpressionEngine
"system" directory renamed to ee-admin, and as sibling to "public".

Next, open "index.php" and "admin.php" in "public", and make the following change near the top of each document, reflecting your personal choice of naming and the new position of the directory formerly named "system":

Old, default "./system" setting
New code setting
New "../ee-admin" reflecting the directory's new position and name

Navigate to http://eetest.loc/admin.php

You may see the following error if the above line of code does not match the position and/or spelling of your former "system" directory, and even if you have done everything right up until this point (because you don't have your database set up yet):

Your config file does not appear to be formatted correctly.
Error from partially-installed ExpressionEngine

If all is well, you should see this:

ExpressionEngine database install screen
ExpressionEngine database install screen grab

The last thing we're going to to to secure our ExpressionEngine instance on install is to rename "admin.php" to "manage.php" (or whatever-you-want.php)

Default "admin.php" control panel entry point.
Directory image - install ExpressionEngine
Customized, more secure "manage.php" control panel entry point.

Now go back to the browser and access the same page at your new filename:

Install ExpressionEngine - database screen at custom address
You should get the exact same page at your new URL

It all went well if you have the same screen.

Finish your install

Add your database credentials in this screen. Here's what ours look like in Homestead. We named our database 'eetest', and used the standard "homestead/secret" username/password combo provided by this easy to set up local environment.

ExpressonEngine database credentials in vagrant/homestead
ExpressonEngine database credentials in vagrant/homestead

Default theme - this is for member management. We skip it:

Install default theme, ExpressionEngine - unchecked
We skip installing the default theme

The next fields ask you for username and password for yourself, the new Super Admin. Add these, and agree to terms. If all goes well, you should see this screen:

ExpressionEngine login screen
Control Panel login screen

And the front-end will look like this:

Front-end of newly installed ExpressionEngine
ExpressionEngine, freshly installed home page

You're done!

Time to log in and create some fields and channels to proceed with your project.

What we did:

  • We hid ExpressionEngine below the document root so that it can run our website without being browsed or found by any entity that arrives at our website.
  • We masked our Control Panel access by changing "admin.php" to something that doesn't exist in documentation but is easily remembered by us.
  • We installed ExpressionEngine locally putting our custom naming conventions first, in a way that will publish to a server securely.

Keep in mind:

  • When setting up version control, set it up in "deploy" so that it can track both EE software and changes to the "public" directory.
  • If "public" doesn't match your chosen host's conventions, it may be easier to change your code to match your host in your code structure - just remember to change your local environment settings (Homestead.yaml in vagrant/homestead)
  • Your live server will have a different database setup. You may also want to add preferences for local, staging, and production environments that don't have to be the same, yet are governed by the same files. This instance isn't ready to be published without a multi-environment database and config set-up. This is an extra step that will have to happen before you publish to a server.

Further reading:

comments powered by Disqus