Install ExpressionEngine using its security features right out of the box.
This walkthrough is designed to help first-time users install ExpressionEngine on a local development environment for version control in a process that makes use of built-in security configurations; and remind seasoned users of the steps of completing both of installing and configuring with one effort. Our details may not match yours exactly - we will point out where your details might be different.
We will:
- Hide ExpressionEngine below the document root so that server rules protect it from being browsed or written by the public.
- Anonymize the name of the system directory to better protect it from one-size-fits-all attacks.
- Anonymize our Control Panel access point to conceal our control panel from one-size-fits-all DDOS and brute force attacks.
- Install ExpressionEngine on a vagrant/homestead server with our own naming conventions on a Mac operating system.
- Secure ExpressionEngine from unwanted attacks before the code ever hits a live server.
Before you begin
This tutorial will be working on vagrant/homestead with a working local url. You will need a local URL that works and has access to a LAMP stack (php, database - same as what WordPress needs.) We will be working from a custom directory structure designed to conceal some components below the document root, while masking access points. This prevents the need to secure ExpressionEngine further down the line when more may be at stake, and mistakes or missteps become expensive. Keep in mind that this process can be done according to your custom naming conventions.
Here is our initial project directory structure:
Easy-to-follow steps:
Download the ExpressionEngine software and place it in the "software" directory. Unzip the software.
Rename the new directory with the EE software "public" (or "docs" or "web" or anything else your ultimate host may prefer for your document root. You can change this later.)
Next, drag and drop "public" from "software" into "deploy":
Your local URL (here, http://www.eetest.loc) should be mapped to your local environment's "public" directory in its place here, so double-check now that you have paths exactly right. It will reflect something like:
For Homebrew or native mac:
/Users/you/Code/eetest/deploy/public
For vagrant/homestead:
/home/vagrant/Code/eetest/deploy/public
Note: Your version control will ultimately sit in "deploy" - you will have an easier time pushing your code live matching your host's naming convention for the document root directory name, e.g. "public".
Next, drag "system" out of public and into "deploy", one level back.
Next, rename "system" anything you want. Here, we are using "ee-admin":
Next, open "index.php" and "admin.php" in "public", and make the following change near the top of each document, reflecting your personal choice of naming and the new position of the directory formerly named "system":
Navigate to http://eetest.loc/admin.php
You may see the following error if the above line of code does not match the position and/or spelling of your former "system" directory, and even if you have done everything right up until this point (because you don't have your database set up yet):
If all is well, you should see this:
The last thing we're going to to to secure our ExpressionEngine instance on install is to rename "admin.php" to "manage.php" (or whatever-you-want.php)
Now go back to the browser and access the same page at your new filename:
It all went well if you have the same screen.
Finish your install
Add your database credentials in this screen. Here's what ours look like in Homestead. We named our database 'eetest', and used the standard "homestead/secret" username/password combo provided by this easy to set up local environment.
Default theme - this is for member management. We skip it:
The next fields ask you for username and password for yourself, the new Super Admin. Add these, and agree to terms. If all goes well, you should see this screen:
And the front-end will look like this:
You're done!
Time to log in and create some fields and channels to proceed with your project.
What we did:
- We hid ExpressionEngine below the document root so that it can run our website without being browsed or found by any entity that arrives at our website.
- We masked our Control Panel access by changing "admin.php" to something that doesn't exist in documentation but is easily remembered by us.
- We installed ExpressionEngine locally putting our custom naming conventions first, in a way that will publish to a server securely.
Keep in mind:
- When setting up version control, set it up in "deploy" so that it can track both EE software and changes to the "public" directory.
- If "public" doesn't match your chosen host's conventions, it may be easier to change your code to match your host in your code structure - just remember to change your local environment settings (Homestead.yaml in vagrant/homestead)
- Your live server will have a different database setup. You may also want to add preferences for local, staging, and production environments that don't have to be the same, yet are governed by the same files. This instance isn't ready to be published without a multi-environment database and config set-up. This is an extra step that will have to happen before you publish to a server.
Further reading:
- Installing ExpressionEngine - https://docs.expressionengine....
- Setting up vagrant/homestead - https://laravel.com/docs/8.x/h...