Security
The SyndeoCMS team takes security very seriously. This page is an effort to give a checklist of security issues.
Security can be divided into several parts:
1. The program itself should be secure. We did our very best to create a secure CMS and we monitor this on a continuous basis.
Always use the latest version of SyndeoCMS; it can be found on SourceForge.
2. Several issues need to be addressed at or after the installation of SyndeoCMS:
| What: | Best option | Where to check | More information |
| Content of starnet/install | Delete after installation | Via FTP | See the last step of the installation |
| File permissions (linux) | See here | Use an FTP program like Filezilla or use SSH to go to your site. | See a very good explanation on the Wordpress site |
| File ownership (linux) | media and studentpages should have "apache" user as owner | Use telnet or SSH to go to your site | |
| register_globals in php.ini | should be set to OFF | php.ini or ask provider | run syndeo_check.php |
| allow_url_fopen in php.ini | should be set to OFF | php.ini or ask provider | run syndeo_check.php |
| .htaccess files for media and studentpages directory | See an example here | Will be included in the next SyndeoCMS version. | See a very good explanation on the Wordpress site |
| Error messages from system | Be sure to fill in your email address in the logging tool | See Tools -> Logging -> Configuration | Be sure you investigate error messages, they may indicate hackers trying to access the system. |
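As an added example (not part of SyndeoCMS and not its syndeo_check.php), the shell functions below check a site over SSH against several rows of this table: the leftover install directory, the two php.ini settings, and the owner and .htaccess file of the upload directories. It assumes media and studentpages sit directly under the site root; the function names and the paths in the usage line are illustrative.

```shell
#!/bin/sh
# Added example: audit a SyndeoCMS install against the checklist above.
# Assumptions: media/ and studentpages/ sit directly under the site root,
# and the function names are made up for this sketch.

# Effective value of a php.ini directive: last uncommented assignment wins,
# otherwise the PHP built-in default passed as $3. Output is lower-cased.
ini_value() {  # usage: ini_value FILE DIRECTIVE DEFAULT
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" \
          "$1" 2>/dev/null | tail -n 1 | tr -d "\"'")
    printf '%s\n' "${val:-$3}" | tr '[:upper:]' '[:lower:]'
}

# Prints one FAIL line per finding; returns 0 only when the site is clean.
audit_site() {  # usage: audit_site SITE_ROOT PHP_INI [OWNER, default apache]
    root=$1; ini=$2; want=${3:-apache}; bad=0
    if [ -d "$root/starnet/install" ]; then
        echo "FAIL: starnet/install still present, delete it after installation"; bad=1
    fi
    # name:default pairs. PHP leaves allow_url_fopen on when php.ini is silent.
    for d in register_globals:off allow_url_fopen:on; do
        case $(ini_value "$ini" "${d%%:*}" "${d##*:}") in
            1|on|true|yes) echo "FAIL: ${d%%:*} is on, set it to Off in php.ini"; bad=1 ;;
        esac
    done
    for dir in media studentpages; do
        [ -d "$root/$dir" ] || continue
        owner=$(ls -ld "$root/$dir" | awk '{print $3}')
        if [ "$owner" != "$want" ]; then
            echo "FAIL: $dir is owned by $owner, expected $want"; bad=1
        fi
        if [ ! -f "$root/$dir/.htaccess" ]; then
            echo "FAIL: $dir has no .htaccess file"; bad=1
        fi
    done
    return "$bad"
}

# Run only when called with arguments: ./audit.sh /var/www/site /etc/php.ini
if [ "$#" -ge 2 ]; then audit_site "$@"; fi
```

A commented-out `;allow_url_fopen = Off` line does not count as a setting, so the check reports the directive as on in that case.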
3. Human behaviour.
Don't forget the users of your own site: don't give them more authorizations than needed.
| What | Best option |
| System administrator | Normally only one person (maybe one more as backup) has all the rights in the system; see Configuration -> Users here. |
| Admin users | These users typically have access to pagemanager, filemanager and modules. There is no need to give them access to the configuration settings of the CMS. |
| User names | Try to avoid user names which can be guessed easily, such as "admin" or "system". |
| Passwords | Preferably, passwords have 6 characters or longer and have a mix of numbers and characters. If you can remember it, add a special character like $, #, _ etc. |
| New users | If you create new users, let them change their password at the first login. |
| Allowable file extensions on site | Do not allow users to add file extensions which can be executed, like PHP, ASP, CGI etc., in the "Valid file extensions" table. So the "Working environment" is typically only for System administrators. |
If you have additions or improvements please contact us.
