Securing ExpressionEngine (EE) tips and tricks

Securing ExpressionEngine (EE) tips and tricks

CodeIgniter and ExpressionEngine are proving to be popular platforms with the MVC crowd. Ethan Thomas of Green Egg Media tells us a bit about the do’s and don’ts of securing ExpressionEngine installations. Image courtesy Matthew Pennell, via flickr.


ExpressionEngine is one of the advanced web design and development tools that you can use today. With ExpressionEngine, creating highly sophisticated websites with intricate details is possible. So now you have a highly complex yet user-friendly ExpressionEngine e-commerce site for your business. But how safe is it for monetary transactions? Will your customers’ financial information and demographic information be safe on your site?

Security is one of the most important things you should consider when designing an ExpressionEngine e-commerce site for a business. In this article, we will focus on what you should do to secure your ExpressionEngine website. The idea is to make sure that your website is secure and also efficient.

Importance of Security and Performance

Security and performance are the two pillars that keep your e-commerce site running. The performance of your site also affects your bottom line directly, because poor performance or security means reduced sales.  If your e-commerce site fails to perform – if it keeps displaying errors, or is slow or is not supported by proper code, then it will not be able to retain customers for as long as needed. At the same time, if the customer is warned about security issues on your site, which their anti-virus/spyware software is likely to do, they are not coming back to your e-commerce site ever, forget shopping through it.

Security and performance are the two things that every designer should keep in mind at every stage of web design and development process. The faster your page loads, the more page views and registrations your site will get.

SSL Security SSL Security

The first thing to do to secure your ExpressionEngine website is to get an SSL certificate. Also, having a dedicated IP address for your website will ensure that the HTTP connections are secured by validating the certificate before the user can access your site. That will tell your users that the website is certified and safe to use.

Firewalls and Security Updates

One of the most important things is to use a firewall to prevent unauthorized access. Enable the firewall and also make sure that your EE is up to date. This may be a tedious process, but in any case, should be done to secure the website. In addition to that, ensure that the PHP and add-ons are also up to date.

Permissions of the Site

Another way to secure your website is to limit file permissions. The ideal approach to this is to prevent access to everyone but the owners, which means you. This can be tricky as file permissions are usually necessary for certain plug-ins and permissions denied can affect the performance of the site. Read up on the EE best security practices and also learn about how to properly configure ExpressionEngine permission and ownership for best results.

Administrator Access

Admin AccessIntrusions and unauthorized changes to the ExpressionEngine website are made possible when the miscreant gains administrator access. Keeping the address to admin pages disguised or hidden can be a great way keep out unwanted users from getting their hands on the website controls. The address you choose for your admin control pages should not be something which is easy to guess. Create an uncommon address and also keep changing it from time to time, to thwart attempts of unauthorized access.

Changes Must be Handled Carefully

Whether you have an informative site or an e-commerce site, you need to make sure that it is updated every now and then. This means that your e-commerce site has to be equipped with new plug-ins, themes and extensions that can pave way for loopholes that a hacker can take advantage of. When you make any kind of changes to the website code, care should be taken not to disturb the security measures in place.

To prevent any unauthorized access, it is best to make the changes and test them in the developmental environment and see if it gives way to any vulnerabilities. Based on that, you can make the necessary modifications or precautions when updating the live site. It is also recommended that you backup and save all your files before you make any kind of changes, significant or not, to the website.

Create a password policy

Now everyone knows how important it is to create passwords that cannot easily be guessed. Nevertheless, you should have your own password policy in place, recommending your users to create strong passwords. Ensure that your password policy highlights the following points:

  • The password created should not be a common one, for instance, it should not be your name or the name of  your family members, date of birth, car registration numbers or telephone numbers.
  • Establish complex requirements for creating a password. For instance, the passwords created by your users should have a capitalized letter, a number and a special character, and it should be of a minimum length of 8 characters or so.
  • Make it a rule to change password at regular intervals
  • Prevent users from recycling or using old passwords repeatedly
  • Protect the system folder

Protecting the path to the system folder of your ExpressionEngine site is yet another way to prevent unauthorized access. The system folder, which contains detailed and sensitive information about your site, is the hub and cannot be compromised. Once this file is in the hands of miscreants, your ExpressionEngine site is in danger.

CAPTCHAs to Complete a Process

Want to prevent unauthorized transactions from unwary customers’ accounts? Add CAPTCHAs for validating each and every transaction that takes place on our expression engine site. That way, automated transactions will be prevented. Another option is to make an OTP or a one-time password necessary for every monetary transaction that takes place on your ExpressionEngine site.

That way, even if someone hacks into your customers’ account, they will not be able to complete the unauthorized transactions successfully. Also, ensure that the customers contact information is always up to date so that the OTP and other codes that your customers need are sent to them only.