The developers of Textpattern take system security very seriously. Let us try to put your mind at relative ease.
- Security statement
- Do your part for good security
- To modify or not modify the core for added security
- If you suspect your site has been hacked
Developers regularly audit the source code for potential ‘holes’ that people might try to exploit. Textpattern can proudly claim that for many years, no such holes in core have been reported and confirmed.
There have been, however, occasional reports of hacked Textpattern sites, but the problem usually traces to security holes in other applications (or in the web server itself), which were exploited and used to take control of the Textpattern administrator’s account. This is important to understand, because while Textpattern itself is quite secure, you can still make it vulnerable by using other technology in relation that is not as secure. There is nothing Textpattern developers can do to defend against security holes in other applications.
Do your part for good security
Textpattern developers do their part to keep core code as secure as they can. It is up to you to do the rest. There are several things you can and should do to help keep your website secure.
With regard to Textpattern installation:
- Update your installation to the latest stable release version whenever new releases are available.
- Check the Diagnostics panel for security warnings.
- Visit the Admin>Preferences panel (then the Admin subpanel) and alter both the File directory path and Temporary directory path to reference locations outside of your website’s docroot.
- Turn off the Allow PHP in article/pages settings (found in Admin>Preferences, on the Publish subpanel), unless you’re actively using those features.
- In the Admin>Preferences (Advanced options subpanel, which is hidden by default so you need to vist the Admin subpanel first and enable it) set the Number of extra parser sweeps to 0. If you find pages or plugins that don’t work as well, restore it to 1 and please notify us of any issues so we can try and address them in future versions.
- Ensure you use a very strong password for all accounts.
- Only create Textpattern user accounts for people who require them, and ensure their access level is set to only the functionality they require. Don’t just create admin-level accounts because it is easier! Each one is a potential avenue of attack if a password is compromised.
With regard to Textpattern plugins:
- Ensure you enable .htaccess security in the /path/to/your-site/textpattern/plugins directory. Textpattern ships with an .htaccess-dist file in this directory, so at the very least rename it. If you’re using Nginx or another flavour of web server, take a similar approach and clamp down read/write/execute permissions and ownership to that directory as tight as you can. This prevents plugin code from being accessed and executed directly.
- Consider moving the plugins directory outside of your website’s docroot. To do this, move the entire copntent of the plugins directory to the new location and edit your config.php file, adding a line:
- If you’re using the Plugin cache directory path (Admin>Preferences, on the Admin subpanel) then consider moving it outside of your website’s publicly-accessible docroot. This prevents development code from being executed directly. If this location is within your website’s docroot, enable an .htaccess file (or your chosen web server equivalent) to limit access permissions to the directory.
- Regularly verify the plugins you’ve uploaded and turned on are the latest versions.1
- Remove plugins you have turned off and don’t rely on anymore (you can always reinstall them if ever needed again).
With respect to other third-party software integrations:
- If you’re using other PHP or CGI applications, like a photo gallery or form mail application, make sure they are maintained and up to date.2
- Don’t leave test code or unused PHP/CGI applications on your server.
With regard to your web host or web server:
- Pay attention to security announcements from your hosting provider or server admin. Likewise, if you find your host is slow to update its provided software, contact the host admins and remind them to do it.
- If you maintain your own web server, keep it updated with security patches (if you maintain your own server, you should know that already).
Core developers have no control over the quality or security of community plugins, third-party add-ons, or modifications you might make to the core system. It’s up to you to evaluate the security of third-party code, and to make smart judgement calls about code modification.
To modify or not modify the core for added security
Textpattern developers, current and past, tell us (e.g. here, here and here) that a default installation of Textpattern is sufficiently secure for most needs. Thus changing the location of the admin login (i.e. renaming the configuration directory), or masking the identity of your Textpattern install is unwarranted, especially if your login details were wisely chosen and you follow all of the security precautions listed above.3 An exception might be if you use Textpattern in a business setting that requires something like SSL authentication, which is out of scope for this documentation.
If you suspect your site has been hacked
If you ever suspect there’s a security problem in Textpattern, do not publish any sensitive information about it. Report the security incident to core developers immediately and give them a chance to respond to the issue.
Tip: Subscribe to all the plugin author support threads for the plugins you use so you’re informed when new versions are released. This is subject to the plugin authors making announcements in those threads, of course, so not a guarantee you will be notified, but better than nothing. ↩
Odds are better that centralized platforms like Disqus, Twitter, Google Maps, and so on are safer to integrate than dubious scripts you might find on the internet. On the other hand, centralized platforms are all about tracking and exploiting you and your data for profit. Not to mention their scripts slow your site down. ↩
Contrary to masking your site’s identity, core developers appreciate when you proudly - yet subtly - declare your choice for Textpattern by using this meta tag in the
headsection of your page templates:
<meta name="generator" content="Textpattern CMS" />. ↩