ExpressionEngine 2.10.1 User Guide

Post-Installation Best Practices

ExpressionEngine’s first party files and directories in the system folder on a properly configured server are typically safe from direct HTTP access. However, for increased security in various environments, we recommend that the system folder either be renamed or moved entirely above the public site folder (commonly named public_html or referred to as simply “webroot”) and that admin.php be renamed as well.

Renaming the System Directory

This is a simple procedure that makes the location of your system folder harder to guess.

  1. FTP to your server and change the name of the system folder to something else that is not easily guessed. For example, let’s say you’ve renamed it to dazzle.
  2. Open index.php and admin.php (both found in your site’s root) and update the name of the system directory in both files:
$system_path = './dazzle';

Note

There may also be some areas in the Control Panel where you will need to update the server path. For example:

  • Design ‣ Templates ‣ Global Preferences
  • Content ‣ Files ‣ File Upload Preferences

Moving the System Directory Above Webroot

This is a more advanced procedure that provides even better security, but is not supported in all environments.

  1. FTP to your server and move the entire system folder above webroot, but still within your user’s account folder.
  2. Open index.php and admin.php (both found in your site’s root) and update the relative path to the system directory in both files. Here’s an example:

Before

Your folder structure looked like...

.
└── public_html
    ├── admin.php
    ├── index.php
    ├── images
    ├── system
    └── themes

... with index.php and admin.php having:

$system_path = './system';

After

Now your folder structure looks like...

.
├── public_html
│   ├── admin.php
│   ├── index.php
│   ├── images
│   └── themes
└── system

... so index.php and admin.php now have:

$system_path = '../system';

Note the extra period, indicating that the system folder is now one level up, above webroot where it cannot be directly accessed from a web browser.

Note

There may also be some areas in the Control Panel where you will need to update the server path. For example:

  • Design ‣ Templates ‣ Global Preferences
  • Content ‣ Files ‣ File Upload Preferences

Renaming admin.php

In the same way that we’ve renamed the system folder (or moved it above webroot entirely) it is recommended that you rename admin.php to something less obvious as well.

  1. FTP to your server and change the name of the admin.php file to something else that is not easily guessed. For example, let’s say you’ve renamed it to razzle.php.
  2. Open system/expressionengine/config/config.php (or whatever you have renamed the system folder to) and update the URL to the admin.php file:
$config['cp_url'] = "http://example.com/razzle.php";
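As an added example (not from the ExpressionEngine docs), the following POSIX shell script carries out the "move above webroot" and "rename admin.php" steps on a constructed copy of the Before tree, rewriting $system_path and $config['cp_url'] as described above and then checking that the new relative path still resolves from the webroot. The example.com URL, the razzle.php name and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the ExpressionEngine docs: performs the "move
# system above webroot" and "rename admin.php" steps on a constructed
# sample tree, rewriting $system_path and $config['cp_url'] exactly as
# the guide describes. Site URL and file names here are assumptions.
set -eu

# Build the "Before" tree in $1 so the script runs offline against a copy.
make_sample_site() {
  mkdir -p "$1/public_html/system/expressionengine/config" "$1/public_html/themes"
  printf '%s\n' '<?php' "\$system_path = './system';" > "$1/public_html/index.php"
  cp "$1/public_html/index.php" "$1/public_html/admin.php"
  printf '%s\n' '<?php' "\$config['cp_url'] = \"http://example.com/admin.php\";" \
    > "$1/public_html/system/expressionengine/config/config.php"
}

# Move system one level above webroot and point both bootstrap files at it.
# Refuses to run if the target already exists, so a re-run cannot clobber it.
move_system_above_webroot() {
  webroot=$1; parent=$(dirname "$webroot")
  [ -d "$webroot/system" ] || { echo "no system folder in $webroot" >&2; return 1; }
  [ ! -e "$parent/system" ] || { echo "$parent/system already exists" >&2; return 1; }
  mv "$webroot/system" "$parent/system"
  for f in "$webroot/index.php" "$webroot/admin.php"; do
    # Only the $system_path line changes: './system' becomes '../system'.
    sed -i.bak 's#^\([$]system_path = .\)\./system#\1../system#' "$f" && rm -f "$f.bak"
  done
}

# Rename admin.php to $3 and update cp_url in the (possibly moved) system dir $2.
rename_admin_php() {
  webroot=$1; cfg=$2/expressionengine/config/config.php; newname=$3; site_url=$4
  mv "$webroot/admin.php" "$webroot/$newname"
  sed -i.bak "s#^\([$]config\['cp_url'\] = \).*#\1\"$site_url/$newname\";#" "$cfg" \
    && rm -f "$cfg.bak"
}

# Print the absolute directory a bootstrap file's $system_path resolves to.
resolved_system_path() {
  rel=$(sed -n 's/^[$]system_path = .\(.*\).;$/\1/p' "$1")
  (cd "$(dirname "$1")" && cd "$rel" && pwd -P)
}

# Demo on a throwaway copy; nothing outside the temp directory is touched.
demo_dir=$(mktemp -d)
make_sample_site "$demo_dir"
move_system_above_webroot "$demo_dir/public_html"
rename_admin_php "$demo_dir/public_html" "$demo_dir/system" razzle.php http://example.com
echo "system resolves to: $(resolved_system_path "$demo_dir/public_html/razzle.php")"
```

Run the script against a real site only after adjusting the webroot path in the demo lines; the resolved path it prints is the quickest way to confirm that the extra period in '../system' points where you expect.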

User Contributed Notes

Posted by: Peter Smith on 5 November 2014 11:53am

Just did a fresh install of 2.9.2 and it’ll no longer accept # as a member profile triggering word. :(

Posted by: FiSt on 20 September 2013 2:53pm

So, if you want to completely disable access to EE default member accounts and profiles, just put # as a member keyword trigger.

Posted by: R.K.Foster on 23 May 2012 6:14pm

You might also want to change the “member” keyword trigger that is used to access member accounts and profiles. “member” is the default. Some spam attacks use that triggering word in trying to access an Expression Engine site.

You can change the triggering word here:
Control Panel > Members > Preferences > Profile Triggering Word
