OneThird CMS

Lightweight CMS for small websites and a web application framework.


About Security

This page provides information for using OneThird CMS safely.

Please also refer to the OneThird CMS operational style page.


Removing the login JavaScript (important)

On public pages such as the home page, go to option1 of Site settings and uncheck the following:

Hide the system menu (Hide System Menu)

Hide the login function (Hide the login function)

This is because OneThird CMS is designed by default to allow login from every page.

If you do not do this, not only is unnecessary JavaScript included in public pages,

but the login URL, even after it has been changed by rewriting the login plug-in as described below, will be revealed to anyone who views the page source.



Changing the login URL by rewriting the login plug-in

Simply by rewriting the login plug-in to change the login URL, you can protect the site from attacks in advance.

The method is simple: add the following lines to the plug-in file (/files/1/plugin/plugin.php).


$plugin_ar[ LOGIN_ID ] = array(
  'selector' => "login000000"   // use a sufficiently complex name
, 'php' => "login"
, 'page_renderer' => "login_page"
, 'url' => true
);


With the above example, the login URL becomes

http://(site URL)/login000000
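One way to check that a public page no longer exposes the changed login URL, as an added example that is not part of OneThird CMS. The function name audit_public_page, the sample pages and the host example.test are assumptions made for illustration; in practice the HTML would be a saved copy of your own public page.

```python
from html.parser import HTMLParser

class _Collector(HTMLParser):  # gathers attributes, inline scripts, password inputs
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.attrs = []            # (tag, attribute, value)
        self.script_text = []      # inline <script> bodies
        self.password_inputs = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = [(k, v or "") for k, v in attrs]
        self.attrs.extend((tag, k, v) for k, v in attrs)
        if tag == "script":
            self._in_script = True
        if tag == "input" and dict(attrs).get("type", "").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)

def audit_public_page(html, selector):
    """Return findings showing where a public page exposes the login selector."""
    c = _Collector()
    c.feed(html)
    c.close()
    needle = selector.lower()
    findings = []
    for tag, attr, value in c.attrs:
        if needle in value.lower():
            findings.append(f"selector in <{tag} {attr}>: {value}")
    if needle in "".join(c.script_text).lower():
        findings.append("selector in inline script")
    if c.password_inputs:
        findings.append(f"{c.password_inputs} password input(s) on a public page")
    return findings

# Constructed sample pages (not real OneThird output); example.test is a placeholder.
LEAKY = """<html><body><h1>Home</h1>
<script>var login_url = "http://example.test/login000000";</script>
<a href="/Login000000">admin</a></body></html>"""
CLEAN = "<html><body><h1>Home</h1><a href='/about'>About</a></body></html>"
if __name__ == "__main__":
    for name, page in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, audit_public_page(page, "login000000") or "no leak found")
```

An empty result for every public page means the selector does not appear in the served HTML.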


Encrypting the login ID and password with shared SSL

This method uses shared SSL only at login and returns to normal HTTP communication after login.

This prevents the ID and password from travelling over the network unencrypted.

Set the shared SSL URL in site_ssl in config.php.

Example:

$config['site_url'] = "http://onethird.net/";

$config['site_ssl'] = "https://x-sys.net/onethird/";



Sending all access to the site management screen over HTTPS

This method switches to HTTPS communication for all site management operations.

It works with both shared SSL and dedicated SSL.

After checking "management screen to communicate with all HTTPS (required site_ssl setting)" under Basic - option 4,

change config.php in the following manner.

Example:

if ($_SERVER["SERVER_NAME"]=="x-sys.net") {
	$config['site_url'] = "https://x-sys.net/onethird/";
	$config['site_ssl'] = "https://x-sys.net/onethird/";
	$config['files_url'] = "https://x-sys.net/onethird/files/";
	$config['site']['cookie_path']='/onethird/';
	$config['canonical'] = "http://onethird.net/";
} else {
	$config['site_url'] = "http://onethird.net/";
	$config['site_ssl'] = "https://x-sys.net/onethird/";
	$config['files_url'] = "http://onethird.net/files/";
	$config['site']['cookie_path']='/';
}
   


Improving security with IP restrictions

The management-screen classes are designed to be concentrated in the /admin folder under the installation folder.

Applying an IP restriction to this folder lets you suppress logins by malicious third parties.




IP restrictions at installation time

In OneThird CMS, we will not allow the installation of SQLite

When installing with SQLite, one-click installation is possible without a DB password, so there is a possibility (although a very small one) that the user name and password are set by a third party.


For a brand-new URL this is not a problem because there is no access yet, but for a re-installation as part of a renewal the probability becomes considerable.


Therefore, the OneThird installation screen is designed to block access from anything other than the PC that accessed it first (IP restriction by .htaccess).

If the installation did not go well, delete the .htaccess and install again.

If the installation was interrupted because a third party happened to access it, that IP address is recorded in .htaccess, so back the file up rather than deleting it immediately, just in case.



About template expansion

When you embed a template tag in a page, the template is expanded, but you can disable this.

To do so, add $config['disable_expand'] = true; to config.php (it is commented out by default).

