OneThird CMS

Lightweight CMS for Small website, Web application framework.

Download Document


About Security

OneThird is the information for use CMS safely

For OneThird CMS operational style also together please refer

Removal of login Javascript (important)

In public page, such as the home page at option1 of Site settings

Hide the system menu with (Hide System Menu)

Hide the login function (Hide the login function) Please uncheck the

This is because it is designed to be able to log in from all pages by default in OneThird CMS

If you do not do this, not only would unnecessary javascript is incorporated in the public page

The following login plug-in change of login URL by rewriting to see the login URL of the source code can be carried out will be the Barre

Change the login URL with login plug-in rewriting

Just rewrite the login plug-in and rewrite the login URL, it will be able to protect in advance from attack

How easy, please add the following line to the plug-in file (/files/1/plugin/plugin.php)

$plugin_ar[ LOGIN_ID ] = array( // 

  'Selector' => "Login000000"   ← sufficient complexity name

, 'php' => "login"

, 'page_renderer' => "login_page"

, 'url' => true


When's the above example, the login URL is


It becomes

Login ID by shared SSL, password encryption

Only when you log in, use a shared SSL, after the login is a method to perform a normal http communication

This way, over the network ID of the non-encrypted state, it is possible to prevent the flow of passwords

Please write the URL of a shared SSL to config.php of site_ssl


$config['site_url'] = "";

$config['site_ssl'] = "";

All access to the site management screen I want to via https

All at the time of site management is a method to switch to HTTPS communication

You can use both even shared SSL even dedicated SSL

Basic - on checking the "management screen to communicate with all HTTPS (required site_ssl setting)" option 4

Please change the config.php in the following manner


if ($_SERVER["SERVER_NAME"]=="") {
	$config['site_url'] = "";
	$config['site_ssl'] = "";
	$config['files_url'] = "";
	$config['canonical'] = "";
} else {
	$config['site_url'] = "";
	$config['site_ssl'] = "";
	$config['files_url'] = "";

And improved security by IP restriction

Access control panel class installation folder / admin

It is designed to focus on

You can suppress the third party login of a malicious Applying the IP limit to this folder

For IP restrictions at the time of installation

In OneThird CMS, we will not allow the installation of SQLite

If you are installing in SQLite is, because you can one-click install without a password of DB, (Although it is a very small probability) that the user name and a password there is a possibility that is set to a third party

Quite the case of a new URL, there is no problem because there is no access, in the case of re-installation associated with the renewal, it will become in its own way of probability

Therefore, in the OneThrid, in the installation screen, and it is designed to block the access of other than from the PC you have access to the beginning (IP restrictions by .htaccess)

If the installation did not go well, please install delete the .htaccess

If, in the case of interruption is installed by access by any chance a third party will be recorded IP address to .htaccess so please back up without immediately deleted because just in case

About template deployment

In a page, you can template deployment When Komu put the template tag, but you can disable this

to config.php, $config ['disable_expand'] = true; (it is commented out by default) Please add

Google Website Translator - Google Translate