Skip to main content

Securing your new website

Essential

There are several things you MUST do to secure your new website. Please note that your site is NOT secure until you make these changes:

  • Set the file permissions for mainfile.php to 0400 (read access by the owner, only) so that it can't be modified. You may need to set this using the file manager in cPanel or via an SSH console. FTP clients may limit you to 0644.
  • Set the file permissions for trust_path/configuration/config.php to 0400 (read access by the owner, only).
  • Set the file permissions for the trust_path/database/yourdatabasefile.db to 0600 (read-write access by the owner, only). Again, you may need to set this using the file manager in cPanel or via an SSH console due to limitations on FTP clients.
  • Delete the installation folder to prevent anyone from reinstalling your your site.
  • Make a backup of the entire file structure, including the trust_path, which contains your database. A backup is the only real defence you have against something going wrong. You don't own a website until you have made a backup, stored offline!

Access to SQLite databases is controlled solely by file permissions; anyone that gets a copy of the database can read it. It is therefore critical that you set the permissions on your database file correctly. You may need to set this permission using the file manager in cPanel or via SSH, if your FTP client can’t do it.

Optional: SSL (strongly recommended)

These days it is more or less essential to encrypt connections to your site with an SSL certificate (https://). If you don’t, then your login credentials are easily captured by an evesdropper and you are also at risk of session hijacking. Fortunately, setting up SSL has recently become very easy to do and free using the Let's Encrypt facility in cPanel.

Once you have installed an SSL certificate you need to edit the TFISH_URL constant in your mainfile.php as described above, to specify https rather than http. Don't forget to change the permissions back to 0400 when you are finished.

////////////////////////////////////////////////////////////
////////// You must configure the following paths //////////
////////////////////////////////////////////////////////////
define("TFISH_ROOT_PATH", "/home/youraccount/public_html/");
define("TFISH_TRUST_PATH", "/home/youraccount/random_trust_path/");
define("TFISH_URL", "https://yoursite.com/");
////////////////////////////////////////////////////////////
//////////////////// End configuration /////////////////////
////////////////////////////////////////////////////////////

People can still access your site via http, however. So you also need to tell the webserver to force all connections to go over https. This can be done by modifying the .htaccess file in your web root (or creating one if necessary) to include the following lines:

#Force all connections over SSL
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{HTTP_HOST} ^(www\.)?yoursite\.com
RewriteRule ^(.*)$ https://yoursite.com$1 [R,L]

For more information and examples refer to forcing SSL via .htaccess or check the FAQs of your own hosting provider. If you don’t have access to Let’s Encrypt your web hosting company should be able to provide you with documentation on how to install a certificate manually.

Optional: Two factor authentication

Two factor authentication is available with Yubikey hardware tokens in OTP mode. Webauthn is in the works.

Copyright, all rights reserved.

Related

Tuskfish CMS User Manual

The user manual provides a comprehensive guide to Tuskfish CMS operations. It covers all all aspects from installation to adding and curating content, managing site security and customisation of themes. For additional information on how to customise Tuskfish please see the developer guide.