Sunday Aug 01

Security Tip

One challenge in Joomla! is to make sure that configuration.php is secure.
After the standard Joomla! installation, the configuration.php file is located in the public_html directory, which gives potential attackers direct Internet access to it. Many user and developer organizations, including Apache.org and Joomla.org, recommend moving such files to a location outside public_html.

The following procedure ensures that configuration.php, perhaps the most confidential file of any Joomla! site, is moved out of the public_html directory.

This method protects configuration.php even if the Web server is misconfigured and somehow delivers the contents of PHP files instead of executing them. The file left in public_html then shows only a require statement, so nobody can see the content of the real configuration file.

This is how you do it:

A. Move configuration.php to a safe directory outside of public_html and rename it to something else. For this example we will use the /jcfg directory and rename configuration.php to jconfig.conf.

B. Create a new configuration.php file in public_html containing only the following code:
<?php
require( '/jcfg/jconfig.conf' );


Make sure that there is nothing else in the file; in particular, ensure that there is no "?>" tag at the end of the file.
Set the permissions of the new file to "444" ("r--r--r--"): read-only access for owner, group, and world. This will protect the file from being accidentally overwritten by Joomla!.
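The steps above as a shell script, with a check that the resulting stub is what the procedure asks for. This is an added example, not part of the original tip: the function names relocate_config, check_stub and demo are made up for illustration, and the demo runs against a constructed throwaway directory rather than a real site.

```shell
#!/bin/sh
# Added example, not from the original tip. Steps A and B plus the chmod.

# relocate_config DOCROOT CONFDIR: move DOCROOT/configuration.php to
# CONFDIR/jconfig.conf and leave a read-only two-line stub behind.
relocate_config() {
    [ -f "$1/configuration.php" ] && [ -d "$2" ] || return 1
    docroot=$(cd "$1" && pwd -P) && confdir=$(cd "$2" && pwd -P) || return 1
    # A target inside the web root would still be reachable over HTTP.
    case "$confdir/" in "$docroot/"*) echo "target is inside web root" >&2; return 1 ;; esac
    mv "$docroot/configuration.php" "$confdir/jconfig.conf" || return 1
    # Opening tag and require only; deliberately no closing "?>" tag.
    printf "<?php\nrequire( '%s/jconfig.conf' );\n" "$confdir" \
        > "$docroot/configuration.php" || return 1
    chmod 444 "$docroot/configuration.php"
}

# check_stub DOCROOT: succeed only if the stub is exactly the two lines,
# has no "?>", is mode 444, and the file it requires exists.
check_stub() {
    f=$1/configuration.php
    [ "$(wc -l < "$f" | tr -d ' ')" -eq 2 ] || return 1
    [ "$(sed -n 1p "$f")" = '<?php' ] || return 1
    target=$(sed -n "2s/^require( '\(\/.*\)' );\$/\1/p" "$f")
    [ -n "$target" ] && [ -f "$target" ] || return 1
    if grep -q '?>' "$f"; then return 1; fi
    [ "$(ls -l "$f" | cut -c1-10)" = '-r--r--r--' ]
}

# Demo on constructed data: a throwaway site with a fake configuration.php.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/public_html" "$tmp/jcfg"
    printf '<?php\nclass JConfig { public $password = "constructed-sample"; }\n' \
        > "$tmp/public_html/configuration.php"
    relocate_config "$tmp/public_html" "$tmp/jcfg" && check_stub "$tmp/public_html"
    rc=$?
    cat "$tmp/public_html/configuration.php"
    rm -rf "$tmp"
    return $rc
}
demo
```

On a real site the moved jconfig.conf must stay readable by the account PHP runs as, otherwise the require in the stub fails.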

The drawback of this method is that you cannot modify the Joomla! configuration from the administrator's back-end; you need to do it by editing the jconfig.conf file.
