The website is the face of your business for prospective clients, buyers, and other stakeholders. While forming an opinion by hearsay is a common notion, tech-savvy citizens hop on to the www to find out the virtue, virtually. In one such website scrutiny, if your virtual portfolio fails in terms of security, then your website traffic may face a downfall.

Imagine if your website works at warp speed and has a great google ranking. One fine day, due to a slack in security maintenance procedures, your website crashes. This could result in a loss in a considerable amount of traffic, and if your sales depend on it, then you could have serious trouble on your hands.the security of your ExpressionEngine site we must take care of the following points;

  • Secure Website Permission.
  • Change Administrator Login Web-Address.
  • Manage Access Points Using SSL.
  • Periodic Back-up And Separate Stage Sites.
  • Create A Secure & Strong Password Of Administrator & Database.
  • Change Or Move The System Folder Or Admin URL.
  • Always Use CAPTCHAs To Forms.
  • Remove Unused Add-ons And Applications.

Now, let us discuss these points in detail to understand the implications of each one of them on ExpressionEngine development;

Secure Website Permission

Permissions mostly depend on the Web hosting environment. You must check your web host and appropriate file permissions set on your server. Normally, file permissions are set to 644, and folder permissions are set to 777

It helps improve the security of the ExpressionEngine content management system.

So generally, you need to restrict access to all non-owners.

Change Administrator Login Web-Address

In ExpressionEngine, we have an administrator that can access site settings for the entire website, page content, and other essentials. If those admin controls were to fall in the wrong hands, then it could wreak havoc on your website. To prevent that from happening, it would be ideal to change the URL or web address of the administrator page to something that isn’t easily identified.

For that, we need to rename the admin.php file to one of your choosing, then edit the line shown below in the system/expressionengine/config/config.php file to reflect the new name of the admin.php file.

“ $config[‘cp_url’] = “http://domain.tld/newname.php “

From the above change, we can change our admin URL and make secure our admin side attacks from hackers.

Manage Access Points Using SSL

You can manage your access points via SSH, FTP, SFTP, Control Panel, etc. You may choose according to the vision you have in your mind for your website or its type.

You must use secure methods with SSL for accessing your website or even during modification of its contents. Also, you can ask your Hosting server for an additional security level while accessing site files and other content.

Periodic Back-up And Separate Stage Sites

Backup is one of the best ways to secure your website’s data. You can employ different ways to backup your data, like making a copy of your site periodically on your local computer. You can also ask your server team if there is any mechanism for a periodic automatic backup of the website’s contents, like daily, weekly, or monthly.

Also, you can frequently refer to a “dev site,” this environment is an exact copy of your live site, but changes made to it do not affect your actual website.

Create A Secure & Strong Password Of Administrator & Database

This is a very important step for the security of your site. You must always create a secure and strong password for the administrator, database access, and the control panel.
You must use a combination of capital & small letters and special characters in every password. Then, to make it more secure, you must change the password regularly and never share passwords with any third party users.

Examples Of Secure Passwords



(Try the Nexcess Secure Password Generator for other examples)

Change Or Move The System Folder Or Admin URL

ExpressionEngine’s system path suggests that it is the same for all kinds of setups because it falls under the CMS category. So after every setup, it provides a predefined admin path to every user, which is easily found by hackers and access by anyone.

To prevent this attack we can change the name of the system folder, edit the line below in both the index.php file and admin.php file.

Ex: $system_path = ‘.newsecurename’;

Once this line is edited in both the above files, rename the system folder to reflect the new administrator path URL name.

To improve security, you can try to move the system folder outside the webroot which will make it difficult for malicious sources to reach you.

To move the system folder, edit the line below in both the index.php file and admin.php file, then move the directory to the specified location:

Ex: $system_path = ‘../system’;

The above example moves the system folder up one directory to access administrator URL.

Always Use CAPTCHAs With Forms

CAPTCHA is one of the best ways to secure your site from attacks via forms using SQL injections.

Also, CAPTCHAs offer additional validation to forms to prevent aggressive spamming. Before any user submits the form, they must read and enter a generated code for each of the posts. For now, most of the newer versions of ExpressionEngine include the CAPTCHA feature and require minimal effort to implement.

CAPTCHAs can be implemented on different forms like comment forms, member registration forms, and contact form or tell-a-friend forms. For additional information about implementing CAPTCHAs, you can refer to the EllisLab.

Remove Unused Add-ons And Applications

Always take care of your website and regularly update all add-ons and applications, where ever necessary. Also, remove unnecessary Add-ons and applications from the site to make it a clean code and structure from the administrator.


As an ExpressionEngine developer, these were some basic steps that we must look-after to maintain a secure website. We have discussed some aspects of the ExpressionEngine but these all are general steps to ensure security in a website developed out of any CMS or Technology.

So please check and make sure that your website is secure and increase your visitors multifold.