Security
As of Elgg 3.0 several hardening settings have been added to Elgg. You can enable/disable these settings as you like.
Upgrade protection
The URL of http://your-elgg-site.com/upgrade.php can be protected by a unique token. This will prevent random users from being able to run this file. The token is not needed for logged in site administrators.
Cron protection
The URLs of the cron can be protected by a unique token. This will prevent random users from being able to trigger the cron. The token is not needed when running the cron from the command line of the server.
Disable password autocomplete
Data entered in password fields can be cached by the browser. An attacker who can access the victim’s browser could steal this information. This is especially important if the application is commonly used on shared computers such as cyber cafes or airport terminals. If you disable autocomplete, password management tools can no longer autofill these fields. Support for the autocomplete attribute is browser specific.
Email address change requires password
When a user wishes to change the email address associated with their account, they must also supply their current password.
Email address change requires confirmation
When a user wishes to change the email address associated with their account, they need to confirm the new email address. This is done by sending an email to the new address with a validation link. Only after clicking this link will the new email address be used.
Session bound icons
Entity icons can be session bound by default. This means the generated URLs also contain information about the current session. Having icons session bound makes icon URLs not shareable between sessions. The side effect is that caching of these URLs only helps the active session.
Notification to site administrators
When a new site administrator is added or when a site administrator is removed all the site administrators get a notification about this action.
Notifications to user
Site administrator
When the site administrator role is added to or removed from an account, send a notification to the user whose account is affected.
(Un)ban
When the account of a user gets banned or unbanned, let the affected user know about this action.
Minimal username length
You can configure the minimal length the username should have upon registration of a user.
Minimal password requirements
You can configure several requirements for new passwords of the users:
length: the password should be at least x characters long
lower case: minimal number of lower case (a-z) characters in the password
upper case: minimal number of upper case (A-Z) characters in the password
numbers: minimal number of numeric (0-9) characters in the password
specials: minimal number of special (like !@#$%^&*(), etc.) characters in the password
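As an added illustration (not Elgg's own code), the following stand-alone PHP check applies the five requirements listed above to a candidate password and reports every rule it fails; the $policy array keys and the definition of a special character as anything outside a-z, A-Z and 0-9 are assumptions.

```php
<?php
// Added example: password policy check for the five configurable
// requirements (length, lower case, upper case, numbers, specials).
// Illustrative code only, not Elgg's implementation. Assumptions:
// the $policy keys below, and "special" = any character that is not
// a-z, A-Z or 0-9 (so non-ASCII letters count as special here).
// Requires the mbstring extension for mb_strlen.

/**
 * Return a list of human-readable violations; an empty list means
 * the password satisfies every rule in $policy.
 */
function check_password_policy(string $password, array $policy): array {
    // preg_match_all returns the number of matches; the /u flag makes
    // it count UTF-8 code points rather than bytes.
    $counts = [
        'length'  => mb_strlen($password, 'UTF-8'),
        'lower'   => preg_match_all('/[a-z]/u', $password),
        'upper'   => preg_match_all('/[A-Z]/u', $password),
        'numbers' => preg_match_all('/[0-9]/u', $password),
        'special' => preg_match_all('/[^a-zA-Z0-9]/u', $password),
    ];
    $labels = [
        'length'  => 'characters',
        'lower'   => 'lower case characters',
        'upper'   => 'upper case characters',
        'numbers' => 'numbers',
        'special' => 'special characters',
    ];

    $violations = [];
    foreach ($policy as $rule => $minimum) {
        // A misspelled rule name must not silently disable a requirement.
        if (!isset($counts[$rule])) {
            throw new InvalidArgumentException("Unknown password rule: $rule");
        }
        if ($counts[$rule] < $minimum) {
            $violations[] = sprintf('at least %d %s required, found %d',
                $minimum, $labels[$rule], $counts[$rule]);
        }
    }
    return $violations;
}

// Constructed policy: 8 characters, one of each character class.
$policy = ['length' => 8, 'lower' => 1, 'upper' => 1, 'numbers' => 1, 'special' => 1];

foreach (['password', 'Passw0rd', 'Passw0rd!'] as $candidate) {
    $problems = check_password_policy($candidate, $policy);
    echo $candidate, ': ', $problems ? implode('; ', $problems) : 'OK', PHP_EOL;
}
```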
.htaccess file access hardening
In the .htaccess file a set of file access hardening rules have been added to prevent direct access to files in certain folders. Enabling these rules shouldn’t cause any issues when all the plugins you use follow the Elgg coding guidelines.
Examples of the rules are:
the vendor folder. This folder only contains helper libraries that Elgg uses and there is no need for direct access to this folder. All required dependencies are loaded from within Elgg.
the languages folder. This folder contains the main Elgg language files. These files are loaded from within Elgg.