10 Tips for Securing Your Movable Type Installation

| 10 Comments | No TrackBacks |
After the recent hacking of PBS.org (most likely caused by a 0day exploit in an older version of Movable Type 4), it is probably a good idea to review the security of your Movable Type installation.  To help you, we compiled this list of ten security tips, with help from the engineers at Six Apart Japan.
1 Always run the latest version

This can't be stressed enough.  There aren't that many obligatory security upgrades released for Movable Type, but when they come out, do install them.  Hackers often compare updated versions of a piece of software with the previous version to spot the vulnerabilities that were fixed so they can exploit them. Stay ahead of them and update as soon as you can when a new version comes out!

2 Rename the admin script

What good is an exploit that targets the admin backend of Movable Type if the hacker can't find it?  Simply rename mt.cgi to something else ending in .cgi and then put an AdminScript directive in your Movable Type configuration file (mt-config.cgi) telling Movable Type where the admin script now lives.  Example: if you renamed your script to hackersgoaway.cgi, you should add following line to mt-config.cgi

AdminScript hackersgoaway.cgi

3. Completely hide the admin script from public access

If you run Movable Type on a webserver that you fully control, you can configure it so that the admin script is only accessible from a certain IP address or using an (extra) password using Basic Authentication, or only coming from your intranet...  If you are running an apache webserver, have a look at this: http://httpd.apache.org/docs/2.0/howto/auth.html

4. Use SSL

If you can, use SSL to connect to your admin script (and other scripts).
This will stop any hacker snooping for login information on (for example) an insecure wireless network connection.

5. Don't allow script execution in the folders where you publish your blog or website
If you are not using dynamic publishing, configure your web server not to execute any scripts in your content directory. This will prevent someone from publishing a working "hack.php" template for example.  

6. Run MT in a staging environment

If you are not using trackbacks, comments or the built-in search script, run MT within your DMZ if you have a firewalled network.  Then set up MT to publish static files to an external server using the built-in sync mechanism (see http://www.movabletype.org/documentation/appendices/config-directives/synctarget.html for more info).  The only thing visible to the outside world will be static files (.html, .css, images...) which are quite hard to hack (if it is at all possible).

7. Limit uploadable/embeddable files

If you are running an installation where the public can sign up for an account, or you don't trust all your users, limit what types of files they can upload or which domains they can embed from using following directives:

8. Disable commenter registration

Movable Type allows you to let commenters create an account on your installation so they can have a user profile, avatar etc.  If you don't need these functions, or you are happy with anonymous commenters or commenters that authenticate via OpenID, Facebook... you can switch off user registration entirely under Settings > Registration for your blog.  On the same screen you can allow a whole host of alternative authentication options.  This way, you get the benefit of letting your commenters have a fixed identity, without giving them a way to upload/post anything to your system other than comments.

9. Stick to trusted plugins

Don't just install any plugin you find on the internet.  They might contain malicious code or be written in a way that renders your installation vulnerable to hacking.  If you absolutely need the functionality provided by a plugin, make sure it comes from a reputable source and has been around for a long time so that most bugs have had time to be found and fixed.

10. Have a difficult to guess password

Obvious reallly, but many people still get stung by this one.  Also, don't reuse passwords you use elsewhere on the web: if one of these other places has their password list exposed, your site is now vulnerable too.

No TrackBacks

TrackBack URL: http://www.movabletips.com/cgi-bin/mt/mt-tb.cgi/1595


I visited multiple web pages however the audio quality for audio songs existing at this site is actually marvelous.

Hi Tube,
I think you should contact for designer who know on how to design beautifull website for mobile version. Hope help for u!

Hi there i am kavin, its my first occasion to commenting anywhere, when i
read this article i thought i could also make
comment due to this good article.

Hi there i am kavin, its my first occasion to commenting anywhere, when i
read this article i thought i could also make
comment due to this good article.

Pretty part of content. I just stumbled upon
your web site and in accession capital to assert that I
get actually enjoyed account your blog posts.
Anyway I will be subscribing in your feeds or even I success
you get entry to constantly rapidly.

Hello there I am so excited I found your webpage, I really found you
by accident, while I was browsing on Askjeeve for something else, Anyhow I
am here now and would just like to say many thanks for a
fantastic post and a all round enjoyable blog (I also love the theme/design), I don't have time to look over it all at the minute but I have book-marked it and also added in your RSS
feeds, so when I have time I will be back to read a lot more, Please do keep up the great work.

Aside from these machines, various companies manufacture numerous kinds of engraving equipments such as AKSI
produce the Cobalt series, Versa aser manufacture desktop engravinng machines and Epilog produces the fable Elite Series.
They are scaleable, which means that you can print them and
read them in changeable levels of magnification - only limited
by the resolution of the accessible printing andd imaging
methods. All you just need to click on mouse and fulfill any kind of work quite easily and efficiently.
machine, which aare a controller, a surface, and the laser.
You could choose too specialize in custom engraving on any of these materials.

One can have an engraved corporate sign displaying a logo and the company name but it
should be professionally designed.

Are the eyes of the people yoou lead "shining" or are
they simply accepting what you have to say. Methods - You might also
want to find out about the different methods and program
inclusions that are offered and see how they fit
with your overall expectations. 'In addition to their size, the strength, their athleticism and their flexibility, I also look at the intangible,
' Klenakis said. In a recent group counseling session, the group made a tremendous discovery.
Take a negative belief, situation, etc and try and look at it from another point of view.

What's interesting, but not surprising, is that the
vast majority of those who do the exercise comment on how it forced them to think about what they wanted in their
next job. Coaching needed by school going
students and they use Internet to search for reliable tuition centers.

In overcoming road blocks, you will reach a high level of
satisfaction, self-awareness, self-confidence and happiness in life.

However, people are still getting sick and being hospitalized.
The important thing to remember about your reading specialist
resume is that you want to show how qualified you are as a teacher, your work ethic,
and why you stand out from the crowd of applications districts will receive.

With good coaching, development can be observed through an individual's performance, department performance, and overall
company success.

I'm also cautious when I hear comments that some particular
treatment or philosophy has no merit for anyone. Even in cricket, one could not be successful in all types of abilities like one could be expert in fielding, other in batting, another in bowling(that
too could be fast or spin etc. See if there are ways to improve your job search and apply them for the future.
' Evaluayes outcomes usibg objective measures wherever
possible to ensure thee relationship is successful and tthe client iss achieving
their goals. Whenever you are uncomfortable, irritated, angry,
depressed, watch youu breathing pattern, it’s shnallow breathing.
Why choose a healthcare staffing agency when looking for
a job.

Leave a comment

Movable Type Help?

"Can my Movable Type issue or project be taken care of by a professional?" Yes It Can Be! Contact YesItCan.be
Powered by Movable Type 5.2.7