Securing ExpressionEngine Website

Best Practices To Secure Your ExpressionEngine Website

April 06, 2021Posted By: Cristopher Parmar
ExpressionEngine SecuritySecure PasswordsWebsite Permissions


Your website serves as the public face of your business, leaving a lasting impression on potential clients, customers, and various stakeholders. In a world where people increasingly turn to the internet for information, your online presence carries significant weight. When someone decides to scrutinize your website, its security is a critical factor. If your virtual portfolio falls short in security, it can lead to declining website traffic.

Consider this scenario: Your website operates at lightning speed and enjoys a high Google ranking. However, due to negligence in maintaining security measures, one day, your website crashes. This incident can result in a substantial loss of traffic, which, if your sales rely on it, can pose serious challenges.

To ensure the security of your ExpressionEngine website, it is essential to pay attention to the following key points:

  • Establish Robust Website Permissions.
  • Alter the Web Address for Administrator Login.
  • Employ SSL for Access Point Management.
  • Regularly Back Up Your Site and Maintain Separate Staging Environments.
  • Implement Strong, Secure Passwords for Administrators and Databases.
  • Consider Relocating or Modifying the System Folder or Admin URL.
  • Utilize CAPTCHAs on All Forms.
  • Eliminate Unnecessary Add-ons and Applications.

Now, let’s delve into these points to gain a comprehensive understanding of how each of them impacts the development of ExpressionEngine websites.

Enhance Website Permissions Security

Enhance Website Permission Security

Website permissions are primarily contingent on your web hosting environment, highlighting the importance of reliable ExpressionEngine hosting. It is crucial to inspect your web host settings and ensure the correct file permissions are established on your server. Typically, file permissions are configured as 644, while folder permissions are set to 777.

This practice significantly bolsters the security of the ExpressionEngine content management system. In essence, the primary goal is to limit access to non-owners.

Modify The Web Address For The Administrator Login

On ExpressionEngine’s website, the administrator holds the keys to managing vital aspects of your website, including site settings and page content. If these administrative controls were to fall into the wrong hands, it could significantly damage your site. To safeguard against this threat, it’s advisable to alter the URL or web address of the administrator page, making it less predictable.

To achieve this, you can rename the admin.php file to a name of your choice and then modify the line in the system/expressionengine/config/config.php file as shown below to match the new name of the admin.php file.

$config['cp_url'] = "http://domain.tld/newname.php"

By implementing this change, you can enhance the security of your admin URL and fortify it against potential hacker attacks.

Implement SSL For Managing Access Points

Access points can be administered through various means such as SSH, FTP, SFTP, Control Panel, and more. Your selection should align with your vision for your website and its specific requirements.

It is imperative to employ secure methods, including SSL, when accessing your website and modifying its content. Additionally, you can request enhanced security measures from your hosting server when handling site files and other content.

Safeguard Your Site: The Importance Of Regular Website Backups

Backing up your ExpressionEngine website data is among the most effective ways to ensure its security, especially when using ExpressionEngine hosting services. There are various methods to back up your data, such as creating periodic copies of your site on your local computer. You can also inquire with your server team about implementing an automated backup mechanism for your website’s content on a daily, weekly, or monthly basis.

Additionally, you can regularly utilize a “development site.” This environment mirrors your live site precisely, but any changes made there do not impact your actual website.

Why Weak Passwords Are Kryptonite To Your Database

This step is of utmost importance in safeguarding your ExpressionEngine website. It is imperative to consistently generate strong and secure passwords for the administrator, database access, and control panel.

To enhance security, it’s crucial to create passwords that incorporate a combination of uppercase and lowercase letters and special characters. Furthermore, it’s advisable to change these passwords regularly and refrain from sharing them with third-party users.

Here Are Some Examples Of Secure Passwords:

always 26 keyboard 092 pumpkin 723 baseball

2 haze spaghetti 641 tulip 182 bathtub

(You can explore other secure password examples using the Nexcess Secure Password Generator.)

Alter Or Relocate The System Folder Or Admin URL

ExpressionEngine’s system path remains consistent across various setups due to its categorization as a CMS. Consequently, after each setup, it assigns a predetermined admin path to all users, which is relatively easy for hackers to discover and access.

To safeguard against potential attacks, you can modify the name of the system folder by editing the following line in both the index.php and admin.php files:

For instance: Change this line to – $system_path = ‘.newsecurename’;

After making this adjustment in both files, rename the system folder to correspond with the new administrator path URL.

For enhanced security, consider relocating the system folder outside the webroot, making it more challenging for malicious entities to reach it. To achieve this, modify the following line in both the index.php and admin.php files and subsequently move the directory to the designated location:

For example: Alter this line to – $system_path = ‘../system’;

In the above example, the system folder is moved up one directory to access the administrator URL.

Always Use CAPTCHAs With Forms

Utilizing CAPTCHA is an effective method to fortify your website against potential attacks, particularly those involving SQL injections through forms.

CAPTCHAs also serve as an extra layer of form validation, deterring aggressive spam submissions. Users must typically read and input a generated code for each post before submitting the form. Most of the newer versions of ExpressionEngine already include CAPTCHA functionality, making its implementation straightforward.

You can integrate CAPTCHAs into various forms, such as comment forms, member registration forms, contact forms, or tell-a-friend forms. For further guidance on implementing CAPTCHAs, you can consult EllisLab.

Remove Unused Add-ons And Applications

It’s essential to maintain your website by consistently updating all ExpressionEngine add-ons and applications as needed. Additionally, ensure that you remove any redundant add-ons and applications from the site to maintain a clean and organized code and structure from the administrator’s perspective.


As an ExpressionEngine developer, these fundamental steps are essential for ensuring the security of your website. While we’ve focused on ExpressionEngine, it’s crucial to recognize that these are universal principles applicable to website security, regardless of the CMS or technology used. Take these measures to safeguard your site and enhance its visitor engagement.


What Are The Most Effective Security Measures For An ExpressionEngine Website?

How Can I Protect My ExpressionEngine Site From Common Web Threats?

What Steps Should I Take If My ExpressionEngine Site Is Compromised?

Related Blog Posts

ExpressionEngine Add-Ons

14 ExpressionEngine Add-Ons To Take Your Site To The Next Level

Content ManagementWeb Development ToolsWebsite Enhancement
tips to hire a Magento developer

Unlocking The Secrets To Hiring An Outstanding Magento Developer

Developer SecretseCommerce HiringMagento Development
The power of WooCommerce

How WooCommerce Development Services Can Change The Game Of e-Commerce?

Development ServiceseCommerce SolutionsWooCommerce Services
OptimizingeCommerce Website

10 Things To Keep In Mind For Your Online e-Commerce Store

eCommerce TipsStore OptimizationSuccess Strategies
WordPress maintenance service

6 Useful Tips To Consider For WordPress Maintenance

Website ManagementWebsite SecurityWordPress Maintenance
ExpressionEngine Plugin

A Complete Guide On Creating An ExpressionEngine Plugin

Plugin DevelopmentWeb Development TutorialWebsite Plugin Creation