How to Install CodeIgniter Within the Web Root

By default, when installing CodeIgniter (CI), all the important files, i.e. all files within the application and system folders, are installed within the main web directory, which is visible to anyone. This is fine to an extent, because all folders have an .htaccess file that denies all incoming requests (a protection that depends on the web server honouring .htaccess files). The CodeIgniter developers did this intentionally to make things easy for people trying the framework out.

However, a much more secure method is to store the application and system folders within the server webroot, i.e. alongside the public directory rather than inside it. This location is not directly accessible and helps with all-round application security. Personally, I feel a lot safer knowing core files are not directly accessible. This is doubly important when using a well-known PHP framework, as anyone has a starting point to figure out your folder structure simply by downloading the framework.

Here is how a typical CodeIgniter install looks on a production server:

- CodeIgniter-2.0.3
---- application
---- system
- public_html
---- assets
---- index.php
---- .htaccess

The name of the “public_html” directory will vary from host to host, depending on the hosting setup; it is the directory from which the live website is served. The major benefit now is that the only application file directly accessible is index.php. The assets folder is included in all my projects, for things such as images, CSS files and JavaScript. For additional security, directory browsing is disabled by adding the following to the main .htaccess file:

Options -Indexes

To complete the move of the core CodeIgniter files there are a couple of other small tweaks:

Open index.php, go to line 59 (CodeIgniter v 2.0.3) and change (several lines of PHP comments have been removed here for readability)

$system_path = 'system';
$application_folder = 'application';

to

$system_path = '../CodeIgniter-2.0.3/system';
$application_folder = '../CodeIgniter-2.0.3/application';

This change simply tells CodeIgniter to look for those core files in an alternative location. An absolute path to each folder could also have been used.

The name of the CI directory has the following format: CodeIgniter-x.x.x, where x.x.x is the CI version. Naming directories this way makes it easier to upgrade to a different version of CodeIgniter without affecting the version currently in use. For instance, CI version 2.0.4 would be placed in CodeIgniter-2.0.4, and $system_path and $application_folder would be adjusted accordingly.

The above method can be applied to any website; it doesn't have to be CodeIgniter or a PHP framework. For instance, say you had a vanilla PHP site that used a single configuration file and a bootstrap file, both containing lots of important settings and data. Simply place the two files within the webroot and adjust the include paths within your application pages. Another example is third-party caching systems. An application may make use of PEAR Cache Lite to cache arrays, for example. It would be good practice to set the cache directory directly within the web root, meaning cache files are not directly accessible.
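
A quick check to run after the move, as an added example that is not part of the original post: it reads $system_path and $application_folder from index.php and reports whether each folder exists and sits outside the public directory. The function names are hypothetical, the demo layout is constructed, and it assumes relative values resolve against the directory holding index.php.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check that index.php points
# CodeIgniter at folders that exist and are not under the public directory.
# Assumption: relative values resolve against the directory holding index.php.

# Print the single-quoted value assigned to $<name> in an index.php file.
ci_path_setting() {  # usage: ci_path_setting <index.php> <name>
  grep -E "^[[:space:]]*[$]$2[[:space:]]*=" "$1" 2>/dev/null | head -n 1 | cut -d"'" -f2
}

# Print "ok", "missing" or "inside-webroot" for one setting; non-zero unless ok.
check_ci_folder() {  # usage: check_ci_folder <public-dir> <name>
  local docroot value resolved
  docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "missing"; return 1; }
  value=$(ci_path_setting "$docroot/index.php" "$2")
  [ -n "$value" ] || { echo "missing"; return 1; }
  case $value in
    /*) resolved=$value ;;            # absolute path, use as written
    *)  resolved=$docroot/$value ;;   # relative to index.php
  esac
  # A folder that cannot be entered is the kind of mistake behind the
  # "system path not set correctly" report in the reader comments.
  resolved=$(cd "$resolved" 2>/dev/null && pwd -P) || { echo "missing"; return 1; }
  case $resolved/ in
    "$docroot"/*) echo "inside-webroot"; return 1 ;;  # still served publicly
  esac
  echo "ok"
}

# Constructed demo layout mirroring the listing above (not a real install).
# application_folder reuses the missing-slash typo from the reader comments.
demo() {
  local tmp
  tmp=$(mktemp -d) || return 1
  mkdir -p "$tmp/CodeIgniter-2.0.3/system" "$tmp/CodeIgniter-2.0.3/application" \
           "$tmp/public_html/assets"
  printf '%s\n' '<?php' "\$system_path = '../CodeIgniter-2.0.3/system';" \
    "\$application_folder = '../CodeIgniter-2.0.3application';" \
    > "$tmp/public_html/index.php"
  echo "system_path: $(check_ci_folder "$tmp/public_html" system_path)"
  echo "application_folder: $(check_ci_folder "$tmp/public_html" application_folder)"
  rm -rf "$tmp"
}
demo
```

On a real host, call check_ci_folder with the path to the public directory once for each of the two settings.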

That’s it – within a couple of minutes you’ve just improved the security of your application!

Published by

Rob Allport

Web Developer based in Stoke-on-Trent, Staffordshire

6 thoughts on “How to Install CodeIgniter Within the Web Root”

  1. This is a good article, but has little relevance. Even though people may know your directory structure CI is rock solid and directly from the web browser, people can’t mess anything up at all, as security in CI is top priority.

    1. I think saying the article has little relevance is a little unfair 🙁

      Removing all the core CodeIgniter files to the totally inaccessible web root does have a security benefit imo. Also, it makes me feel a little better knowing all the important files are out of harm’s way. At the end of the day, it takes minutes to set up and has a huge benefit.

  2. I have uploaded my site to public_html in web server but when I access the site, they say system path not set correctly. I have not messed with anything in the index.php or naming of the system and application folder names. Help!! Please

    1. Ah, just noticed a typo! 🙂 I updated $application_folder = ‘../CodeIgniter-2.0.3application’; to $application_folder = ‘../CodeIgniter-2.0.3/application’;
