By default, when installing CodeIgniter (CI), all the important files i.e. all files withing the application and systems folders are installed within the main web directory, that is visible to anyone. This is fine to an extent because all folders have a htaccess file that denys all incoming requests. The CodeIgniter developers did this intentionally to make things easy for people trying the framework out.
However, a much more secure method is to store the application and systems folders within the server webroot. This location is not directly accessible and helps with all around application security. Personally, I feel a lot safer knowing core files are not directly accessible. The latter is doubly as important when using a well known PHP framework, as anyone has a starting point to figure out your folder structure, simply by downloading the framework.
Here is how a typical CodeIgniter install looks on a production server:
- CodeIgniter_2.0.3 ---- application ---- system - public_html ---- assets ---- index.php ---- .htaccess
To complete the move of the core CodeIgniter files there are a couple of other small tweaks:
Open index.php, go to line 59 (CodeIgniter v 2.0.3) and change (several lines of PHP comments have been removed here for readability)
$system_path = 'system'; $application_folder = 'application';
$system_path = '../CodeIgniter-2.0.3/system'; $application_folder = '../CodeIgniter-2.0.3/application';
The latter change simply tells CodeIgniter to look for those core files in an alternative location. The absolute path to the file could have also been used.
The name of the CI directory has the following format: CodeIgniter-x.x.x, where x.x.x is the CI version. Naming directories this way allows different versions of CodeIgniter to be more easily upgraded, without affecting the current used version. For instance, CI version 2.0.4 would be placed in CodeIgniter-2.0.4 – $system_path and $application_folder would be adjusted accordingly.
The above method can be applied to any website, it doesn;t have to be CodeIgniter or a PHP Framework. For instance, say you had a vanilla PHP site that used a single configuration file and a bootsrap file – both containg lots of important settings and data. Simply place the two files within the webroot and adjust your include paths within you application pages. Another example is with third party caching systems. An application may make use of PEAR Cache Lite to Cache Arrays for example. It would be good practice to set the cache directory directly within the web root, meaning cache files are not directly accessible.
That’s it – within a couple of minutes you’ve just improved the security of your application!