Support

Admin Tools

#19939 Allowing outside access to root directory

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Wednesday, 30 April 2014 11:43 CDT

user78043
 I am employing Sucuri as a web monitoring service for all of my websites. I have been trying to give them access to the root directory of my site yet I am unable to. I am sure there is something I need to do in Akeeba Admin but I am not sure what. Is there a way just to give them access but no one else?

nicholas
Akeeba Staff
Manager
No. If you open your entire folder structure to be visible from the web then everyone who can access your site over the web will be able to read every file and directory on your site. This is an extremely bad idea as far as security is concerned which is exactly why we've build .htaccess Maker and you're using to protect your site.

I find it hard to believe that Sucuri, a company which performs security scans of sites, asks you to have your entire site's structure open to the world. In fact, they can't perform a security scan over the web! If they want to scan your PHP files for security threats they needs FTPS/SFTP access to your site or some other kind of connector which allows secure transport of the contents of the PHP files (something which, for security reasons, is of course impossible to do over the web anyway!).

I would recommend consulting with Sucuri. Most likely all you need is give their tools FTP/FTPS/SFTP access to your site or install a plugin on your site. Under no circumstances should you commit security suicide by removing the .htaccess Maker protection and let your entire folder structure be accessible over the web. It won't help them with performing a security scan of your site but it will help hackers understand the structure of your site and plan an attack against it.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user78043
Hi Nicholas,

They never asked me to change anything. Part of their setup involves either giving them FTP access (which I tried and failed) or downloading their php file, putting it in the root directory and then executing the script file which will now give them the information they need,. That too failed, so just recently I temporarily disable the .htaccess file so that I can execute the Sucuri php and then I enabled the ,htaccess file to continue protection.

Just to back track a little...
I started using Admin tools back in August and just recently noticed that this website got infected. The good thing is that when I did a PHP scan, I found quite a few files that were added to the directories (many in the images directory) which I deleted. Still, the site seems to be infected so that is where I am having Sucuri scan my sites, they will also clean any infections for me instead of me spending several hours trying to figure out exactly what files are infected.

If they have issues because of me enabling the .htaccess file, I will, like you said work with them to solve this infected website.

Regards,
Steve

nicholas
Akeeba Staff
Manager
OK, now that makes more sense :)

The FTP method is one way to give them access. Using their PHP file in your site's root requires a small change in the .htaccess Maker configuration. Let's say that this file is named MyFileName.php. You need to go to Admin Tools, .htaccess Maker and add the following to the "Allow direct access to these files" area:
MyFileName.php

Then click on Save & Create .htaccess. That's it. Now you have access to this specific PHP file from outside your site.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user78043
Thank you for your advice, I did exactly what you mentioned and Sucuri was able to find the affected files and clean up my website.

nicholas
Akeeba Staff
Manager
You're welcome!

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!