
Do I need to do any "hardening" of Silverstripe?


acoggins

Community Member, 19 Posts

16 December 2014 at 6:28pm

I'm new to Silverstripe and have come via the Joomla => WordPress route. Whenever I built a site previously I had a list of tweaks I would do to make sure it was locked down and secure, including installing a firewall plugin/extension.

I've done a couple of basic sites now and I'm just wondering if there is anything I should be doing to "harden" silverstripe. I did find the security page in the docs but it seemed to be more aimed at the deeper coding level - at this stage I'm still only really up to the V part of MVC.

camfindlay

Forum Moderator, 267 Posts

22 December 2014 at 11:03am

I think the key one is not to leave your site in dev or test mode once you get it on to the production server.

Are you using _ss_environment.php files for your database credentials? If not they are super handy and worth reading up on... http://beta.docs.silverstripe.org/en/getting_started/environment_management/

acoggins

Community Member, 19 Posts

27 December 2014 at 10:35am

Thanks Cam - I've looked into _ss_environment.php files. It seems to be of use when you are working on multiple installations, and you want to set a system-wide base configuration. Is there a security benefit to it? Maybe to get the database credentials into a higher level, less accessible file?

I've also been looking into limiting login attempts but it looks like this involves editing a file in the framework section, which I would rather not touch at this stage.

Cheers, Alan

acoggins

Community Member, 19 Posts

28 December 2014 at 3:59pm

Edited: 28/12/2014 4:18pm

Ah.. it seems like limiting login attempts is actually a standard feature. I just tried numerous wrong passwords and after about a dozen tries I got this message.

"Your account has been temporarily disabled because of too many failed attempts at logging in. Please try again in 15 minutes."

Excellent!

camfindlay

Forum Moderator, 267 Posts

29 December 2014 at 8:48am

You can also set password strength requirements if you need to (or if the client is asking for them). These are the settings we use on the New Zealand Government Common Web Platform configuration file:

// Configure password strength requirements
$pwdValidator = new PasswordValidator();
$pwdValidator->minLength(8);
$pwdValidator->checkHistoricalPasswords(6);
$pwdValidator->characterStrength(3, array("lowercase", "uppercase", "digits", "punctuation"));
Member::set_password_validator($pwdValidator);

acoggins

Community Member, 19 Posts

29 December 2014 at 3:01pm

Thanks Cam - that's useful.

In case anyone else is interested, the login attempt settings can be found in framework/security/member.php

/**
* @config
* @var Int Number of incorrect logins after which
* the user is blocked from further attempts for the timespan
* defined in {@link $lock_out_delay_mins}.
*/
private static $lock_out_after_incorrect_logins = 10;

/**
* @config
* @var integer Minutes of enforced lockout after incorrect password attempts.
* Only applies if {@link $lock_out_after_incorrect_logins} greater than 0.
*/
private static $lock_out_delay_mins = 15;

camfindlay

Forum Moderator, 267 Posts

29 December 2014 at 6:17pm

You can also set these via the .yml configuration (as you really shouldn't hack the core files of the framework... as a rule ;) ).

So for example in your mysite/_config/config.yml you can add:

Member:
  lock_out_after_incorrect_logins: 5
  lock_out_delay_mins: 60

Remember to use spaces for indenting yml AND make sure to flush after editing the yml config file.
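A worked example that ties the thread's hardening points together (production environment type, database credentials kept above the webroot, no hard-coded admin account). It is added here and is not part of the original thread or of SilverStripe's own docs; the paths, hostname, user and password are placeholders.

```php
<?php
// _ss_environment.php for a production SilverStripe 3 site.
// Added example, not from the thread. Put this file in the directory ABOVE the
// webroot (e.g. /var/www/_ss_environment.php when the site is /var/www/htdocs):
// SilverStripe 3 also searches the parent directories for it, so the credentials
// never sit in a web-served path and stay out of the project's git repository.

// 1. Environment type: the first hardening point in the thread. In 'dev' mode the
//    site shows stack traces and debug output and lets anyone hit /dev/build;
//    in 'live' mode those require an admin login.
define('SS_ENVIRONMENT_TYPE', 'live');

// 2. Database credentials, kept out of mysite/_config.php and out of the webroot.
define('SS_DATABASE_SERVER',   'localhost');              // placeholder
define('SS_DATABASE_USERNAME', 'ss_app');                 // placeholder
define('SS_DATABASE_PASSWORD', '<long-random-password>'); // placeholder
define('SS_DATABASE_NAME',     'ss_prod');                // placeholder

// 3. Map the filesystem path to the site URL so command-line runs (cron, sake)
//    build correct absolute URLs.
global $_FILE_TO_URL_MAPPING;
$_FILE_TO_URL_MAPPING['/var/www/htdocs'] = 'https://www.example.com'; // placeholder

// 4. Deliberately NOT defined: SS_DEFAULT_ADMIN_USERNAME / SS_DEFAULT_ADMIN_PASSWORD.
//    Leaving them unset means no admin password lives in a file on disk; create
//    admin accounts through the CMS, where the PasswordValidator rules apply.

// mysite/_config.php then only needs
//   require_once 'conf/ConfigureFromEnv.php';
// alongside the Member lockout YAML and the PasswordValidator posted above.
```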

acoggins

Community Member, 19 Posts

29 December 2014 at 6:43pm

Wonderful.. thanks Cam. I was wondering about that. Just what I needed to know. So much to learn about.
Cheers... (and Happy New Year!)
Alan