Disallow anyone but you, to reach the update files

With a simple addition you can dissalow anyone but you to reach update.php on your site. Off course Drupals update.php is secured and requires you to edit the file in order to update. But at that moment (no matter how short time that may be) anyone can start upgrading your site. Especially when upgrading multisites this can be dangerous: it may take two days to finish all the upgrades: two days that anyone can break any of your databases.

Just add this simple block of accessrules to the .htaccess in your Drupal root.

<FilesMatch "update.php.?">
  Order deny,allow
  Deny from all
  Allow from 12.34.56.789
</FilesMatch>

Replace 12.34.56.789 with your own IP address.

If you don't have a static IP, you may want to make this even fancier by adding a simple htpasswd authentication for update.php. But that is left for you as homework :).

teaser proudly broken with <!--break-->

This article was published on webschuur.com. And migrated to this blog.

in server17 drupal214 drupal214

About the author: Bèr Kessels is an experienced webdeveloper with a great passion for technology and Open Source. A golden combination to implement that technology in a good and efficient way. Follow @berkes on Twitter. Or read more about Bèr.

blog comments powered by Disqus