joomla in root or not?

[Kezz]

Hi,

I'm setting up an ecommerce shop using joomla, and I've stumbled at the first block. Do I want Joomla in the root directory or in another directory? What's the difference? :|

I've had a google around and I can't figure it out myself so I figured I'd ask the experts. Can any explanations be translated into joomla/directories for idiots style instructions?

Thanks in advance
:|

 

[FireFleur]

Generic locations would be:

/mnt/project-name/
/srv/project-name/

/var/project-name/

If you pop it in the root (/), which you can do, you can get a name clash with a system directory but it would be rare.

Often the directory chosen will be related to a partition as well.

Be aware that root can also mean joomla root, it is rare to install to /

 

[ORDERED WEB]

Hi,

I'm setting up an ecommerce shop using joomla, and I've stumbled at the first block. Do I want Joomla in the root directory or in another directory? What's the difference? :|

I've had a google around and I can't figure it out myself so I figured I'd ask the experts. Can any explanations be translated into joomla/directories for idiots style instructions?

Thanks in advance
:|

If you dont intend to do anything else major with the webspace - put it in the root. What ever you do now, adding / editing the re-write rules in a .htaccess file can resolve issues down the line, so dont worry about it, install it in the front of the domain (unless you have another package with a index.php file allready in the root, that you cant move

 

[KM-Tiger]

One reason for not putting it in the root of your webspace would be if you want visitors to see something else while you develop your Joomla site, or if you want to change it later.

Joomla won't care, as long as you can direct your webserver to serve Joomla's index.php when visitors go to your site.

 

[FireFleur]

Well root is not really advised:

http://www.pathname.com/fhs/

There is the FHS, the real issue is partitioning, normally you would keep root small.

.htaccess is also not advised

http://httpd.apache.org/docs/1.3/howto/htaccess.html

Installing to a web server root, can be problematic if any passwords or sensitive data is stored in the PHP or any file there; if the webserver subsequently gets misconfigured it can fail open and display all the code as text, including your passwords.

 

[Kezz]

ok, thanks for the replies, I'll have a go at putting it in a different directory then. don't fancy it showing my passwords, even if it is rare...

 

[edmondscommerce]

good points re security etc, however i think your joomla install is going to be in a web accessible directory regardless, the question is if its in the web root or a subdirectory of the webroot.

I would say go for the webroot every time.

Re the security issues, you can use some include files and put those outside the webroot for your passwords, but this isn't likely to be a standard feature. Not too hard to do though if you know what you are doing

 

[FireFleur]

I haven't looked at Joomla, but if that is a standard install that is a little worrying.

In fact if you use Joomla you should mention it on their forums, it is pretty well known as a security hole. They should install in and outside of the web daemon root, ( I used daemon rather than server there so people don't think it is the web server's file system root). Identifying the sensitive data and keeping that outside.

Or do a virtual directory inside of the install mapped to a joomla directory outside of docs:

/srv/httpd/docs/ -> /srv/httpd/joomla/web/

/srv/httpd/joomla/web/
/srv/httpd/joomla/config/

 

[edmondscommerce]

its probably a shared host though, not much choice usually other than shove everything in the docroot

 

[Kezz]

It is a shared host and I'm no where near close to understanding FireFleur's last post :|

 

[ozbon]

I wouldn't worry too much about FireFleur's response, Kezz - that's specific to someone having total control over their webserver setup etc.

The simple basis for your question is this :
Will you be using Joomla to manage the content of your entire site, or just one section?

If it's managing the entire site, put it in the main root of the site.
If it's only managing one section, put it in that section.

So in your case, if Joomla is only being used to manage the shop side of things, then I'd install it in /shop (or whatever the folder is).
If you want to update your entire site to be Joomla run, put it in the main directory.

 

[Subbynet]

It is a shared host and I'm no where near close to understanding FireFleur's last post :|

Its just confusing the issue tbh... Given that you're using shared hosting his advice is not really applicable.

 

[FireFleur]

Well it is a security risk, but then shared is another one.

If this is for nothing important, then no need to bother too much.

If it is something important then dedicated, and separate public from private.

 

[ozbon]

Yes, but the shared host is less likely to have a webserver suddenly get "misconfigured" so it parses .php files as .txt and thus displays them with passwords or whatever.

With Joomla (which you admit to not having used) being open-source and popular, and having been in existence for *cough* years (first as Mambo, then as Joomla) there are thousands (if not tens-of-thousands) of sites using it. Installing a web-based CMS outside the webroot is - at best - impractical, and generally makes it unusable.

However, this has gone out of the topic of the original question.

The response to the original question is the same one I put earlier on this :

If you're using Joomla to manage the entire site, put it in the root (i.e. www.site.com/ )
If you're only using it for the shop (or whatever section) put it in that section.

 

[FireFleur]

A shared server is far more likely to fail open than a dedicated.

Yes, whilst I may not have used Joomla I have used Apache going on for well over a decade, and PHP since the early days as well.

It is a security risk there is no getting away from it, what matters is the importance of the project, if it is of low importance then whatever, but if the site has to work then if Joomla doesn't have workarounds for this then avoid Joomla.

 

[jadexsoln]

I've created and installed several Joomla sites and always installed it into the web root (which is it's default).

Whilst, as mentioned there is the potential that if the server gets misconfigured it could display file listings, all the Joomla files are PHP (including the configuration files) and commence with a 'JEXEC or DIE' statement that prevents them being called and displayed directly - i.e. they have to be called in the correct context otherwise they, well die........ So the security issue mentioned is catered by standard.

So unless there is a burning need not to install it in the web root, then that's where I would place it.

Hope this helps.

 

[FireFleur]

The DIE has to be interpreted by something.

If PHP is removed from the server, then the files all get delivered as text, it is not a defence for the server being misconfigured, as the big misconfiguration is PHP itself failing and being removed.

It maybe a defence on a shared from other users trying to view source files of someone else's files on the server, that makes more sense, and then it really only stops an include from outside. And if they can include it, they can open it.

 

[jadexsoln]

Surely this applies to any system (Wordpress/Drupal etc.) though and is not an issue with Joomla per se? Joomla tells you how the server should be configured.

It's like having the best locks on your doors, then forgetting to actually close the door?

 

[FireFleur]

Well it depends how you get the configuration information in, but yes this is a common security problem.

It is more a problem for the PHP, ASP, Coldfusion lot because they tend to create a file per URL (they don't have to but most do).

Instead you should move the config, definitely username and password for database outside of the DocumentRoot. And then include it from there, it normally still has to be in a place accessible by the application or web server.

It is quite a small thing to do, and is trivial to implement, so I would be surprised this hasn't been done by Joomla in some way.

 

[Subbynet]

It is quite a small thing to do, and is trivial to implement, so I would be surprised this hasn't been done by Joomla in some way.

Yes it is possible, and I agree good practice if your shared host gives you access to non-served ("hidden") directories.

 

[edmondscommerce]

I think the reason most open source apps install entirely to teh webroot is that with so many different server configs etc its the only way they can be sure that it will install on most servers.

If you know what you are doing you can separate out the sensitive stuff to a non web root folder.

I'm not too worried if the general source code is exposed - after all it is open source

If your shared hosting server starts spitting out PHP files as text files I would quickly look to moving to a new host.

If you are concerned about security then look to host on a dedicated or virtual dedicated server.

To conclude, I would recommend as Ozbon says - if Joomla is going to be the whole site (I imagine it is) then intall it to the web root.

As said this is all a bit off topic for the OP.

As said by Ozbon - if its for the whole site (presumably it is) then install it to the web root.

 

[FireFleur]

Well shared may or may not be setup with security in mind.

A lot of ISPs seem to leave most of them pretty open.

So, if the project is important don't used share unless they offer some explanation of how they secure in a shared environment.

Joomla forums will probably have the solution for keeping sensitive information secure as I mentioned before.

But, it does boil down to how important the project is, if you keep daily backups and can afford to lose 24 hours of data, and hold no sensitive data on any third party does it matter?

 

[KM-Tiger]

Joomla forums will probably have the solution for keeping sensitive information secure ...

http://docs.joomla.org/Security_and..._confidential_files_outside_of_public_html.3F

It's open to question as to how much of a risk leaving configuration.php in the root really is, but it's noteworthy that the main reason it is in the root, is to allow Joomla to be installed in the first place.

 

[Kezz]

Ok, my site will be predominantly a shop, in the future I may want some articles, so it will be all joomla (I think- extreme newbie learning as I go). Extremely steep learning curve here...

 

[FireFleur]

If it is ecommerce and you are going to hold details of other people, then you have to secure up, and shared is often not the way.

If you hold credit card details, then there are extra rules as well so try to avoid doing that.

I would advise you build your site locally, and at the same time keep your eyes open for a good dedicated deal or perhaps a Virtual Server which will afford a bit more security.

Make the decision when you have the first iteration of the site done.

 

[KM-Tiger]

If you are going to be experimenting, then you might do well to put Joomla in a sub-directory while you work on it, and leave a holding page in the root which Google can index.

Swap over when you are ready, and if you are really paranoid .htaccess the subdirectory so that only you can see it.

 

[Kezz]

Thanks everyone, I've put a very basic HTML page in so the address doesn't just bring up an error. I've ordered a couple of books to help me get started so I'll start developing the site and decide once I've got my head around it.

 

[asonda]

Looks like you are well on the way.

All the Joomla site's I have ever done, it has always been put into the Root Directory.

If you are saving data, such as credit details etc, as mentioned before there are rules for that and you would need to look into the more advanced stuff.

One thing to mention, is once you have it all running, make sure you check back to the Joomla website and update your Joomla version whenever an update has become available, they are usually security updates.

Templates, if you use a template (as making one from scratch for a newbie, is a very long task) make sure you use one from a trusted source. Don't be tempted to shirk the £20 or however much they are and donwload an illegal copy, as some have been known to have extra code!

 

[retailworld]

Kezz - you've got your answer now, but if you hasve any queries fire me a PM and I'm sure I'll be able to point you in the right direction...