Possibility to harden s9y for security reasons

heddesheimer
Regular
Posts: 37
Joined: Mon Sep 12, 2005 3:44 pm

Possibility to harden s9y for security reasons

Post by heddesheimer »

Hi,

I'd like to get my first own blog live on my website. I am a bit concerned about security because s9y is such a big piece of software. My questions are:

1. Should I use 0.8.5, or would it be safe to use 0.9 beta1?

2. Is it possible to "harden" s9y for security reasons? For example, does it make sense to delete all plugin scripts from the folders that I do not need?

3. Is there some sort of paranoia plugin available? What I mean is a plugin that sends me an e-mail each time somebody tried to log in without the correct password or used false or strange parameters when calling the scripts?

Marian
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Possibility to harden s9y for security reasons

Post by garvinhicking »

Hi!
> 1. Should I use 0.8.5, or would it be safe to use 0.9 beta1?

If your major concern is security and not features, you should go with 0.8.5.

0.9 contains some new user privilege systems - we do think they are safe, but they have not yet been tested for as long as 0.8 has.

> 2. Is it possible to "harden" s9y for security reasons? For example, does it make sense to delete all plugin scripts from the folders that I do not need?

Yes, that would make sense; even though our plugin files are not callable without being installed, they still offer a very, very small intrusion vector if people have access to the server.

> 3. Is there some sort of paranoia plugin available? What I mean is a plugin that sends me an e-mail each time somebody tried to log in without the correct password or used false or strange parameters when calling the scripts?

Actually, no. For strange parameters you should install mod_security on your Apache web server; for wrong logins you should make your Apache log POST requests (or write up a simple PHP script)...

Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
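Garvin's suggestion to log POST requests and watch them for bad logins, as an added example that is not from this thread or the s9y project: a Python script that scans Apache access-log lines for bursts of POSTs to the admin login script from one address and reports them, which is the "paranoia" alert Marian asked about. It assumes the Apache combined log format and that the s9y login is a POST to serendipity_admin.php; the log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format sample lines (not real traffic).
# Assumption: the s9y admin login is a POST to serendipity_admin.php.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Sep/2005:20:01:10 +0200] "POST /blog/serendipity_admin.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Sep/2005:20:01:12 +0200] "POST /blog/serendipity_admin.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Sep/2005:20:01:14 +0200] "POST /blog/serendipity_admin.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Sep/2005:20:05:00 +0200] "GET /blog/index.php HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Sep/2005:20:05:30 +0200] "POST /blog/serendipity_admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and path from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def login_post_bursts(log_text, script="serendipity_admin.php",
                      window_seconds=60, threshold=3):
    """Return {ip: count} for every IP that POSTed to the admin script
    at least `threshold` times inside any `window_seconds` window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?")[0].endswith(script):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append(ts)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):       # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in login_post_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {n} admin-login POSTs from {ip} within 60s")
```

The access log does not record whether a login succeeded, so repeated POSTs to the login script in a short window stand in for failed attempts; the printed line is what a cron job would pass to mail.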