demo
templates
install
contact
Home Install Home Help Security

Direct Install Routine Security

The Direct Install Routie uses File Transfer Protocol (FTP) to connect to your web server and install the files. All FTP transfers are inheriently insecure since passwords are always sent as plain text. While very unlikely, if someone is monitoring the data transfer, they could see your password clearly. Additionally, since the password is sent from your computer to the Contentor web site, the miniscule chance of interception is roughy doubled. In reality, the most likely people to be able to intercept and view this information have ready access to much more web space than what they might misappropriate from you.
This web site does log installations, but does NOT store your the password anywhere. The password that you enter is sent back to your computer in the form of a cookie, and that cookie is cleared once the file transfer is complete and you close your browser window.

Suggested action

To insure greatest security, change your password after the site is setup and ready to run. Always use a password that is at least 8 characters long, that is not a dictionary word, and has a mix of letters and numbers.
An alternative that is available to many people is to setup an additional user name that has FTP access to your site, and use that user name for temporary installation access. After the installation is complete, delete that user name. Consult your server documentation for details.


After Installation

First, change the editor passwords! (see http://contentor.net/index/help/setup)

Next, it is recommended that you delete "install.php", "loadsql.php" and all ".sql" files ("install.sql", "update.sql", etc.) from the /util folder. You may also want to change the file permissions of "config.inc.php" from 777 to 755 (this will prevent any configuration changes, even from within the setup system configuration).
While none of these actions is critical to the security of the site, they are prudent measures. The "install.php" routine will only operate if you cannot connect to the MySQL database.
The direct install utility has a "Secure your installation" option.