Joomla! is challenged with ensuring that certain PHP files in wwwroot containing executable code or confidential data are protected from direct Internet access.

There are various ways to protect such files, but most are not optimal. Many users and developer groups, such as Gallery2 and Apache.org strongly recommend against keeping vulnerable files and confidential data inside your wwwroot.

The following method seems to be the simplest and most elegant way to protect read-only files that, for whatever reason, must be stored in wwwroot. In this example, we protect configuration.php, perhaps the most confidential file of any Joomla! site.

Note: Using this method, even if the Web server somehow delivers the contents of PHP files, for example due to a misconfiguration, nobody can see the contents of the real configuration file.

Directions

1. Move configuration.php to a safe directory such as the /db folder outside of your wwwroot and rename it whatever you want. We use the name joomla.conf in this example.

2. Create a new configuration.php file containing only the following code:

Important! Do not include blank lines or any characters (including blank spaces) before the php start tag or after the php end tag. If you make this mistake, you very likely see the following error.

Warning: Cannot modify header information - headers already sent by (output started at /home/xxxxx/wwwroot/configuration.php:2) in /home/xxxxx/wwwroot/index.php on line 250

3. Make sure the new configuration.php file is not writable, so that it can not be overwritten by the Joomla! Web admin interface.

4. If you need to change configuration settings, do so manually in the relocated joomla.conf.

Keep in mind that after moving the configuration.php file out of the wwwroot, you will not be able to make config changes through the joomla admin panel without having to go through these steps each time. Alternatively you can manually edit the joomla.conf file from now on instead of using the joomla admin page to make configuration changes.