Disallow anyone but you from reaching the update files
With a simple addition you can disallow anyone but you from reaching update.php on your site. Of course Drupal's update.php is secured and requires you to edit the file in order to update. But at that moment (no matter how short a time that may be) anyone can start upgrading your site. Especially when upgrading multisites this can be dangerous: it may take two days to finish all the upgrades: two days during which anyone can break any of your databases.
Just add this simple block of access rules to the .htaccess in your Drupal root.
# Anchored regex with the dot escaped, so only update.php itself matches
# (an unescaped "update.php.?" would also match e.g. update-php or update.phpx).
<FilesMatch "^update\.php$">
# Apache 2.2 (mod_access_compat) syntax: deny everyone, then allow one address
Order deny,allow
Deny from all
# Placeholder: replace with your own IP address
Allow from 12.34.56.789
</FilesMatch>
Replace 12.34.56.789 with your own IP address.
If you don’t have a static IP, you may want to make this even fancier by adding a simple htpasswd authentication for update.php. But that is left for you as homework :).
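The same restriction in Apache 2.4 syntax, as an added example that is not part of the original post: Apache 2.4 replaced Order/Deny/Allow with Require directives from mod_authz_core, and the block below combines the IP allow-list from the post with the htpasswd "homework". The address 10.2.3.4 is an RFC 1918 placeholder and /var/www/private/update.htpasswd is an assumed path; substitute your own.

```apache
# Added example, not from the original post. Apache 2.4 equivalent of the
# .htaccess block above, with HTTP Basic authentication added.
# Anchored regex: matches update.php only, not update.php.bak or similar.
<FilesMatch "^update\.php$">
    AuthType Basic
    AuthName "Drupal update"
    AuthBasicProvider file
    # Assumed path, outside the web root. Create the file with:
    #   htpasswd -c /var/www/private/update.htpasswd admin
    AuthUserFile /var/www/private/update.htpasswd

    # Both conditions must hold: the request comes from the permitted
    # address (placeholder 10.2.3.4) AND carries valid credentials.
    # Without a static IP, drop the "Require ip" line and keep only
    # "Require valid-user" (the <RequireAll> wrapper is then optional).
    <RequireAll>
        Require ip 10.2.3.4
        Require valid-user
    </RequireAll>
</FilesMatch>
```

For either syntax to take effect from .htaccess, the directory's AllowOverride setting in the main server configuration must permit AuthConfig (for the Auth* directives) and Limit (for the access rules); with AllowOverride None the block is silently ignored and update.php stays reachable, so check the rule from a second address before relying on it.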

homework - something like:
# Straight quotes (the curly quotes and missing closing quote would break the directive)
<FilesMatch "^update\.php$">
AuthName "Private"
AuthType Basic
AuthBasicProvider file
# Path to the file created with htpasswd, preferably outside the web root
AuthUserFile path/to/your/htpasswd/file
Require valid-user
</FilesMatch>
and command for adding user/passwd:
htpasswd -c path/to/your/htpasswd/file username
An advanced idea:
if Apache has mod_auth_mysql installed, you can use it to auth. against your Drupal database - so, for example, only Drupal's main admin (uid == 1) can access update.php
best to use RFC 1918 addresses in the example
hence no “12.34.56.789” but 10.2.3.4
12/8 belongs to someone I have worked for :-)