Question

I am using Magento 2.3.1 Open Source. I installed it from the .zip file in the public_html folder (I didn't know any better at the time) in my account at my web host, running on Apache.

I did the Magento Security Scan on my website, and it showed the following problem:

Your Web server is configured to run Magento from %MAGENTO_ROOT% directory. 

It is recommended to set %MAGENTO_ROOT%/pub as a Web server root directory.

In response I found my way to this page

https://devdocs.magento.com/guides/v2.3/install-gde/tutorials/change-docroot-to-pub.html

which had instructions to fix the problem, but they seem to only apply to installations that are not on shared web hosting plans.

I tried to find the files that contain the document root URL by SSH-ing into the shared server just in case, but since I don't have root access they didn't show.

I contacted my hosting provider twice to change the document root for me through /var/cpanel/userdata/username/example.com, but since there is a language barrier, they told me that that was beyond their expertise, or something like that.

My site is run under https, of course, if that helps any.

I am not too security savvy with Magento, so what I want to know is, if I use the .htaccess commands below to change the document root, would they alone make my Magento installation in public_html secure?

    RewriteEngine on
    RewriteBase /

    RewriteCond %{REQUEST_URI} !^/pub/

    RewriteCond %{HTTP_HOST} ^(www\.)?example\.

    RewriteRule ^(.*)$ /pub/$1 [L]

Do I need to move/copy any Magento files from public_html to public_html/pub if I use the .htaccess commands above, and if so, which files?

If I leave the Magento files in public_html and use the rewrite commands, will that be a security problem?

Do I need to change any settings in the Magento Admin after using the rewrite commands?

Thank you very much.


Solution

Depending on your host, you may be able to sort this yourself.

Do you have a cpanel login?

Check this demo

https://demo.cpanel.net:2083/cpsess6663391586/frontend/paper_lantern/index.html?login=1&post_login=30734131148808

Under domains you may have the option to change your document root to /public_html/pub/

You do not need to modify any Magento files. If you have modified any files undo your changes first.

Extract the site as normal under public_html

In terms of security the site will be in the same state. That said, the point in all this is to avoid visitors being able to access folders to trigger a setup wizard or browse for other vulnerabilities. Providing you lock folders down via .htaccess and maintain these, your site is secure. The idea is that one folder (/pub) is easier to keep safe than many (app/etc, bin, etc.).

https://devdocs.magento.com/guides/v2.3/install-gde/tutorials/change-docroot-to-pub.html
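The answer's point is that whatever you do with the document root, the test that matters is whether the non-public directories (app/etc, var, setup, bin and so on) are actually served to a browser. The following script is an added example, not part of the question or either answer: it probes a constructed list of paths that should never be reachable on a Magento 2 site and reports any that come back with HTTP 200. It deliberately does not follow redirects, so a redirect to the storefront home page is not mistaken for an exposed file. The hostname `shop.test` and the status codes in the usage below are constructed.

```python
"""Report Magento paths that the web server still serves after a docroot change.

Added example (not the original poster's code). The path list is a constructed
subset of the Magento 2 layout; extend it to match your installation.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Files and directories under the Magento root that a browser must never get.
# Constructed list; app/etc/env.php in particular holds database credentials.
SENSITIVE_PATHS = [
    "app/etc/env.php",
    "app/etc/config.php",
    "composer.json",
    "var/log/system.log",
    "setup/",
    "bin/magento",
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make 3xx responses surface as HTTPError instead of being followed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_status(url: str) -> int:
    """Return the HTTP status for a GET of url, or -1 on a connection error."""
    try:
        with _OPENER.open(urllib.request.Request(url), timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 3xx/4xx/5xx arrive here because of _NoRedirect
    except urllib.error.URLError:
        return -1


def classify(status: int) -> str:
    """Map a status code to a verdict; only a 200 counts as exposed."""
    if status == 200:
        return "EXPOSED"
    if status in (301, 302, 303, 307, 308):
        return "REDIRECT"        # check the Location target by hand
    if status < 0:
        return "ERROR"
    return "BLOCKED"             # 403, 404 and friends


def check_paths(base_url: str, paths: List[str],
                fetch: Callable[[str], int] = http_status) -> Dict[str, str]:
    """Probe every path under base_url and return {path: verdict}.

    `fetch` is injectable so the logic can be exercised without a network.
    """
    base = base_url.rstrip("/") + "/"
    return {p: classify(fetch(base + p)) for p in paths}


def exposed(results: Dict[str, str]) -> List[str]:
    """Paths whose verdict is EXPOSED, in the order they were probed."""
    return [p for p, verdict in results.items() if verdict == "EXPOSED"]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://shop.test"
    results = check_paths(target, SENSITIVE_PATHS)
    for path, verdict in results.items():
        print(f"{verdict:9}{path}")
    sys.exit(1 if exposed(results) else 0)
```

Run it as `python3 check_docroot.py https://www.example.com` after changing the document root or adding the rewrite rules, and again after every Magento upgrade, since an upgrade can rewrite the root .htaccess. An exit status of 1 means at least one sensitive path answered with 200.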

OTHER TIPS

In case others want to know how to do this, this is what I did, and where I put the code to make the document root change work.

I edited the .htaccess file inside of my public_html folder, and placed the needed code under this section / heading:

    ############################################
    ## you can put here your magento root folder
    ## path relative to web root

        #RewriteBase /magento/

This is the code that needs to go in that section for a simple rewrite. Be sure to change "example" to your domain name, that is, if your domain name is bluecar.com, you would replace "example" below with bluecar:

    # RewriteBase takes a URL path, not a filesystem path; the substitution
    # below starts with "/" so it is absolute and this value is not used.
    RewriteBase /

    # Only rewrite requests whose path is not already under /pub/
    # (this also stops the rule from looping after the rewrite)
    RewriteCond %{REQUEST_URI} !^/pub/

    # Only for this domain, with or without the www prefix
    RewriteCond %{HTTP_HOST} ^(www\.)?example\.

    # Internally rewrite everything else to the same path under /pub/
    RewriteRule ^(.*)$ /pub/$1 [L]

That code worked for my site to direct web browsers to the /pub folder.

I'm not very savvy with .htaccess commands, so make any needed backups if you use this code.

After I made the changes, I ran the Magento Security Scan again, and again it showed the same error. This was expected, seeing as it looks for the document root line in certain files I can't get to.

But, to make sure that my .htaccess changes were indeed working (calling /pub/index.php), I edited the index.php file in the /pub folder to have it write a line of text to a file, and it did.

From all of the research that I did, this appears to be a secure approach.

All of the tests that I have done on my site since this change are positive.

I hope this helps others.

If I have made any errors / mistakes, or overlooked a security issue, please someone point them out.
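The rewrite rules in the question and in the answer above are the same three directives, and it is worth being able to reason about what they do to a given request without touching the live server. The script below is an added example, not code from either post: it models Apache's evaluation of the two RewriteCond lines and the RewriteRule for a Host header and request path, and then follows the internal rewrite the way Apache re-runs .htaccess processing on the new URL. The `guard` switch shows why the `!^/pub/` condition is there: without it the rule keeps prepending `/pub/` and Apache would give up with a 500 after its internal redirect limit. The hostnames `example.com` and `other.test` are constructed.

```python
"""Model of the .htaccess rewrite from this thread (added example, not the poster's code).

Hostnames and request paths used here are constructed.
"""
import re

# The patterns from the .htaccess directives, with "example" as the domain label.
HOST_PATTERN = re.compile(r"^(www\.)?example\.")   # RewriteCond %{HTTP_HOST} ^(www\.)?example\.
UNDER_PUB = re.compile(r"^/pub/")                   # RewriteCond %{REQUEST_URI} !^/pub/

MAX_INTERNAL_REDIRECTS = 10   # Apache's default limit before it returns 500


def rewrite(host: str, request_uri: str, guard: bool = True) -> str:
    """Return the URI Apache would serve internally for one pass over the rule.

    guard=False leaves out the `!^/pub/` condition to show what the rule does
    without its loop protection.
    """
    if guard and UNDER_PUB.match(request_uri):
        return request_uri             # first condition fails: already under /pub/
    if not HOST_PATTERN.match(host):
        return request_uri             # second condition fails: another vhost
    # In a per-directory (.htaccess) context the rule's pattern is matched
    # against the path relative to that directory, i.e. without the leading "/".
    relative = request_uri.lstrip("/")
    return "/pub/" + relative          # RewriteRule ^(.*)$ /pub/$1 [L]


def resolve(host: str, request_uri: str, guard: bool = True) -> str:
    """Follow internal rewrites until the URI stops changing.

    After a per-directory rewrite Apache restarts URL processing with the new
    URI, so the root .htaccess is consulted again. Raises RuntimeError where
    Apache would answer 500 because the rewrite never settles.
    """
    uri = request_uri
    for _ in range(MAX_INTERNAL_REDIRECTS):
        new_uri = rewrite(host, uri, guard)
        if new_uri == uri:
            return uri
        uri = new_uri
    raise RuntimeError(f"rewrite loop for {request_uri!r}, last URI {uri!r}")


if __name__ == "__main__":
    for host, uri in [("example.com", "/customer/account/"),
                      ("www.example.com", "/static/frontend/x.css"),
                      ("example.com", "/pub/index.php"),
                      ("example.com", "/app/etc/env.php"),
                      ("other.test", "/index.php")]:
        print(f"{host:16} {uri:28} -> {resolve(host, uri)}")
```

Note the fourth case: a request for `/app/etc/env.php` is rewritten to `/pub/app/etc/env.php`, which does not exist under pub/, so Magento's own pub/.htaccess hands it to index.php and the visitor gets a 404 rather than the file. That is the effect the Security Scan is asking for, achieved by rewriting instead of by moving the document root.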

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange