In this tutorial we will show you how to secure your CMS Made Simple installation.

For some general tips on how to secure your account and website, we would advise you to check our basic security guidelines.

After you have checked our security guidelines (and, hopefully, applied at least some of them), you can additionally secure your CMS Made Simple site. By inserting a few lines into your .htaccess file you can stop many hacking attempts.These rules reject HTTP requests containing characters commonly used by exploits, but will not affect the normal functionality of your application.Here are the rules you should add to your .htaccess file:

# BEGIN Optional settings

# Turns off directory browsing
# not absolutely essential, but keeps people from snooping around without 
# needing empty index.html files everywhere
Options -Indexes

# Deny access to config.php
# This can be useful if php ever breaks or dies
# Use with caution, this may break other functions of CMSms that use a config.php
# file. This may also break other programs you have running under your CMSms
# install that use config.php. You may need to add another .htaccess file to those
# directories to specifically allow config.php.
<Files "config.php">
order allow,deny
deny from all
</Files>

# Sets your 403 error document
# not absolutely essential to have, 
# or you may already have error pages defined elsewhere
ErrorDocument 403 /forbidden403.shtml

# No sense advertising what we are running
ServerSignature Off

# END Optional Settings

# BEGIN CMSMS and Rewrite Rules
# Make sure you have Options FollowSymLinks
# and Allow on

RewriteEngine On

# Might be needed in a subdirectory
#RewriteBase /

# URL Filtering helps stop some hack attempts
#IF the URI contains a "http:"
RewriteCond %{QUERY_STRING} http: [OR]
#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} [ [OR]
#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} ] [OR]
#OR if the URI contains a "<script>"
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) 
RewriteRule ^.*$ - [F,L] 
# END Filtering

# CMSMS Rewriting
# Set assume mod_rewrite to true in config.php and clear CMSMS cache
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA]
# END CMSMS

# END Rewrite rules