Why You Should Care About Securit:ee
Published: 08/20/2012
Securit:ee
Yesterday marked the biggest update to Securit:ee since its creation over a year ago. With that in mind, I'd like to go over why every ExpressionEngine site should have it installed and what it can do for you and your clients.
First though, let me say that I'd previously decided not to ever "push" Securit:ee because of the fear of creating FUD and just coming off as slimy. I know I'd personally be skeptical of someone outlining a problem I didn't know existed who also, magically, has the solution. But after discussing Securit:ee with a friend over the weekend I've come to realize it's necessary to go over the particulars of what Securit:ee does and how it can protect your ExpressionEngine site. Still, if you have any doubt, hell, even if you don't, please do your own research. Security is something every developer needs to think about all the time with every project they build and maintain.
That said, I'd like to drill this into every web developer's brain: there is NO SUCH THING AS A SECURE SITE. A "secure" site is a myth. They don't exist. The closest you can get would be a completely static HTML site that used no web server, JavaScript, database, or programming language, wasn't connected to the Internet, and was only accessed from a dumb terminal with no external media ports. And even then, if someone wanted to gain access and they had enough perseverance, it's absolutely, 100%, possible. Claiming anything is "secure" is hyperbole at the highest level, and anyone who claims otherwise is, frankly, making shit up.
With that in mind, there appears to be a popular opinion surrounding ExpressionEngine that all the security you need is built right into the core. Nothing could be further from the truth. Yes, ExpressionEngine goes to great lengths to provide protection against the tried-and-true security issues (more than any other CMS I've worked with). SQL injection, CSRF, remote file inclusion, path traversal, and session hijacking are all taken into account, and there are safeguards protecting a site against these types of attacks. Further, there are many configuration options available to add even more security safeguards, like login lockout, complex password requirements, and XSS filtering of file uploads (due to a long-standing bug with PDF file uploads, ExpressionEngine recommends disabling XSS filtering, though YOU SHOULDN'T).
And it's a good start. But that's all it is: a start. Security is an ongoing practice that doesn't stop at just those specific attack vectors and configuration values.
More, a web site isn't just ExpressionEngine (or WordPress or Joomla or any of the dozens of other CMSs available). There's the web server software (Apache), the database (MySQL), the programming language (PHP), and, where a great many exploits come in, the myriad programs installed on the physical server as part of the operating system (Linux). And before anyone thinks the likelihood is minimal, know that I've personally had a site compromised for running CUPS (the Linux print system). Is the site on a shared host? Then you're also at the mercy of every other site and every security vulnerability within those sites (depending on how the shared hosting server is secured and set up).
These are very real concerns all web developers should be thinking about all the freaking time.
This is where Securit:ee comes in. Securit:ee is designed around the concept of Defense in Depth: it augments a site with components aimed both at preventing a compromise and at keeping damage to a minimum if, and when, one does occur.
There's the File Monitor, which alerts ExpressionEngine site administrators when their file system changes and which files changed. Why? Because when a site becomes compromised there are unexpected changes to the file system. This way administrators know when something's going wrong with their site. Notice a change you don't recognize? Investigate and possibly lock down the site to prevent further destruction.
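The detection idea behind a file monitor, as an added stand-alone example (not Securit:ee's own code): record a baseline of file digests, re-scan later, and report what appeared, vanished or changed. The sample site tree is constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file under root (POSIX relative path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(baseline, current):
    """Report files that were added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed sample site: take a baseline, change things, re-scan."""
    with tempfile.TemporaryDirectory() as site:
        root = Path(site)
        (root / "system").mkdir()
        (root / "index.php").write_text("<?php // front controller\n")
        (root / "system" / "config.php").write_text("<?php $db = 'x';\n")
        baseline = build_manifest(root)
        # Simulate unexpected changes an administrator should be told about:
        # a new file in the images folder, an edited config, a deleted file.
        (root / "images").mkdir()
        (root / "images" / "cache.php").write_text("<?php // unexpected\n")
        (root / "system" / "config.php").write_text("<?php $db = 'y';\n")
        (root / "index.php").unlink()
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be stored somewhere the web server cannot write, or a compromise that edits files can edit the manifest too.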
There are two IP Lockers: a Control Panel IP Locker and a Client Side IP Locker. The IP Lockers are useful to ensure access to your site's Control Panel or Client Side only comes from authorized locations. Locking down the Control Panel is obvious, but the Client Side IP Locker is useful for when your site gets compromised. Likely the quickest way to stop an attacker would be to lock the site down while your investigation is under way.
The Control Panel Login Alert is designed to send an email to whoever you set up whenever someone logs into the ExpressionEngine Control Panel. Why? So that a site administrator can know if, and when, unauthorized access is happening, for example if an attacker were to compromise an account and log into the Control Panel. Notice an unauthorized login from somewhere you don't recognize? Investigate.
The Security Scanner looks at your site and server's configuration and lets you know what to change and why. It looks at your ExpressionEngine config, your PHP setup, and how your Control Panel is set up, and will even look for any cruft left over from your version control system (you're using one, right?).
The Encryption FieldType allows you to store sensitive data in a safe and secure way. When setting it up per channel, you configure which Member Groups can view the data, so only those who need to see it can see it. If a user who shouldn't see the plain (unencrypted) data views a Channel Entry containing encrypted data, they're presented with a placeholder that you set (***** by default, though it's configurable). This is great for if, and when, your database becomes compromised.
The Forgot Password tag replaces the default ExpressionEngine Forgot Password tag, which simply resets a member's password and sends it in plain text. There is NO good excuse for simply resetting a password and emailing it. Sending a password in plain text is incredibly insecure because the majority of website members will simply leave the password in their inbox, ready for the picking. Instead, the Securit:ee Forgot Password tag sends an expiring link that directs users to set their own password. You have complete control over the email message and link expiration times, so you can customize things to fit your specific needs.
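The expiring-link pattern described above, as an added illustration rather than Securit:ee's implementation: the server mails a random token, stores only its hash with an expiry time, and the token is accepted once before the member chooses a new password. The `ResetTokens` class, its in-memory store and the `now` parameter are assumptions made for the example.

```python
import hashlib
import secrets
import time


class ResetTokens:
    """One-time, expiring password reset tokens (in-memory store for the demo).

    Only the SHA-256 of each token is kept, so a leaked table does not hand
    out usable links; the raw token exists only in the email that was sent.
    """

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._pending = {}  # token hash -> (member_id, expires_at)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, member_id, now=None):
        """Create the token that goes into the reset link and record its expiry."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._hash(token)] = (member_id, now + self.ttl)
        return token

    def redeem(self, token, now=None):
        """Return the member id for a valid token and invalidate it, else None."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._hash(token), None)  # single use
        if entry is None:
            return None
        member_id, expires_at = entry
        if now > expires_at:
            return None  # expired tokens are discarded, never honoured
        return member_id


def build_reset_link(base_url, token):
    """Link placed in the email; the member sets a new password on that page."""
    return f"{base_url}/reset-password?token={token}"
```

The reset page itself should still require the member to enter a new password; the token only proves control of the mailbox.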
Then there's the Member Group Expire. This is especially useful when dealing with tech support and allowing temporary access to your site. Essentially, you assign Member Groups to expire, and the account automatically disables itself after the time you set, thus preventing support accounts from remaining active over time.
There are other modules and extensions in Securit:ee (Expiring Passwords, CP Registration Email, etc.) that are all geared towards making a secure and safe ExpressionEngine site.
BTW, if you've been following along closely you'll hopefully have noticed a trend. There's no doubt in my mind that every site will be compromised. Every. Site. To think otherwise is to set yourself up for failure of the highest level in web development. This is what separates the amateurs from the professionals. If you take one thing away from this, take this: if you're not paranoid about your site's security you WILL have a crazy bad day that will stick with you for the rest of your career.
Securit:ee is available for sale on either Devot:ee or CartThrob.com.