Security & Privacy¶
Control Panel Location:
This section of the Control Panel allows you to define the basic security-related settings for your website. These are security settings that apply throughout the website/system.
- Access settings: General Settings
- CP session type
- Website Session type
- Send cookies over HTTP only?
- Send cookies securely?
- Require user consent to set cookies?
- Allow members to change username?
- Minimum username length
- Allow multiple logins?
- Require user agent and IP for login?
- Enable password lock out?
- Password lock out interval
- Require secure passwords?
- Minimum password length
- Allow dictionary words in passwords?
- Dictionary file
- Deny duplicate data?
- Require user agent and IP for posting?
- Apply XSS filtering?
- Enable Rank Denial to submitted links?
- Force redirect confirmation on submitted links?
- Cookies and session ID: Both cookies and URL session ID parameters are used to track the admin user. This is the most secure setting since it relies on two individual cookies and a URL session ID.
- Cookies only: Only cookies are used to track the admin user. When this setting is used a “remember me” checkbox will appear next to the Control Panel login page, enabling users to stay permanently logged in.
- Session ID only: Only URL session IDs are used to track the admin user. This option should only be used if your desktop computer prevents you from accepting cookies in the event you are behind a firewall or due to some other technical issue.
- Cookies and session ID: Both cookies and URL session ID parameters are used to track the user throughout their visit.
- Cookies only: Only cookies are used to track the user throughout their visit. This is the default setting, and generally the best option since it prevents URLs from showing session IDs.
- Session ID only: Only URL session IDs are used to track the user throughout their visit.
Optionally specify a domain the cookie is available to. By default, the
exact hostname of the requested page is set as the cookie domain. For
example, if the page at
is loaded and the cookie domain is left blank in ExpressionEngine’s
configuration, the browser will use
www.example.com as the cookie
domain. The browser will only make these cookies available when the
page’s hostname is exactly
If the cookie domain is explicitly specified, however, the browser will
make the cookie available whenever the requested page’s hostname
contains the cookie domain. For example, setting the cookie domain to
.example.com will ensure the cookie is shared whenever the requested
page’s hostname includes
blog.example.com, and so on.
If you’re running multiple subdomains on a single ExpressionEngine installation and want member sessions to be valid across all subdomains, you should explicitly set the cookie domain.
There’s an important difference between
.example.com. When the cookie domain begins with a dot, browsers
match any hostname that includes the cookie domain. Without the
dot prefix, browsers are looking for an exact hostname match in the
URL, which means cookies will not be available to subdomains. A
cookie set by PHP with an explicitly specified cookie domain will
always include the dot prefix, whether or not one is included in
this ExpressionEngine setting. For clarity’s sake, the examples here
include a leading dot when the cookie domain is being explicitly
Browsers will not save cookies if the specified cookie domain
isn’t included in the request’s hostname. In other words, a site can
only set cookies for
.example.com if its hostname actually
Optionally specify a cookie path. When a cookie path is set, the browser
will only share cookies with ExpressionEngine when the beginning of the
URL path matches the cookie path. For example, if the cookie path is set
/blog/, a cookie for the domain
example.com will only be sent
by the browser if the URL begins with
can be useful if you have ExpressionEngine installed in a sub-directory
and want to ensure that only that particular installation has access to
the cookies it sets.
Specify a prefix for the cookie name set by ExpressionEngine. This protects against collisions from separate ExpressionEngine installations on the same cookie domain.
As the name suggests, this setting determines whether or not members are allowed to change their own usernames after registration. (Members will always be able to change their own screen names.)
You may specify the minimum length required for a member username during new member registration. Specify the minimum number of characters required.
Set whether an account can have multiple active sessions at one time.
This feature is incompatible with the “Cookies Only” session type.
If this preference is set to “Yes”, then users will not be able to log in unless their browser (or other access device) correctly supplies their IP address and User Agent (browser) information. Having this set to “Yes” can help prevent hackers from logging in using direct socket connections or from trying to access the system with a masked IP address.
When this preference is set to “Yes”, the system will lock a member account if more than four invalid login attempts are made within a specified time period (see next setting). This preference is designed to deter hackers from using collision attacks to guess poorly chosen passwords. The account remains locked for the duration of the time period. Once the period expires it becomes unlocked.
This setting is used together with the previous preference. Here you can determine, in minutes, the time interval over which more than four invalid login attempts will trigger a lockout. You may use decimals to indicate fractions of a minute: e.g. 1.5 equals one and a half minutes.
If this preference is set to “Yes”, then users will be required to choose a minimally “secure” password. In this case, a password containing at least one uppercase character, one lowercase character, and one numeric character. Passwords that follow this basic formula are much more difficult to guess.
You may specify the minimum length required for a member password during new member registration. Specify the minimum number of characters required. It is common practice to require passwords at least eight (8) characters long.
Set whether words commonly found in the dictionary can be used as passwords. Disabling will make “dictionary attacks” by hackers much more difficult.
In order to be able to use this setting you must have a dictionary file installed.
This is the filename of the dictionary file used for the previous
preference. Download the dictionary file, unzip, and upload
the text file (
Enter only the filename of the file (
dictionary.txt) in this
This option prevents data submitted by users (such as comments) from being processed if it is an exact duplicate of data that already exists. This setting is designed to deter automated spam attacks as well as multiple accidental submissions.
Similar to the previous setting, when turned on, this setting requires IP address and user agent information to be supplied when submitting comments.