SPIP’s default security
There are two "sensitive" folders in SPIP, which are the ecrire/data folders. The first contains all of the cache files used to accelerate the display of web pages, and is therefore moderately sensitive. The second records the activity logs for SPIP (the spip.log files) and additionally allows you to create dump.xml backup files for the database.
dump.xml files contain very sensitive data: in particular, they expose all of the articles, even those not made visible on the public site, as well as all of the identifiers and passwords of the editors and administrators of the site.
The security of all of these files is traditionally ensured using access configuration files named .htaccess. SPIP automatically generates these files to prevent access to the sensitive data stored on the server: you can check that the ecrire/data folders each contain one of these.
Unfortunately, these files work under Apache (the web server used to make the vast majority of the Internet’s web sites work) but not under IIS (Internet Information Services, the web server from Microsoft).
Protecting your data under IIS: one additional step
If your site has been installed on IIS, absolutely anyone can view the folders that are supposed to be secured by .htaccess files, so you need to protect them in another way.
To protect a folder on your site: open the administration panel for your web server, right click on the directory in question, click on "properties", and uncheck the check box labelled "Read" found on the "Directory" tab.
- The properties screen for the /tmp directory
- Uncheck the "Read" checkbox in order to protect the folder the same way that Apache would do using an .htaccess file
Perform this same operation for both of the ecrire/data folders. If you have done it right, you should no longer be able to access the files in these folders through the web server. You can test your configuration by trying to display http://www.yoursite.com/ecrire/data/spip.log from your normal browser. You should receive a message of some kind that indicates "Access refused".
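The browser test above can be scripted so that it is repeated for every sensitive file after each server change. This is an added example, not part of SPIP: the function names, the verdict labels and the folder list passed in are assumptions, and only the file names spip.log and dump.xml come from this page.

```python
import urllib.error
import urllib.request

# File names this page identifies as sensitive; folders are supplied by the caller.
SENSITIVE_FILES = ("spip.log", "dump.xml")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report 3xx as-is instead of following it to another page


def http_status(url, timeout=10):
    """GET url without following redirects; return the status (0 = no answer)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry a status
        return err.code
    except urllib.error.URLError:          # DNS failure, refused connection...
        return 0


def audit(base_url, folders, fetch=http_status):
    """Return {url: (status, verdict)} for each sensitive file in each folder."""
    results = {}
    for folder in folders:
        for name in SENSITIVE_FILES:
            url = f"{base_url.rstrip('/')}/{folder.strip('/')}/{name}"
            status = fetch(url)
            if 200 <= status < 300:
                verdict = "EXPOSED"   # the server handed the file over
            elif status in (401, 403):
                verdict = "blocked"   # the "Access refused" answer expected here
            else:
                # 404 may only mean the file does not exist yet; a redirect or
                # an error says nothing about the folder's read permission.
                verdict = "review"
            results[url] = (status, verdict)
    return results


if __name__ == "__main__":
    # Placeholder host from the page; list both sensitive folders of your install.
    for url, (status, verdict) in audit("http://www.yoursite.com", ["ecrire/data"]).items():
        print(f"{verdict:8} {status:3} {url}")
```

A custom error page that answers with status 200 will show up as EXPOSED, so confirm such a result by looking at the response body.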