Secure the Back End of Movable Type 4 (or 5): SSL and Mod Rewrite
In a default Movable Type installation you access the administrative and authoring back end over plain HTTP - i.e. port 80, unencrypted - and anyone with an interest and the necessary tools who happens to sit on the path your data takes between you and the server can read your username, password and anything else you send.
Doing something about this is fortunately quite easy, provided you have at least some control over your hosting environment. As a starting point, I'll assume the following:
- Your web server accepts secure HTTPS connections on port 443 as well as plain HTTP connections on port 80.
- You may or may not have an SSL certificate purchased from a vendor such as VeriSign. For your purposes here a self-signed certificate will do. Your browser will show a warning when you first access the site, because it cannot verify who issued the certificate; once you have checked the certificate's fingerprint and told the browser to trust it, the encryption on the connection is the same as with a purchased certificate. Until you have done that check, the warning is your only defence against someone substituting a certificate of their own.
- You are running an Apache httpd server with mod_rewrite enabled.
- The Apache configuration lets you place directives in .htaccess files in specific directories of your site (i.e. AllowOverride is not set too restrictively - mod_rewrite directives in .htaccess need AllowOverride FileInfo, and Options FollowSymLinks must be on).
The first thing you want to do is pretty simple: use mod_rewrite directives to redirect plain HTTP requests for the back end of your Movable Type installation to HTTPS. An installation typically looks something like this:
Back End:
  /var/www/cgi-bin/
  /var/www/cgi-bin/mt
Front End:
  /var/www/html
  /var/www/html/mt-static
The /cgi-bin directory may be in any one of a number of other places (such as being a subfolder of /html), but regardless your installation is split between the contents of /cgi-bin and the contents of /html. The Movable Type code is largely contained within /cgi-bin/mt and /html/mt-static.
Now create /var/www/.htaccess and put the following directives into it:
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteCond %{HTTP_HOST} !^www\.example\.com$
RewriteRule ^(.*) http://www.example.com/$1 [L,R=301]
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} !^www\.example\.com$
RewriteRule ^(.*) https://www.example.com/$1 [L,R=301]
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^cgi-bin/mt/mt\.cgi(.*) https://www.example.com/cgi-bin/mt/mt.cgi$1 [L]
These lines tell the server to ensure that (a) all requests to the site are on the www.example.com host, and (b) any plain HTTP request for the main Movable Type back end URL is redirected to HTTPS. (The dots in the patterns are escaped so that they match a literal "." rather than any character, and the port checks are anchored so that "80" cannot match, say, "8080".) The last rule carries no R flag, but mod_rewrite still issues an external redirect (a 302) because the substitution is an absolute URL on a different scheme; add R=301 to its flags if you want that redirect to be permanent. We could have written a blanket rule redirecting all /cgi-bin/* URLs, but a number of /cgi-bin/mt/*.cgi files are accessed by visitors to the website - such as mt-comments.cgi - and if you are using a self-signed SSL certificate you don't want those visitors to see the warning it generates.
99.9% of the time /cgi-bin/mt/mt.cgi is the first URL you hit when you enter the back end of your Movable Type blog, so this should do. Be aware that the rule only catches that one script: any other back-end URL requested over plain HTTP is left alone.
Now you will have to make a couple of alterations to your /cgi-bin/mt/mt-config.cgi file. The admin and the front end of the blog need different CGIPath settings - AdminCGIPath with an https:// URL, CGIPath with the plain http:// one - and StaticWebPath must be a root-relative URL (no scheme or host), so that it picks up whichever scheme the page itself was loaded with - as below:
# The CGIPath is the URL to your Movable Type directory
AdminCGIPath https://www.example.com/cgi-bin/mt/
CGIPath http://www.example.com/cgi-bin/mt/

# The StaticWebPath is the URL to your mt-static directory
# Note: Check the installation documentation to find out
# whether this is required for your environment. If it is not,
# simply remove it or comment out the line by prepending a "#".
StaticWebPath /mt-static/
Omitting either of these changes will cause a variety of problems, such as edit form pages showing up blank or the browser warning about insecure (mixed) content.
Lastly, you should remove the Zemanta plugin completely - delete the folder /cgi-bin/mt/plugins/zemanta. Even when its functionality is disabled it still makes a plain HTTP request for its script from the administration pages, which is exactly the kind of mixed content the browser warns about, so it must go.
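As an added example (not part of the original post, and not Apache or Movable Type code), here is a small Python model of the ruleset above that lets you confirm which requests get redirected and which are left alone, plus a check of the three mt-config.cgi settings. It assumes the host www.example.com and the paths used on this page, models only the mod_rewrite features the ruleset uses (per-directory context, RewriteCond on the two variables, $1 backreferences, the [L] flag and the external redirect that an absolute-URL substitution produces), and is no substitute for pointing curl -I at the live server.

```python
"""Model of the .htaccess rules above and a check of mt-config.cgi.

Added example, not Apache or Movable Type code. Only the mod_rewrite
features the page's ruleset uses are modelled. Per-directory context is
assumed, so the matched path is relative to /var/www with no leading "/".
"""
import re
from urllib.parse import urlsplit

# The .htaccess ruleset from above, regex dots escaped so that
# "www.example.com" matches only that host name.
HTACCESS = r"""
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteCond %{HTTP_HOST} !^www\.example\.com$
RewriteRule ^(.*) http://www.example.com/$1 [L,R=301]
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} !^www\.example\.com$
RewriteRule ^(.*) https://www.example.com/$1 [L,R=301]
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^cgi-bin/mt/mt\.cgi(.*) https://www.example.com/cgi-bin/mt/mt.cgi$1 [L]
"""


def parse_rules(text):
    """Group each RewriteRule with the RewriteCond lines that precede it."""
    rules, conds = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "RewriteCond":
            var, pattern = parts[1], parts[2]
            conds.append((var, re.compile(pattern.lstrip("!")), pattern.startswith("!")))
        elif parts[0] == "RewriteRule":
            flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
            rules.append({"conds": conds, "pattern": re.compile(parts[1]),
                          "subst": parts[2], "flags": flags})
            conds = []
    return rules


RULES = parse_rules(HTACCESS)


def rewrite_once(rules, server_port, http_host, path):
    """Return the redirect target for one request, or None if no rule fires."""
    env = {"%{SERVER_PORT}": server_port, "%{HTTP_HOST}": http_host}
    for rule in rules:
        m = rule["pattern"].search(path)
        if m is None:
            continue
        # Every RewriteCond must hold; a '!' condition must NOT match.
        if not all(bool(rx.search(env[var])) != neg for var, rx, neg in rule["conds"]):
            continue
        target = rule["subst"]
        for i, group in enumerate(m.groups(), start=1):
            target = target.replace(f"${i}", group or "")
        return target  # every rule here carries [L], so the first hit wins
    return None


def follow(rules, server_port, http_host, path, max_hops=5):
    """Chase redirects as a browser would; return the list of Location hops."""
    hops = []
    while len(hops) < max_hops:
        target = rewrite_once(rules, server_port, http_host, path)
        if target is None:
            return hops
        hops.append(target)
        u = urlsplit(target)
        server_port = "443" if u.scheme == "https" else "80"
        http_host, path = u.hostname, u.path.lstrip("/")
    raise RuntimeError("redirect loop")


# Constructed mt-config.cgi fragment with the settings described above.
MT_CONFIG = """
AdminCGIPath https://www.example.com/cgi-bin/mt/
CGIPath http://www.example.com/cgi-bin/mt/
StaticWebPath /mt-static/
"""


def check_mt_config(text):
    """Return the settings that would break an HTTPS-only admin back end."""
    values = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            values[parts[0]] = parts[1].strip()
    problems = []
    if not values.get("AdminCGIPath", "").startswith("https://"):
        problems.append("AdminCGIPath must be an https:// URL")
    # A root-relative StaticWebPath inherits the scheme of the page, so admin
    # pages loaded over HTTPS fetch mt-static over HTTPS too (no mixed content).
    swp = values.get("StaticWebPath", "")
    if not (swp.startswith("/") or swp.startswith("https://")):
        problems.append("StaticWebPath must be root-relative or an https:// URL")
    return problems
```

Running follow(RULES, "80", "example.com", "cgi-bin/mt/mt.cgi") shows why the host-canonicalising rules come first: a plain HTTP request for mt.cgi on the bare domain takes two hops (first to www.example.com over HTTP, then to HTTPS), while mt-comments.cgi over port 80 on the canonical host is left untouched, exactly as the text intends.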
So there you have it - quick and simple.