Craft CMS is built on PHP and the Yii framework; it reads its secrets from a .env file and manages its dependencies with Composer. Its security posture therefore depends on environment-variable hygiene and on restricting access to the control panel.
1) Protect secrets and administrative access
- keep .env and SECURITY_KEY protected and excluded from public paths
- rotate database and API credentials through secret management
- protect the admin panel behind MFA or SSO and IP restrictions where feasible
2) Control extensions and update cadence
- apply Craft and plugin updates promptly after staging tests
- pin Composer dependencies and run vulnerability scans in CI
3) Harden runtime and deployment perimeter
- enforce a read-only filesystem for production app code except required writable dirs
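As an added example (not code from the Craft CMS project or its documentation), a POSIX shell pre-deploy check for the secret-hygiene and dependency-pinning points above; it assumes Craft's usual layout (.env and composer.lock at the project root, web/ as the public document root) and a 32-character minimum for SECURITY_KEY, which is our assumption rather than a Craft requirement.

```shell
#!/bin/sh
# Added example, not from the Craft CMS project: pre-deploy sanity checks.
# Assumed layout: .env and composer.lock at ROOT, "web/" is the document root.

# check_craft_layout ROOT -> exit status 0 when every check passes, 1 otherwise
check_craft_layout() {
  root="$1"
  failed=0
  # .env must exist at the project root ...
  if [ ! -f "$root/.env" ]; then
    echo "FAIL: $root/.env missing"; failed=1
  fi
  # ... and never sit anywhere under the public web root
  if [ -d "$root/web" ] && find "$root/web" -name '.env' | grep -q .; then
    echo "FAIL: .env found under public web root"; failed=1
  fi
  # .env must not be readable by other users on the host (world-read bit)
  if [ -f "$root/.env" ] && find "$root/.env" -perm -004 | grep -q .; then
    echo "FAIL: .env is world-readable"; failed=1
  fi
  # SECURITY_KEY must be set and non-trivial (32 chars is our assumed minimum)
  key=$(sed -n 's/^SECURITY_KEY=//p' "$root/.env" 2>/dev/null | tr -d '"' | head -n 1)
  if [ "${#key}" -lt 32 ]; then
    echo "FAIL: SECURITY_KEY missing or shorter than 32 characters"; failed=1
  fi
  # composer.lock must be present so CI scans the exact pinned versions
  if [ ! -f "$root/composer.lock" ]; then
    echo "FAIL: composer.lock missing, dependencies are not pinned"; failed=1
  fi
  return "$failed"
}

# make_fixture DIR good|bad -> constructed sample project tree for a dry run
make_fixture() {
  mkdir -p "$1/web" && : > "$1/composer.lock"
  if [ "$2" = good ]; then
    # constructed 40-character key, owner-only readable
    echo 'SECURITY_KEY="CONSTRUCTED_EXAMPLE_KEY_0123456789abcdef"' > "$1/.env"
    chmod 600 "$1/.env"
  else
    echo 'SECURITY_KEY=short' > "$1/.env"   # weak key
    chmod 644 "$1/.env"                     # world-readable
    cp "$1/.env" "$1/web/.env"              # secret inside the document root
  fi
}

tmp=$(mktemp -d); make_fixture "$tmp/good" good; make_fixture "$tmp/bad" bad
check_craft_layout "$tmp/good" && echo "good fixture passes"
check_craft_layout "$tmp/bad" || echo "bad fixture rejected"
```

Run it from CI against the checked-out project root before the deploy step; a non-zero status blocks the deploy.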
- Craft CMS docs: https://craftcms.com/docs
- Craft CMS source: https://github.com/craftcms/cms