⚠️ CRITICAL SECURITY NOTICE: Pico CMS is no longer maintained since August 2020. No security updates are available. Using Pico CMS for new projects is not recommended. Consider actively maintained alternatives like Grav CMS, Typemill, HTMLy, or Automad.
Pico CMS is a flat-file PHP CMS. The main security controls are file-level hardening and plugin/theme supply-chain control.
⚠️ No Updates Available: Pico CMS no longer receives security updates. Any vulnerabilities discovered will not be patched.
# Set directory permissions
find /var/www/picocms -type d -exec chmod 755 {} \;
# Set file permissions
find /var/www/picocms -type f -exec chmod 644 {} \;
# Config files: read-only
chmod 644 /var/www/picocms/config/config.php
# Content files: read-only
chmod 644 /var/www/picocms/content/*.md
# Set ownership
sudo chown -R www-data:www-data /var/www/picocms
Apache (.htaccess in content/ directory; only honored if AllowOverride is enabled for that path, so putting the same block in the vhost configuration is the more reliable choice):
<Files "*.php">
    # Apache 2.4 syntax; on Apache 2.2 use "Deny from all" instead.
    # "Deny from all" on 2.4 without mod_access_compat is an invalid directive and breaks the site.
    Require all denied
</Files>
Nginx (place this block before the general `location ~ \.php$` handler: the first matching regex location wins, so a deny rule listed after the PHP handler is never reached):
location ~* /content/.*\.php$ {
    deny all;
}
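To check that an install still matches the baseline above, here is an added audit script (not part of the original page or of Pico CMS). It reports directories and files whose modes drifted from 755/644, any .php file left under content/, files not owned by the expected account, and a missing content/.htaccess on Apache deployments. It assumes GNU find (for -printf) and the ROOT/config/ and ROOT/content/ layout used in the commands above.

```shell
#!/bin/sh
# Audit a Pico CMS tree against the hardening above. Assumes GNU find
# (-printf) and the layout used earlier: ROOT/config/ and ROOT/content/.
# Usage: pico_audit ROOT [OWNER]  -> one line per finding, nothing if clean.
pico_audit() {
    root="$1"
    owner="${2:-}"
    # Directories that are not exactly 755 (catches world-writable dirs)
    find "$root" -type d ! -perm 755 -printf 'DIR %p mode %m, expected 755\n'
    # Files that are not exactly 644 (catches executable and world-writable files)
    find "$root" -type f ! -perm 644 -printf 'FILE %p mode %m, expected 644\n'
    # PHP under content/ should not exist at all; the web-server deny rule
    # is a backstop for a mistake, not a reason to keep scripts there
    find "$root/content" -type f -name '*.php' \
        -printf 'PHP %p inside content/, remove it\n' 2>/dev/null
    # Ownership drift, checked only when an expected owner is given
    if [ -n "$owner" ]; then
        find "$root" ! -user "$owner" -printf "OWNER %p owned by %u, expected $owner\n"
    fi
    # Apache deployments: the deny block lives in content/.htaccess
    if [ ! -f "$root/content/.htaccess" ]; then
        echo "MISSING $root/content/.htaccess (Apache deny block for *.php)"
    fi
}

# Number of findings; 0 means the tree matches the hardening baseline
pico_audit_count() {
    pico_audit "$1" "$2" | wc -l | tr -d ' '
}

# Example run (the path and account are placeholders for a real install):
# pico_audit /var/www/picocms www-data
```

Run it from cron or a deploy hook and alert on a non-zero count; on Nginx deployments the MISSING line can be ignored, since the deny rule lives in the server configuration instead.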
Pico uses Twig templating. Ensure templates are secure: