Securing Movable Type
Built on a solid framework of underlying technologies that lend themselves well to creating a secure environment, Movable Type has a strong security track record. Still, we have added more features in recent versions to help you manage security even better. Through a combination of Movable Type and server environment configuration, this guide will help you make your installation as secure as possible.
Use the latest version of Movable Type
This obvious but often delayed strategy cannot be overstated. Using old versions of any software exposes you to potential security issues that are now trivially discoverable by the astute marauder. Though Movable Type can be set up in such a way that it is not publicly accessible, greatly mitigating attack risk, keeping the software updated should be a core piece of your security strategy.
Each version generally includes new features in addition to bug fixes and security hardening to prevent any identified issues.
For users with Movable Type 5 or earlier, we strongly advise you to upgrade to Movable Type 6.
Encrypt communication
HTTPS communication is necessary to protect from a third party being able to obtain login information and data while users work within the Movable Type interface.
Generally, you must either generate a self-signed Secure Sockets Layer certificate or purchase an SSL certificate from a vendor. You could use it to specifically secure your Movable Type installation or for your entire website. Refer to your web server’s documentation for more information on enabling HTTPS.
Please also be aware of the recent vulnerabilities discovered in OpenSSL, a common SSL and Transport Layer Security implementation. You may need to upgrade your server software, obtain a new certificate, or both.
Use HTTP Basic Authentication
HTTP Basic Authentication is easy to implement and can help protect sensitive information. We recommend using an authorization ID and password that differ from your Movable Type username and password. This strategy is more effective when used with HTTPS.
Documentation for specific web servers:
- Apache 2.2: mod_auth_basic
- Apache 2.4: mod_auth_basic
- Nginx: ngx_http_auth_basic_module
Change CGI script names
Another strategy is to use Movable Type configuration directives to change the names of high-risk CGI scripts to nonstandard names that are difficult to guess.
We recommend using the directives AdminScript and UpgradeScript to change these prominent script names to prevent third party access to the application.
Configuration directives and their related CGI Scripts
- AdminScript: main administration script
- UpgradeScript: upgrade script
- CommentScript: provides commenting functionality
- ActivityFeedScript: retrieves the activity log feed
- DataAPIScript: accesses the Data API
- CommunityScript: provides community solution functionality
- CheckScript: provides information on installation environment, including installed and missing Perl modules
- TrackbackScript: provides Trackback functionality
- AtomScript: accesses the Atom API
- SearchScript: provides search functionality
- XMLRPCScript: provides XML-RPC functionality
Disable unused scripts
Movable Type provides CGI scripts for various functions, and there are situations where some users do not need all the scripts. Security can be improved by removing execute permissions on any scripts not in use.
Also, over several Movable Type upgrades, deprecated CGI scripts for functions included in older versions remain in the directory. These can be safely removed or disabled.
Functions and related CGI scripts provided by Movable Type
- If not using Movable Type comment functions, remove execute permission for mt-comments.cgi.
- If not using trackback functions, remove execute permission for mt-tb.cgi.
- If not using Movable Type Data API functions, remove execute permission for mt-data-api.cgi.
- If not using the log feed function, remove execute permission for mt-feed.cgi.
- If not using the Movable Type search function on a published site, remove execute permission for mt-search.cgi and mt-ftsearch.cgi.
- If not using the XMLRPC function, remove execute permission for mt-xmlrpc.cgi.
- If not using the Atom API function, remove execute permission for mt-atom.cgi.
Deprecated CGI Scripts from older versions of Movable Type
- mt-add-notify.cgi
- mt-view.cgi
CGI Scripts only used during installation
- mt-wizard.cgi
- mt-upgrade.cgi (required when upgrading Movable Type or some plugins)
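As an added example (not part of Movable Type or its documentation), the following POSIX shell helper turns the lists above into a repeatable step: it maps a feature keyword to the scripts named in this guide, strips their execute bit, and then reports which mt*.cgi scripts remain executable so the result can be reviewed after each upgrade. The feature keywords and the install path are assumptions; mt-upgrade.cgi is deliberately never touched, and the same dataapi keyword covers the Data API script discussed later on this page.

```shell
#!/bin/sh
# Added example, not part of Movable Type: disable the CGI scripts behind
# unused features by removing their execute bit. Script names are the ones
# this guide lists; the feature keywords and the MT directory are assumptions.

# Print the script(s) that implement a feature, or fail for an unknown name.
mt_scripts_for() {
    case "$1" in
        comments)   echo "mt-comments.cgi" ;;
        trackback)  echo "mt-tb.cgi" ;;
        dataapi)    echo "mt-data-api.cgi" ;;
        feed)       echo "mt-feed.cgi" ;;
        search)     echo "mt-search.cgi mt-ftsearch.cgi" ;;
        xmlrpc)     echo "mt-xmlrpc.cgi" ;;
        atom)       echo "mt-atom.cgi" ;;
        deprecated) echo "mt-add-notify.cgi mt-view.cgi" ;;
        install)    echo "mt-wizard.cgi" ;;   # mt-upgrade.cgi stays: needed for upgrades
        *)          return 1 ;;
    esac
}

# Usage: mt_disable_features <mt_dir> <feature>...
# Removes execute permission from each listed feature's scripts that exist in
# <mt_dir>, printing the names it changed. Scripts that are not present are
# skipped; an unknown feature name aborts with a non-zero status.
mt_disable_features() {
    dir="$1"; shift
    for feature in "$@"; do
        scripts=$(mt_scripts_for "$feature") || {
            echo "unknown feature: $feature" >&2
            return 1
        }
        for script in $scripts; do
            path="$dir/$script"
            [ -f "$path" ] || continue
            chmod a-x "$path" && echo "$script"
        done
    done
}

# Print the mt*.cgi scripts in <mt_dir> that are still executable: the list
# worth reviewing after a disable pass or after an upgrade restores files.
mt_list_executable() {
    for path in "$1"/mt*.cgi; do
        [ -x "$path" ] && basename "$path"
    done
    return 0
}

# Example run against an assumed install path:
# mt_disable_features /var/www/mt comments trackback xmlrpc && mt_list_executable /var/www/mt
```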
Use strong passwords
Accounts whose passwords are, or contain, common words or phrases, or are otherwise too simple, can be easily hijacked. Password validation rules can ensure users create stronger passwords by enforcing requirements such as a minimum password length and the use of special symbols.
Utilize the lockout function
Many brute force attacks can be prevented by using account lockout features.
By default, if a user types in the wrong password six times within a 30 minute period, or if there are 10 failed login attempts from the same IP address, the account or IP address in question is locked out for 30 minutes. This greatly slows down a brute force attack and allows administrators to intervene.
Disable part or all of the Data API
The Data API released with Movable Type 6 can be used to retrieve information from the system. Depending on your needs, you may want to prevent outside parties from viewing certain content. To ensure only the information you want publicly accessible can be retrieved, we recommend using the DisableResourceField configuration directive.
In order to disable information retrieval by the Data API for an entire site, you can either revoke execute permissions on the Data API script, mt-data-api.cgi, or change the name of the script using DataAPIScript. We also plan to provide more options for disabling the Data API functions for specific blogs or websites in a future version of Movable Type.
Note: There also exists a plugin that can revoke Data API permissions for a single blog, but it is currently only in Japanese. See M-Logic’s website for more information on Movable Type Data API Disabler Plug-In v1.0 (JP).
Monitor logs
Along with the above tips, it is also good practice to routinely check for suspicious activity in your Movable Type activity log and other server logs, such as the access log and error log.
Managed solutions
Six Apart has partnered with the U.S.-based hosting company ArckCloud to offer managed Movable Type installations. This can alleviate the hassle of maintaining a server and handling installation and upgrades. See ArckCloud’s Movable Type page to get started!