


drupal-composer/drupal-paranoia
===============================

Composer Plugin for improving the security of composer-based Drupal projects by moving all PHP files out of docroot.

Version 1.1.1. License: GPL-2.0-or-later. Requires PHP >=5.4.5.



Drupal Paranoia
===============


Composer plugin for improving the website security for composer-based Drupal websites by moving all **PHP files out of docroot**.

Why use this Plugin?
--------------------


The critical security issue in [Coder](https://www.drupal.org/project/coder) is a good example of why to consider moving PHP files outside of the docroot:

- [SA-CONTRIB-2016-039 - Remote Code Execution](https://www.drupal.org/node/2765575)

More related links:

- [Moving all PHP files out of the docroot](https://www.drupal.org/node/2767907)
- [\#1672986: Option to have all php files outside of web root](https://www.drupal.org/node/1672986)

Requirements
------------


Except for Windows, this plugin should work on environments that have Composer support. Do you use Windows? [Help us](https://github.com/drupal-composer/drupal-paranoia/issues/5).

Installation
------------


Make sure you have created a project based on [drupal-composer/drupal-project](https://github.com/drupal-composer/drupal-project).

Rename your current docroot directory to `/app`.

```
cd drupal-project-root
mv web app

```

Update the `composer.json` of your root package with the following values:

```
"extra": {
    "drupal-paranoia": {
        "app-dir": "app",
        "web-dir": "web"
    },
    "installer-paths": {
        "app/core": ["type:drupal-core"],
        "app/libraries/{$name}": ["type:drupal-library"],
        "app/modules/contrib/{$name}": ["type:drupal-module"],
        "app/profiles/contrib/{$name}": ["type:drupal-profile"],
        "app/themes/contrib/{$name}": ["type:drupal-theme"],
        "drush/contrib/{$name}": ["type:drupal-drush"]
    }
}
```

Explanation:

- **/app** folder: The full Drupal installation.
- **/web** folder: Contains only symlinks to the asset files and PHP stub files (index.php, install.php, etc.) from the `/app` folder.

Use `composer require ...` to install this Plugin on your project.

```
composer require drupal-composer/drupal-paranoia:~1

```

Done! The plugin and the new docroot are now installed.

### Asset file types


The asset files are symlinked from the `/app` folder to the `/web` folder.

Default asset file types are provided by the plugin:

```
robots.txt
.htaccess
*.css
*.eot
*.ico
*.gif
*.jpeg
*.jpg
*.js
*.map
*.otf
*.png
*.svg
*.ttf
*.woff
*.woff2

```

To extend the list of asset file types, use the `asset-files` config:

```
"extra": {
    "drupal-paranoia": {
        "app-dir": "app",
        "web-dir": "web",
        "asset-files": [
            "somefile.txt",
            "*.md"
        ]
    },
    "..."
}
```

If you need to modify the list you can use the `post-drupal-set-asset-file-types` event:

```
"scripts": {
    "post-drupal-set-asset-file-types": [
        "DrupalProject\\composer\\ScriptHandler::setAssetFileTypes"
    ],
    "..."
},
```

```
