Concrete Configuration Best Practices

Concrete CMS now has a Configuration Best Practices documentation page which provides a checklist to help you make sure that your Concrete site is secure!

Most are Concrete CMS security hardening recommendations. We also include a few “common sense” pointers.

While we do give some suggestions for securing your webserver based on our team’s site setup checklist, the source of truth for your site’s infrastructure configuration should be the best practices documentation for whichever webserver you are using.

Concrete’s Configuration Best Practices will only get better with time!


Nice practices! It’s a good checklist, too.



This is a long list that contains serious security requirements but also contains just best practices.

How about separate sections like “Must”, “Should”, “Better to consider”, etc.?


This is a shameless plug, but a while ago I wrote an article on my blog with 8 easy ways to harden Concrete’s security. It’s a non-technical article really, for beginners. But anyway, I just updated it with a link to your list (at the bottom under “Where to go from here”) and it also offers a list of a few security-related packages from the marketplace.

The article is here if anybody’s interested: 8 easy ways to harden your concrete5 website's security right now


Not ashamed to admit that I learned a thing or two when I read that blog post a year or so ago, @mnakalay. It’s a good intro to securing a Concrete site.


Great idea, @hissy! Next time I am overhauling this page I will do it! Thanks for the suggestion.

I read your article, @mnakalay, when we were creating this Concrete hardening page! Your article was one of the only “how to secure Concrete” sources out there and was the impetus to put out an official Config Best Practices.


@LisaN @Myq thank you both :smiling_face: