Composer plugin that improves website security for Composer-based Drupal projects on Acquia environments by moving all PHP files out of the docroot.
This plugin depends on the drupal-paranoia plugin and performs the additional installation steps needed to run paranoia mode on Acquia Cloud environments.
Would you like to know more about it?
- https://github.com/drupal-composer/drupal-paranoia
- Moving all PHP files out of the docroot
- #1672986: Option to have all php files outside of web root
- Remote Code Execution - SA-CONTRIB-2016-039
- https://twitter.com/drupalsecurity/status/753263548458004480
Make sure you have a drupal-composer/drupal-project-based project created.
Rename your Acquia repo docroot directory to app.
mv docroot app
Update the composer.json of your root package with the following changes:
"extra": {
    "installer-paths": {
        "app/core": ["type:drupal-core"],
        "app/libraries/{$name}": ["type:drupal-library"],
        "app/modules/contrib/{$name}": ["type:drupal-module"],
        "app/profiles/contrib/{$name}": ["type:drupal-profile"],
        "app/themes/contrib/{$name}": ["type:drupal-theme"],
        "drush/contrib/{$name}": ["type:drupal-drush"]
    },
    "drupal-paranoia": {
        "app-dir": "app",
        "web-dir": "docroot"
    },
    "..."
}
Use composer require ... to install this plugin on your project.
composer require jkribeiro/drupal-composer-paranoia-acquia:~1
Run the following commands to make sure that the new folders are installed:
composer drupal:paranoia
composer drupal:paranoia-acquia
Done! Plugin and new docroot are now installed.
Your project is now structured around two folders:
- app: Contains the files and folders of the full Drupal installation.
- docroot: Contains only the symlinks to the asset files and the PHP stub files from the app folder.
Every time that you install or update a Drupal package via Composer, the docroot folder is automatically recreated.
If necessary, you can rebuild it manually by running the command:
composer drupal:paranoia
This can be necessary after updating theme images, CSS and JS files.
The last step is to commit and push the changes to the Acquia Cloud git repository.
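A check you can run before committing, given here as an added example that is not part of the plugin: it flags anything in the web dir that is neither a symlink to a non-PHP file nor a `.php` stub, following the layout described above. The function name, the finding labels and the list of extensions treated as PHP code are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a paranoia-style web dir (docroot) after a rebuild.
# Assumption: these extensions are what counts as Drupal PHP code.
PHP_EXT_RE='\.(php|inc|module|install|theme|engine|profile)$'

# audit_docroot WEB_DIR
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_docroot() {
    web_dir=$1
    findings=$(
        # Symlinks must resolve to assets, never to PHP source in the app dir.
        find "$web_dir" -type l | while IFS= read -r link; do
            target=$(readlink -f "$link" 2>/dev/null) || target=
            if [ -z "$target" ] || [ ! -e "$target" ]; then
                echo "BROKEN_LINK $link"
            elif printf '%s\n' "$target" | grep -Eiq "$PHP_EXT_RE"; then
                echo "PHP_SYMLINK $link -> $target"
            elif [ -d "$target" ] &&
                 find "$target" -type f | grep -Eiq "$PHP_EXT_RE"; then
                # A linked directory would serve every PHP file beneath it.
                echo "PHP_DIR_SYMLINK $link -> $target"
            fi
        done
        # Regular files in the web dir should only be the generated PHP stubs.
        find "$web_dir" -type f | while IFS= read -r file; do
            printf '%s\n' "$file" | grep -Eiq '\.php$' ||
                echo "UNEXPECTED_FILE $file"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Source the file and run `audit_docroot docroot` from the repository root; a non-zero exit status means the web dir does not match the expected layout and should be rebuilt or reviewed.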