I was wondering if the basic skeleton of a web application generated by the yiic tool is secure enough for big sites. By big sites I mean, let's say, up to 10.0000 visits per day. Small sites don't attract as much hacker attention as big ones. (Am I wrong?) So I was thinking about the security issues.
Maybe separate the config files, runtime, components, models and controllers under the non-public folder, and the views in the public one, instead of just protecting the files with a .htaccess.
What do you think about it? Should I be concerned about it? I just got a big project and want to start right so I won't waste extra time afterwards.
Well, protecting folders using .htaccess is related only to Apache and therefore to the web front end of the application. If you also provide other ways to the data, let's say FTP or maybe even some sort of restricted shell access, it might be worth separating parts of the application that shouldn't be accessed.
As far as I can remember, you can move the whole "protected" folder out of Apache's document root…
But to be honest: I’ve never tried it, and I think there are more important security tasks you’ll have to keep an eye on. However, it depends on what you’re planning to do.
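As an added illustration of the "move protected out of the document root" approach mentioned in the answer (this is example code written for this page, not the Yii project's own skeleton, and the directory layout under /var/www/example is an assumption): the only file that changes is the entry script in the public folder, because the main.php generated by yiic already computes its basePath relative to its own location.

```php
<?php
// public/index.php - entry script for a Yii 1.x application whose
// "protected" directory lives OUTSIDE the web server's document root.
// Assumed layout (hypothetical, chosen for this example):
//   /var/www/example/public/     <- Apache DocumentRoot (index.php, assets/, css/, js/)
//   /var/www/example/protected/  <- config/, controllers/, models/, views/, runtime/
//   /var/www/example/framework/  <- the Yii framework files
//
// Compared with the yiic-generated skeleton (which keeps protected/ under
// the document root behind a "deny from all" .htaccess), only the two
// paths below move up one directory level.

$appRoot = dirname(dirname(__FILE__));          // /var/www/example
$yii     = $appRoot.'/framework/yii.php';
$config  = $appRoot.'/protected/config/main.php';

// Defensive check: refuse to start if protected/ is somehow reachable
// through the document root (misconfigured vhost, tree copied wholesale).
$docRoot   = realpath($_SERVER['DOCUMENT_ROOT']);
$protected = realpath($appRoot.'/protected');
if ($docRoot !== false && $protected !== false
    && strpos($protected.DIRECTORY_SEPARATOR, $docRoot.DIRECTORY_SEPARATOR) === 0) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Deployment error: protected/ must not live under the document root.');
}

// Production settings: no debug output or trace logs reach visitors.
defined('YII_DEBUG') or define('YII_DEBUG', false);
defined('YII_TRACE_LEVEL') or define('YII_TRACE_LEVEL', 0);

require_once($yii);
Yii::createWebApplication($config)->run();
```

With this layout the Apache DocumentRoot points at public/ only, so nothing in protected/ or framework/ can be served even if .htaccess processing is disabled (AllowOverride None). Two things still need attention: protected/runtime/ must stay writable by the web server user, and the assets/ directory has to remain inside public/ because Yii publishes files there for browsers to fetch.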