There isn't an official stance on securing Evolution to my knowledge; however, the old method for the most part should still apply. If we come up with a newer list I don't mind adding it to the docs.
I'm inclined to suggest the following practices:
Pre-Server Protection: CloudFlare (cloudflare.com)
Server Protection:
Apache Configuration: suPHP or FastCGI with suExec
Additional: mod_security and suhosin
File/Folder Permissions: 644/755 (suPHP/FastCGI with suExec)
Post Install: /manager/includes/config.inc.php to 600
.htaccess:
# burp in response to malicious scripts
RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*) [NC]
RewriteRule ^(.*)$ 404-burp? [R,L]
Source:
http://www.phpfreaks.com/tutorial/preventing-remote-file-include-attacks-with-mod-rewrite
# first, block bad bots
RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
RewriteRule .* - [F,L]
RewriteCond %{QUERY_STRING} snippet\.reflect\.php [NC,OR]
RewriteCond %{QUERY_STRING} reflect_base [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl [NC]
RewriteRule .* - [F,L]
Source:
http://forums.modx.com/thread/19933/lowering-artificial-traffic-on-modx-site#dis-post-111168
Additional Ideas:
- Force the use of SSL for manager login
- .htaccess ip restriction for manager
- .htaccess password protection for manager
- Regularly updated server!
The most important aspect of securing the site is securing the server; after all, if the server is compromised no amount of site security will help you. We're big fans of CloudFlare as it's a free solution that helps beef up protection BEFORE the server: if they can't access the server directly, it's much harder to affect you. We are actually partnered with them, which simplifies the setup for our clients. Over the last two weeks, over 21k attacks directed at our customers were stopped and over 220TB of bandwidth saved, all at no cost.
Any other suggestions?
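As an added example (not from the post above and not MODX's own code), here is a /manager/.htaccess for Apache 2.4 that puts the three "Additional Ideas" together: force SSL, restrict by IP, and password-protect the manager. The 203.0.113.0/24 range and the AuthUserFile path are placeholders to replace with your own values.

```apacheconf
# Added example, not part of the original post: /manager/.htaccess for Apache 2.4
# combining "force SSL", "IP restriction" and "password protection".
# 203.0.113.0/24 and the AuthUserFile path are placeholders.

# Refuse plaintext requests outright (mod_ssl). SSLRequireSSL is evaluated in the
# access-check phase, before authentication, so a browser arriving over http://
# gets a 403 and is never asked to send Basic-auth credentials in the clear.
# A per-directory mod_rewrite redirect runs later (fixup phase) and would let the
# 401 challenge, and the reply with credentials, happen before the redirect.
SSLRequireSSL

# Both conditions must hold: the client is in the allowed range AND presents a
# valid manager password. Without <RequireAll>, Apache 2.4 treats sibling Require
# lines as "any of", so a correct password alone would bypass the IP check.
AuthType Basic
AuthName "MODX Manager"
AuthUserFile /path/outside/webroot/.htpasswd-manager
<RequireAll>
    Require ip 203.0.113.0/24
    Require valid-user
</RequireAll>
```

Create the password file outside the web root with `htpasswd -c /path/outside/webroot/.htpasswd-manager <user>`. On Apache 2.2 the equivalent of the `<RequireAll>` block is `Order Deny,Allow` / `Deny from all` / `Allow from 203.0.113.0/24` / `Require valid-user` together with `Satisfy All`; `Satisfy Any` would make it either/or. One caveat on the RFI rule quoted earlier in the post: `(.*)(http|https|ftp):\/\/(.*)` matches any query string that carries a URL, so legitimate requests with a URL in a parameter (a return-to link, for example) will be redirected as well, which is worth checking in the access log before enabling it site-wide.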