Bullet Proofing and Safeguarding your Joomla Site
Ajay Lulia
Joomla! Day Malaysia 2011 - Date: 25/06/2011
WHY are sites hacked?
Curiosity
Monetary
Political
Spamming
Reputation Advantages
Testing Systems
Destruction
How are sites Hacked ?
Insecure communications
SQL Injection
Automated Injection
Backdoor Injection - Modules, Forums, Search etc.
Remote Injection
SQL Injection in the Browser Address Bar
Cross Site Scripting (XSS)
Authorization Bypass / Broken Authentication
Google Hacking
Password Cracking
Malicious file execution
What to secure?
Data: Files, Images, Database
Server Access
Security Details
How to secure Joomla ?
Joomla Packages: always download the Joomla package from joomla.org
http://www.joomla.org
http://extensions.joomla.org
Make sure all PHP settings are “Green” when installing Joomla
Change default joomla database prefix jos_
Create a new Super Administrator and delete the original one (id 62)
Turn-Off User Registration, if no registration is required.
Enable and optimize Joomla .htaccess
How to secure Joomla…
Password protect directory using .htaccess
FTP Layer: disable it if it is not used, or is used only infrequently
Mail From Id should not be same as Super Administrator Email Id
Setting the Global Metadata Information
Ensure all passwords are very strong (hosting account, site admin, database user, FTP)
Always keep extensions up to date and subscribe to their mailing lists
How to secure Joomla…
Close all unwanted TCP/IP ports
Change file permissions of configuration.php to 644
Use SFTP instead of FTP
Use SSH instead of rlogin to server
Setting permissions to 644 allows Apache to read the file and prevents others from editing it
Grant access only to the regions your site is intended for
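Several of the items on the last two slides (the default jos_ prefix, the FTP layer, the Joomla .htaccess, 644 on configuration.php, a password-protected directory) can be checked mechanically. The script below is an added example, not part of the slides or of the Joomla project: a POSIX shell audit that builds a constructed, insecure Joomla-like tree, reports which items fail, applies the fixes and re-checks. It relies on `$dbprefix` and `$ftp_enable`, which are real settings in Joomla's configuration.php, and on Joomla shipping its .htaccess as htaccess.txt; the replacement prefix `k9x_`, the sample tree and the AuthUserFile path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the slides): audit a Joomla install against several of the
# checklist items and show the corresponding fixes.
#   - configuration.php has mode 644            (file permissions item)
#   - database prefix is no longer jos_         (default prefix item)
#   - FTP layer is disabled (ftp_enable = 0)    (FTP layer item)
#   - .htaccess is enabled at the site root     (Joomla .htaccess item)
#   - administrator/ is password protected      (password-protect directory item)
# $dbprefix and $ftp_enable are real Joomla configuration.php settings; the sample
# site, the prefix 'k9x_' and the .htpasswd path are constructed for this demo.

# Octal mode of a file; GNU and BSD stat take different flags, so try both.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}

# Read one scalar setting from configuration.php: config_value <file> <name>
# e.g. the line "public $dbprefix = 'jos_';" yields jos_
config_value() {
    grep "[\$]$2 *=" "$1" | head -n 1 \
        | sed "s/^[^=]*= *//; s/;.*\$//; s/^['\"]//; s/['\"]\$//"
}

# Each check returns 0 (pass) or 1 (fail) so it can be used in shell conditionals.
check_config_perms()    { [ "$(file_mode "$1/configuration.php")" = "644" ]; }
check_db_prefix()       { p=$(config_value "$1/configuration.php" dbprefix); [ -n "$p" ] && [ "$p" != "jos_" ]; }
check_ftp_disabled()    { [ "$(config_value "$1/configuration.php" ftp_enable)" = "0" ]; }
check_htaccess()        { [ -f "$1/.htaccess" ]; }
check_admin_protected() { grep -q '^Require valid-user' "$1/administrator/.htaccess" 2>/dev/null; }

# Run every check, print a PASS/FAIL line for each, return the number of failures.
audit_site() {
    fails=0
    for c in check_config_perms check_db_prefix check_ftp_disabled check_htaccess check_admin_protected; do
        if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Constructed sample: a Joomla-like tree with every item still at its insecure default.
make_sample_site() {
    mkdir -p "$1/administrator"
    cat > "$1/configuration.php" <<'EOF'
<?php
class JConfig {
    public $dbprefix = 'jos_';
    public $ftp_enable = 1;
}
EOF
    echo '# stand-in for the htaccess.txt that ships with Joomla' > "$1/htaccess.txt"
    chmod 666 "$1/configuration.php"
}

# Apply the fixes from the checklist to the tree.
harden_site() {
    cfg="$1/configuration.php"
    sed "s/'jos_'/'k9x_'/; s/ftp_enable = 1/ftp_enable = 0/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    chmod 644 "$cfg"
    cp "$1/htaccess.txt" "$1/.htaccess"      # Joomla ships its .htaccess as htaccess.txt
    cat > "$1/administrator/.htaccess" <<'EOF'
# AuthUserFile path is a placeholder; keep the real file outside the web root
AuthType Basic
AuthName "Restricted"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user
EOF
}

# Demo: audit the insecure sample, harden it, audit again.
demo=$(mktemp -d)
make_sample_site "$demo"
audit_site "$demo" || echo "-> $? item(s) need attention"
harden_site "$demo"
audit_site "$demo" && echo "-> all checks pass"
rm -rf "$demo"
```

Run it against a real install by calling `audit_site /path/to/joomla` instead of the demo block; the checks are read-only, while `harden_site` rewrites configuration.php and should be run only on a copy you have backed up.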
How to secure Joomla…
Before installing extensions, always check:
Reviews
Known vulnerabilities
Use Search Engine Friendly URLs (e.g. Joomla Core SEF and/or sh404sef)
http://developer.joomla.org/security
Hide your administrator URL (using jSecure Authentication, jAdmin Tools)
RSS feed: http://feeds.joomla.org/JoomlaSecurityNews
Report all possible hacks to the Joomla! Security Strike Team (JSST)
Subscribe to security updates to hit your mail box when they are available!
Choosing Hosting
Look into your requirements
Choose the hosting type: Shared vs Dedicated Hosting
Versions on servers (should be on PHP 5 & MySQL 5 at least)
Server that runs PHP in CGI mode with suPHP
Types of Backup
24/7 Customer support is VITAL
Is my website a victim?
Always be proactive, not reactive
http://developer.joomla.org/security
Server / Application / Extension security is ongoing work. Always check for upgrades and reviews
Build disaster recovery plan
If you don’t have updates from Joomla! Security Strike Team (JSST)
Am Hacked!!!
Create an HTML page with a message and save it as index.html
http://developer.joomla.org/security
Save Server Access and Error logs
Restore the website using recent backup
Look at the logs and try to find out how the site was hacked.
Report all possible hacks to the Joomla! Security Strike Team (JSST)
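The "save the logs, then look at them" steps of the recovery procedure above benefit from being scripted, because a restore from backup overwrites exactly the evidence you need. The following is an added example, not part of the slides: a POSIX shell script whose `preserve_logs` copies the web server's access and error logs into an evidence directory with a SHA-256 manifest before anything is restored, and whose `triage_access_log` lists requests carrying the patterns the deck names (SQL injection in the address bar, XSS, traversal towards configuration.php) so you know where to start reading. The log lines, IP addresses and paths in the demo are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the slides): preserve web server logs before a restore and
# triage the access log for the attack patterns discussed in the deck.
# All sample log content below is constructed for the demo.

# SHA-256 of a file, using whichever tool the system has (GNU sha256sum or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# preserve_logs <evidence-dir> <log-file>... : copy the logs with their timestamps,
# make the copies read-only, write a hash manifest, print how many files were preserved.
preserve_logs() {
    ev="$1"; shift
    mkdir -p "$ev"
    : > "$ev/MANIFEST.sha256"
    for f in "$@"; do
        [ -f "$f" ] || continue
        b=$(basename "$f")
        cp -p "$f" "$ev/$b"
        chmod 444 "$ev/$b"
        echo "$(sha256_of "$ev/$b")  $b" >> "$ev/MANIFEST.sha256"
    done
    wc -l < "$ev/MANIFEST.sha256" | tr -d ' '
}

# triage_access_log <access-log> : print request lines that deserve a closer look:
# SQL keywords in the URL, path traversal, direct requests for configuration.php,
# or script tags in parameters. A match is a lead to read, not proof of compromise.
triage_access_log() {
    grep -i -E \
        -e "union(%20|\+| )+(all(%20|\+| )+)?select" \
        -e "(\.\./|%2e%2e%2f)" \
        -e "/configuration\.php" \
        -e "(%3c|<)script" \
        "$1"
}

# Number of flagged lines, handy for a quick summary.
count_suspicious() { triage_access_log "$1" | wc -l | tr -d ' '; }

# Constructed sample logs in Apache combined format (addresses from the documentation ranges).
make_sample_logs() {
    mkdir -p "$1"
    cat > "$1/access.log" <<'EOF'
203.0.113.10 - - [25/Jun/2011:10:00:01 +0800] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120
203.0.113.10 - - [25/Jun/2011:10:00:02 +0800] "GET /images/logo.png HTTP/1.1" 200 2048
198.51.100.7 - - [25/Jun/2011:10:03:15 +0800] "GET /index.php?option=com_content&id=5+UNION+SELECT+1,2,3 HTTP/1.1" 200 7000
198.51.100.7 - - [25/Jun/2011:10:03:40 +0800] "GET /index.php?file=../../configuration.php HTTP/1.1" 200 1500
198.51.100.7 - - [25/Jun/2011:10:04:02 +0800] "GET /index.php?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200
203.0.113.10 - - [25/Jun/2011:10:05:00 +0800] "GET /index.php?option=com_contact HTTP/1.1" 200 4100
EOF
    cat > "$1/error.log" <<'EOF'
[Sat Jun 25 10:03:41 2011] [error] [client 198.51.100.7] PHP Warning:  include(): failed to open stream
EOF
}

# Demo: build the sample logs, preserve them, then triage the access log.
demo=$(mktemp -d)
make_sample_logs "$demo"
echo "preserved $(preserve_logs "$demo/evidence" "$demo/access.log" "$demo/error.log") log file(s)"
cat "$demo/evidence/MANIFEST.sha256"
echo "suspicious requests: $(count_suspicious "$demo/access.log")"
triage_access_log "$demo/access.log"
rm -rf "$demo"
```

On a real server, point `preserve_logs` at the live log paths (and at the database server's logs if you have them) before restoring, and keep the evidence directory off the web root; the manifest lets you show later that the copies were not altered while you worked on them.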
Analyze Security
Security can be broken into five distinct functional areas:
Risk Avoidance
Restriction
Prevention
Detection
Recovery