cms and security / privacy
TRANSCRIPT
My name is Ren Sato from the ImpressCMS project. Thank you for visiting this presentation. Our topic today is:
CMS and Security
Welcome CMS Security
CMS Security - overview
Vulnerabilities (statistic)
Possible risks
What is security in a CMS
A lot of tips
Server / CMS funnel
ImpressCMS security features
Vulnerabilities: the candidates
Vulnerabilities: CMS / year
Security is not a measurement; the question is subjective, much like asking: what is hot?
Security and money: security is expensive to build into an application, but you have to protect the important information.
Security and usability: user access control can be a barrier, a session timeout is not user friendly, and a password meter confuses the visitor. But in most cases you need these elements. Therefore:
Security is supposed to be part of the master plan for a new website. Therefore, always keep security in mind.
What is security in a CMS
piracy (data theft)
data loss
image damage of your company
identity theft / identity fraud
unavailability of your website after an attack
attacks against your users through the CMS
possible risks
10 tips and more
Use .htaccess and protect your folders
A lot of tips - 1/10
Create a robots.txt and disallow folders
A lot of tips 2/10
Server error handling (401, 505) with your CMS
A lot of tips 3/10
Change the META generator content
A lot of tips 4/10
Create a hard-to-guess database table prefix
A lot of tips 5/10
Enable SSL for your domain
A lot of tips 6/10
Use SFTP only
A lot of tips 7/10
Protect e-mail addresses on your website with GD (image) protection or reCAPTCHA
A lot of tips 8/10
Ban all spammers and bots
A lot of tips 9/10
Don't use the default admin account for access, and pick a strong password for the admin
Require good passwords for your users
A lot of tips 10/10
Other tips
* Increase your awareness. Subscribe to your CMS development blog. It should be in your feed list so you stay updated about recent development, including security issues.
* Update. Your CMS takes only a few minutes to update, so spend some time at the end of the day to do so. I prefer to allocate some time at the weekend, though. By update, I don't mean just the core code, but also the plugins, libraries and/or modules.
* Use supported themes. If you are not a theme designer, make sure you use a theme that is well supported, so if there are problems you know who to turn to for a solution.
* Back up often. There is no reason not to, because you can easily schedule backups of your CMS database and files. Better safe than sorry.
A lot of tips - other
Server / CMS funnel
Web server, database and CMS security funnel
1. intelligent server security
2. database security
3. basic CMS configuration
4. CMS user groups
5. CMS user permissions
6. Module permissions
7. third-party libraries
8. check for attacks
9. update your system
10. go back to 1.
* randomize the database table prefix
* separate sensitive data and place it in the trust path
* randomize the trust path directory name
* randomize the name of the secure data file
* full integration with HTML Purifier (with options)
* multiple password hash options, selectable per site
* admin warnings for practices not followed
* of course, the Protector module
* session regeneration on login
* use of salt keys
* protection of e-mail addresses against spam
* handling of server errors
* the installer does not create a default admin
* password meter (with security level) for the user
* 17 password hash algorithms (SHA256 is recommended)
ImpressCMS security features
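The salted hash, password meter and session regeneration named in the feature list, written out as an added example in plain PHP (this is not ImpressCMS code); the function names and the strength thresholds are assumptions. Newer PHP also offers password_hash(), which is the preferred choice for new code.

```php
<?php
// Added example (not ImpressCMS code): salted SHA256 hashing, a simple
// password meter and session regeneration on login, in plain PHP.
// Function names and the score thresholds below are assumptions.

// Rate a password 0-4. Thresholds (8/12 characters, 3/4 character
// classes) are illustrative, not ImpressCMS's own levels.
function password_level(string $pw): int {
    $score = 0;
    if (strlen($pw) >= 8)  { $score++; }
    if (strlen($pw) >= 12) { $score++; }
    $classes = (int) preg_match('/[a-z]/', $pw) + (int) preg_match('/[A-Z]/', $pw)
             + (int) preg_match('/[0-9]/', $pw) + (int) preg_match('/[^a-zA-Z0-9]/', $pw);
    if ($classes >= 3) { $score++; }
    if ($classes === 4) { $score++; }
    return $score;
}

// Salted SHA256: a fresh random salt per user, stored next to the digest,
// so identical passwords do not produce identical hashes.
function hash_password(string $pw): array {
    $salt = bin2hex(random_bytes(16));            // 32 hex chars, unique per user
    return ['salt' => $salt, 'hash' => hash('sha256', $salt . $pw)];
}

// Constant-time comparison so timing does not leak how many bytes matched.
function verify_password(string $pw, string $salt, string $hash): bool {
    return hash_equals($hash, hash('sha256', $salt . $pw));
}

// Login: verify, then regenerate the session id so an id fixated before
// authentication is not carried over into the authenticated session.
function login(string $user, string $pw, array $record): bool {
    if (!verify_password($pw, $record['salt'], $record['hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);              // true = discard the old id
    }
    $_SESSION['user'] = $user;
    return true;
}

// Constructed demo data (not a real account).
$stored = hash_password('Tr0ub4dor&3x');
var_dump(password_level('Tr0ub4dor&3x'));
var_dump(login('alice', 'Tr0ub4dor&3x', $stored));
var_dump(login('alice', 'wrong', $stored));
```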
Any questions?
If not, I would like to present our ImpressCMS to you now...
www.impresscms.org
Icons by: GNOME Desktop
Created by: Ren Sato, http://www.impresscms.de
Thank you / Credits
Thank you: skenow, phoenyx, Madfish, david
Thank you to all Open Source CMS around the world.
6/4/11
Vulnerabilities per CMS and year (columns in slide order: 2010, 2007, 2008, 2009; the per-year counts were run together during extraction and cannot be split reliably, so the figures are kept as extracted)
Joomla: 2212311154
Drupal: 1002452137
Typo3: 7113282
WordPress: 20292120
Xoops: 7251914
MODx: 6243
ImpressCMS: 1023