CMS and security / privacy


Upload: impesscms

Post on 16-Apr-2017


TRANSCRIPT

My name is Ren Sato from the ImpressCMS project. Thank you for visiting this presentation. Our topic today is:

CMS and Security

Welcome CMS Security

CMS Security - overview

Vulnerabilities (statistic)

Possible risks

What is security in a CMS

A lot of tips

Server / CMS funnel

ImpressCMS security features

Vulnerabilities: the candidates

Vulnerabilities: CMS / year

Security is not a measurable quantity; the question is subjective, much like asking "what is hot?".

Security and money: security is expensive to build into an application, but you still have to protect the important information.

Security and usability: user access control can be a barrier, a session timeout is not user friendly, and a password meter confuses visitors. But in most cases you need these elements. Therefore:

Security is supposed to be part of the master plan for a new website. Therefore, always keep security in mind.

What is security in a CMS

piracy (data theft)

data loss

image damage of your company

identity theft / identity fraud

unavailability of your website after an attack

attacks against users through the CMS

possible risks

10 tips and more

Use .htaccess and protect your folders

A lot of tips - 1/10

Create a robots.txt and disallow folders

A lot of tips 2/10

Server error handling (401, 505) with your CMS

A lot of tips 3/10

Change the content of the META generator tag

A lot of tips 4/10

Create a hard-to-guess database table prefix

A lot of tips 5/10

Enable SSL for your domain

A lot of tips 6/10

Use SFTP only

A lot of tips 7/10

Protect the e-mail addresses on your website with GD image protection or reCAPTCHA


A lot of tips 8/10

Ban all spammers and bots

A lot of tips 9/10

Don't use the default admin account for access, and pick a secure password for the admin

Require good passwords from your users

A lot of tips 10/10
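As an added example that is not part of the slides, the .htaccess below implements tips 1, 3, 4 and 6 for the document root of a PHP-based CMS on Apache 2.4. The /uploads folder, the /error.php handler and the availability of mod_rewrite, mod_headers and AllowOverride are assumptions; adjust them to your own installation.

```apache
# Added example for an Apache 2.4 document root. Assumptions: AllowOverride
# is enabled, mod_rewrite and mod_headers are loaded, the CMS keeps visitor
# uploads in /uploads and renders error pages through /error.php.

# Tip 1: protect your folders. No directory listings, and no serving of
# files that belong to the CMS rather than to visitors (config, dumps,
# backups). Tip 2 (robots.txt) is advisory only; these rules enforce it.
Options -Indexes
<FilesMatch "\.(ini|log|sql|bak|dist|htaccess|htpasswd)$">
    Require all denied
</FilesMatch>

RewriteEngine On
# Version-control metadata must not be fetchable either.
RewriteRule ^\.(git|svn)(/|$) - [F,L]
# Uploaded files may be downloaded but never executed as scripts.
RewriteRule ^uploads/.*\.(php|phtml|phar)$ - [F,L]

# Tip 3: hand server errors to the CMS so the visitor sees a themed page
# and no stack trace or server banner leaks.
ErrorDocument 401 /error.php?code=401
ErrorDocument 403 /error.php?code=403
ErrorDocument 404 /error.php?code=404
ErrorDocument 500 /error.php?code=500

# Tip 4 (same idea as changing the META generator tag): don't advertise
# the software stack in response headers.
ServerSignature Off
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>

# Tip 6: once SSL is enabled, send every plain-HTTP request to HTTPS and
# tell browsers to stay there (HSTS is only sent on TLS responses).
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>
```

Test the redirect and the denied paths with curl after deploying; a misplaced rule here locks visitors out rather than attackers.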

Other tips

Increase your awareness. Subscribe to your CMS development blog; it should be on your list of feeds so you are updated about recent developments, including security issues.

Update. Your CMS takes only a few minutes to update, so spend some time at the end of the day to do so. I prefer to allocate some time at the weekend though. By update, I don't mean just the core code, but also the plugins, libraries and/or modules.

Use supported themes. If you are not a theme designer, make sure you use a theme that is well supported, so that if there are problems you know who to turn to for a solution.

Back up often. There is no reason not to, because you can easily schedule backups of your CMS database and files. Better safe than sorry.

A lot of tips other

Server / CMS funnel

Web server, database and CMS security funnel

1. intelligent server security

2. database security

3. basic CMS configuration

4. CMS user groups

5. CMS user permissions

6. Module permissions

7. third-party libraries

8. check for attacks

9. update your system

10. go back to 1.

* randomized database table prefix
* sensitive data separated and placed in a trust path
* randomized trust path directory name
* randomized name of the secure data file
* full integration with HTML Purifier (with options)
* multiple password hash options, selectable per site
* admin warnings for practices not followed
* of course, the Protector module
* session regeneration on login
* use of salt keys
* protection of e-mail addresses against spam
* handling of server errors
* the installer does not create a default admin
* password meter (with security level) for the user
* 17 password hash options (SHA256 recommended)

ImpressCMS security features

Any questions?

If not, I would like to present ImpressCMS to you now...

www.impresscms.org

Icons by: GNOME Desktop

Created by: Ren Sato, http://www.impresscms.de

Thank you / Credits

Thank you: skenow, phoenyx, Madfish, david

Thank you to all Open Source CMS around the world.

6/4/11



[Chart: vulnerabilities per CMS and year (2007, 2008, 2009, 2010) for Joomla, Drupal, Typo3, WordPress, Xoops, MODx and ImpressCMS; the per-cell counts were garbled in extraction and are not reproduced here.]