Joomla Security : Secure Your Website

Upload: ajay-lulia

Post on 26-May-2015


Page 1: Joomla Security v3.0

Joomla Security : Secure Your Website

Page 2: Joomla Security v3.0

Ajay Lulia
Managing Partner & CTO, Synergy Technology Services
CEO, Joomla Service Provider
@ajaylulia
http://www.joomlaserviceprovider.com

Page 3: Joomla Security v3.0

WHY are sites Hacked?

Curiosity

Monetary

Political

Spamming

Reputation Advantages

Testing Systems

Destruction

Page 4: Joomla Security v3.0

How are sites Hacked?

Insecure communications

• SQL Injection
• Automated Injection
• Backdoor Injection - Modules, Forums, Search etc.
• Remote Injection

SQL Injection in the Browser Address Bar

Cross Site Scripting (XSS)

Authorization Bypass / Broken Authentication

Google Hacking

Malicious file execution

Password Cracking

Page 5: Joomla Security v3.0

What to Secure?

Data

• Files
• Images
• Database

Server Access

Security Details

Page 6: Joomla Security v3.0

How to Secure Joomla?

• http://www.joomla.org
• http://extensions.joomla.org

Joomla packages: always download the Joomla package from joomla.org

Make sure all PHP settings are “Green” when installing Joomla

Change the default Joomla database prefix jos_

Create a new Super Administrator and delete the original one (id 62 up to Joomla 1.5)

Turn off user registration if no registration is required.

Enable and optimize the Joomla .htaccess
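As an added example (not from the original slides, and not a Joomla tool) of the "change the default database prefix jos_" item on this slide: a POSIX shell script that, given the table names of the site's database and its configuration.php, emits the RENAME TABLE statements for the database and rewrites $dbprefix in the config file. The table list, the sample configuration.php and the new prefix k9x_ are constructed for the demo; pick your own random prefix, take the site offline and a backup first, then run the emitted SQL against the database before switching the config.

```shell
#!/bin/sh
# Added example, not part of the original slides: carry out the
# "change default database prefix jos_" step. Table names, the sample
# configuration.php and the new prefix k9x_ below are constructed.

# Emit one RENAME TABLE statement per table that carries the old prefix;
# tables without it (e.g. ones from another application) are left alone.
# Usage: rename_statements OLD_PREFIX NEW_PREFIX < table-list
rename_statements() {
    old="$1"; new="$2"
    while IFS= read -r table; do
        case "$table" in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' \
                        "$table" "$new" "${table#"$old"}" ;;
        esac
    done
}

# Rewrite the $dbprefix line in configuration.php to match, keeping a .bak copy.
# Usage: set_config_prefix FILE OLD_PREFIX NEW_PREFIX
set_config_prefix() {
    file="$1"; old="$2"; new="$3"
    cp "$file" "$file.bak"
    sed "s/\\(\\\$dbprefix *= *'\\)$old'/\\1$new'/" "$file.bak" > "$file"
}

# Read back the prefix currently set in configuration.php (used to verify).
get_config_prefix() {
    sed -n "s/.*\\\$dbprefix *= *'\\([^']*\\)'.*/\\1/p" "$1"
}

# Demo on a constructed configuration.php and table list.
demo_cfg=$(mktemp)
printf "<?php\nclass JConfig {\n\tpublic \$dbprefix = 'jos_';\n}\n" > "$demo_cfg"
printf 'jos_users\njos_content\njos_session\nother_app_table\n' \
    | rename_statements jos_ k9x_
set_config_prefix "$demo_cfg" jos_ k9x_
echo "configuration.php now uses prefix: $(get_config_prefix "$demo_cfg")"
rm -f "$demo_cfg" "$demo_cfg.bak"
```

In practice the table list comes from SHOW TABLES on the site's database; the script deliberately only touches tables that start with the old prefix, so a shared database holding other applications' tables is not renamed by accident.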

Page 7: Joomla Security v3.0

How to Secure Joomla?

Password protect directories using .htaccess

FTP layer: disable it if it is not used or rarely used

The Mail From address should not be the same as the Super Administrator email address

Set the global metadata information

Ensure all passwords are very strong (hosting account, site admin, database user, FTP)

Always keep extensions up to date and always use the mailing lists

Page 8: Joomla Security v3.0

How to Secure Joomla?

Close all unwanted TCP/IP ports

Change the file permissions of configuration.php to 644

Use SFTP instead of FTP

Use SSH instead of rlogin to reach the server

Grant access only to those regions your site is dedicated to

Set permissions to 644, which allows Apache to read the file and prevents others from editing it
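An added example (not from the original slides) that applies the permission and access-restriction items of this slide to a Joomla document root and then checks the result: configuration.php and all other files go to 644, directories to 755, /administrator is limited to an allowed network with an Apache 2.4 "Require ip" rule, and a final scan reports anything still world-writable. It assumes GNU coreutils (stat -c) and a POSIX find; the demo tree and the allowed network 203.0.113.0/24 are constructed.

```shell
#!/bin/sh
# Added example, not part of the original slides: apply the permission and
# access-restriction items of this slide to a Joomla document root and then
# check the result. Assumes GNU coreutils (stat -c) and a POSIX find; the
# demo tree and the allowed network 203.0.113.0/24 are constructed.

# Octal mode of a file, e.g. 644.
file_mode() {
    stat -c '%a' "$1"
}

# Directories 755, files 644, and configuration.php explicitly 644: Apache can
# read it, and no other account on the host can edit it.
harden_joomla_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/configuration.php" ]; then
        chmod 644 "$root/configuration.php"
    fi
}

# Limit /administrator to the networks the site is managed from (Apache 2.4
# "Require ip" syntax); every other client gets 403 before Joomla even runs.
write_admin_htaccess() {
    admin_dir="$1"; allowed="$2"
    printf 'Require ip %s\n' "$allowed" > "$admin_dir/.htaccess"
    printf '%s\n' "$admin_dir/.htaccess"
}

# Number of files or directories still world-writable (mode bit o+w);
# a hardened tree must report 0.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Demo on a constructed, throwaway tree.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/administrator" "$demo_root/images"
printf '<?php $dbprefix = "jos_";\n' > "$demo_root/configuration.php"
: > "$demo_root/images/logo.png"
chmod 666 "$demo_root/configuration.php"   # weak state a hosting panel may leave behind
chmod 777 "$demo_root/images"
echo "world-writable before: $(count_world_writable "$demo_root")"
write_admin_htaccess "$demo_root/administrator" 203.0.113.0/24 >/dev/null
harden_joomla_perms "$demo_root"
echo "configuration.php mode: $(file_mode "$demo_root/configuration.php")"
echo "world-writable after:  $(count_world_writable "$demo_root")"
rm -rf "$demo_root"
```

The count_world_writable check is the part worth keeping in a cron job: a site that was hardened once can drift back after an extension install or a panel-driven chmod, and a non-zero count is the early signal.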

Page 9: Joomla Security v3.0

How to Secure Joomla?

Before installing extensions, always check:
• Reviews
• Vulnerabilities

• http://developer.joomla.org/security

• RSS feed: http://feeds.joomla.org/JoomlaSecurityNews

Use Search Engine Friendly URLs (e.g. Joomla core SEF and/or sh404sef)

Report all possible hacks to the Joomla! Security Strike Team (JSST)

Hide your administrator URL (using jSecure Authentication, jAdmin Tools)

Subscribe to security updates so they hit your mailbox when they are available!

Page 10: Joomla Security v3.0

Choosing Hosting

Look into your requirements

Choose the hosting type: shared vs. dedicated hosting

Versions on servers (should be at least PHP 5 and MySQL 5)

A server that runs PHP in CGI mode with suPHP

Types of backup

24/7 customer support is VITAL

Page 11: Joomla Security v3.0

Is my website a victim?

• http://developer.joomla.org/security

Always be proactive, not reactive

Server / application / extension security is ongoing work. Always check for upgrades and reviews

Build disaster recovery plan

If you don’t have updates from Joomla! Security Strike Team (JSST)

Page 12: Joomla Security v3.0

Am Hacked !!!

• http://developer.joomla.org/security

Create an HTML page with a message and save it as index.html

Save the server access and error logs

Restore the website from a recent backup

Look at the logs and try to find out how the site was hacked.

Report all possible hacks to the Joomla! Security Strike Team (JSST)
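An added example (not from the original slides) for the first two steps of this checklist, done so the evidence stays usable: a static holding page goes in as index.html, and the access and error logs are copied into a timestamped evidence directory with a SHA-256 manifest that can be re-checked later, before the backup is restored over the site. The paths, the log lines and the holding-page text are constructed for the demo; it assumes GNU coreutils (sha256sum, cp -p, date).

```shell
#!/bin/sh
# Added example, not part of the original slides: the first two steps of the
# "Am Hacked" checklist, put up a holding page and preserve the server logs,
# done in a way that keeps the evidence usable. Paths, log lines and the
# holding-page text are constructed for the demo. Assumes GNU coreutils
# (sha256sum, cp -p, date).

# Step 1: a static holding page saved as index.html. Plain HTML rather than
# PHP, so nothing from the compromised code base runs while it is shown.
write_holding_page() {
    webroot="$1"
    cat > "$webroot/index.html" <<'EOF'
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Maintenance</title></head>
<body><p>This site is temporarily offline for maintenance.</p></body></html>
EOF
    printf '%s\n' "$webroot/index.html"
}

# Step 2: copy the access and error logs into a timestamped evidence directory,
# preserving timestamps (cp -p), and write a SHA-256 manifest so the copies
# can be shown later to be unaltered. Prints the evidence directory path.
# Usage: preserve_logs DEST_PARENT LOG...
preserve_logs() {
    dest_parent="$1"; shift
    evidence="$dest_parent/evidence-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$evidence"
    for log in "$@"; do
        if [ -f "$log" ]; then
            cp -p "$log" "$evidence/"
        else
            echo "warning: $log not found, skipping" >&2
        fi
    done
    ( cd "$evidence" && sha256sum ./* > MANIFEST.sha256 )
    printf '%s\n' "$evidence"
}

# Re-check the manifest; exit status 0 means the copies are unchanged.
verify_evidence() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null )
}

# Demo on constructed logs (the request and error lines are made up).
demo=$(mktemp -d)
mkdir -p "$demo/www" "$demo/logs"
printf '203.0.113.5 - - [26/May/2015:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512\n' \
    > "$demo/logs/access.log"
printf '[Tue May 26 10:00:01 2015] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico\n' \
    > "$demo/logs/error.log"
echo "holding page: $(write_holding_page "$demo/www")"
ev=$(preserve_logs "$demo" "$demo/logs/access.log" "$demo/logs/error.log")
verify_evidence "$ev" && echo "evidence intact in $ev"
rm -rf "$demo"
```

Copy the logs before restoring the backup: a restore that wipes the document root or rotates logs can take the only record of how the site was entered with it, and the manifest is what lets the copies be trusted when they are read later.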

Page 13: Joomla Security v3.0

Analyze Security

Security can be broken into five distinct functional areas:

• Risk Avoidance
• Restriction
• Prevention
• Detection
• Recovery

Page 14: Joomla Security v3.0

Ajay Lulia

Thank You

Twitter : @ajaylulia

[email protected]

http://www.synergytechservices.com

http://www.joomlaserviceprovider.com