10 tips to improve your website security

Victor Santoyo (@v_santoyo), Sucuri (@sucuri_security, @sucurilabs, @sucurisupport)

Upload: sucuri

Post on 18-Aug-2015





TRANSCRIPT


Victor Santoyo (@v_santoyo), Technical Sales Engineer

What an attacker who gets into your site can do:

• Overwrite your files
• Steal sensitive information
• Right-click and press Delete
• Redirect your clients to other websites

10 Tips to Improve Your Website Security

1. Update, Update, Update
2. Extension Selection
3. Default CMS Settings
4. Server Configuration Files
5. File Permissions
6. Sensible User Access
7. One Site, One Server
8. Backups
9. SSL
10. [Secret Topic]

Update, Update, Update!

• Most hacking these days is automated.
• Check for updates frequently!
• Check your server for old CMS installations!
• “But my website breaks whenever I update to the latest version!”
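As an added example (not part of the slides), a small shell script for the "check your server for old CMS installations" point: it walks a directory tree, treats every configuration.php as the root of a Joomla! install and reads the version out of that install's version file, so a forgotten old/ or backup/ copy on an outdated release shows up next to the live site. The version-file paths and the RELEASE/DEV_LEVEL constant names are assumptions based on the Joomla! 2.5/3.x layout; check them against the release you actually run (an install that uses different constants is reported as unknown rather than guessed). The directory layout in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not from the original slides.
# Inventory every Joomla! install below a base directory and report its version,
# so forgotten copies (old/, backup/, dev/) on stale releases stand out.
# Assumption: the version file is one of the paths below and contains lines like
#   public $RELEASE = '3.4';   public $DEV_LEVEL = '8';   (Joomla! 2.5/3.x style)
# Verify these paths and names against the Joomla! release you run.

# Print "<release>.<dev_level>" for the install rooted at $1, or "unknown".
joomla_version() {
  local root="$1" f rel dev
  for f in libraries/src/Version.php libraries/cms/version/version.php libraries/joomla/version.php; do
    if [ -f "$root/$f" ]; then
      rel=$(sed -n "s/.*RELEASE *= *'\([^']*\)'.*/\1/p" "$root/$f" | head -n 1)
      dev=$(sed -n "s/.*DEV_LEVEL *= *'\([^']*\)'.*/\1/p" "$root/$f" | head -n 1)
      if [ -n "$rel" ]; then
        printf '%s.%s\n' "$rel" "$dev"
        return 0
      fi
    fi
  done
  printf 'unknown\n'
  return 1
}

# List "version<TAB>path" for every install under $1 (one configuration.php = one install).
list_joomla_installs() {
  find "$1" -name configuration.php -type f | while read -r cfg; do
    root=$(dirname "$cfg")
    printf '%s\t%s\n' "$(joomla_version "$root" || true)" "$root"
  done | sort
}

# Usage (constructed path): list_joomla_installs /home/xxxxxx/domains
```

Anything reported as 2.5.x next to a 3.x production site, or as unknown, is a copy to either update or delete; the old tree is reachable by the same automated scanners as the live one.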

Extension Selection

A malicious extension does not have to look like one. The slide's example is an extension file named jsecure.php whose entire content is:

jsecure.php
<?php include('images/social.png'); ?>

include() runs the included file as PHP no matter what it is called, so the actual payload lives in a file that looks like an image (images/social.png) and a glance at the extension's PHP files shows nothing suspicious.

Before installing an extension:

• Check when it was last updated
• Age of the extension
• Number of installs
• Verify its source

Default CMS Settings

• Most attacks are entirely automated, and many of them rely on default settings.
• Example: Joomla’s Media Manager. With its default settings, an uploaded backdoor.php ends up at /images/stories/backdoor.php.
• The attacker can then execute that file by requesting site.com/images/stories/backdoor.php.

Server Configuration Files

• Prevent directory browsing

• Prevent image hotlinking

• Protect sensitive files (see https://docs.joomla.org/Htaccess_examples_(security))
• There is currently no easy way to move the Joomla! /images and /media directories, so they have to be protected where they are.

“How do I restrict my image directory? How do I prevent directory browsing?”
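As an added example (not from the slides and not Joomla's own htaccess.txt), one root .htaccess that answers both questions above and covers the three bullets of this section. It assumes Apache 2.4 with mod_rewrite loaded and AllowOverride enabled for the document root; "example.com" is a placeholder for your own hostname. On nginx or IIS this file does nothing, and refusing to execute a script in /images does not remove it: a backdoor that is blocked here still has to be found and deleted.

```apache
# Added example, not from the original slides. Root .htaccess for a Joomla! site on
# Apache 2.4 + mod_rewrite. Replace example.com with your own hostname.

# 1. No directory listings: a bare request for /images/ must not enumerate uploads.
Options -Indexes

# 2. Sensitive files are never served, even to someone who knows the path.
<FilesMatch "^(configuration\.php|\.htaccess|\.htpasswd|.*\.(bak|sql|log|tar\.gz|zip))$">
    Require all denied
</FilesMatch>

RewriteEngine On

# 3. The upload trees are data, not code. Since /images and /media cannot be moved
#    out of the web root, a script that lands there (the /images/stories/backdoor.php
#    case) gets a 403 instead of being executed. Pattern is relative to this directory.
RewriteRule ^(images|media)/.*\.(php|php[0-9]|phtml|phar|phps)$ - [F,NC,L]

# 4. Hotlink protection: images are served to our own pages and to requests with no
#    Referer at all (direct visits, privacy-conscious browsers), not to other sites.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|png|gif|webp|svg)$ - [F,NC,L]
```

Test rule 3 after deploying by requesting any .php path under /images: the expected answer is 403, and the file should also show up in a permissions or integrity audit so that it actually gets removed.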

File Permissions

Read (4): View the file contents.
Write (2): Change the file contents.
Execute (1): Run the program file/script.

“JomSocial”

• Confirm your permissions status.

For files use:

find /home/xxxxxx/domains/xxxxxxx.com/public_html -type f -exec chmod 644 {} \;

Everyone can read the file, but only the owner may write to it.

For directories use:

find /home/xxxxxx/domains/xxxxxxx.com/public_html -type d -exec chmod 755 {} \;

Everyone may read and enter (execute) the directory, but only the owner (you) may change its contents.

* configuration.php should be set to 444 (read-only for everyone); make it writable again only while saving changes in Global Configuration.
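Running the two chmod one-liners tells you nothing about what was wrong before. As an added example (not part of the slides), a shell audit that reports the three problems this section and the previous one warn about, plus a separate function that applies the 644/755/444 scheme above. The document-root layout, the throw-away sample site and the file contents in it are constructed for the example; anything that is world-writable, any script in the /images or /media tree, and a configuration.php that is not 444 is reported.

```shell
#!/bin/sh
# Added example, not from the original slides.
# Audit a Joomla! document root for the permission problems discussed above and,
# separately, normalise it to the 644/755/444 scheme.

# Print one line per finding; return 1 if there were any, 0 if the tree is clean.
audit_webroot() {
  local root="$1" report d
  report=$(
    # 1. world-writable files or directories: any local account could alter the site.
    #    Symlinks are skipped because their own mode is meaningless.
    find "$root" -perm -002 ! -type l | sed 's/^/WORLD-WRITABLE: /'
    # 2. scripts sitting in the upload trees (the /images/stories/backdoor.php pattern)
    for d in "$root/images" "$root/media"; do
      [ -d "$d" ] && find "$d" -type f \
        \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' -o -name '*.phar' \)
    done | sed 's/^/SCRIPT IN UPLOAD DIR: /'
    # 3. configuration.php must be exactly 444
    [ -f "$root/configuration.php" ] && find "$root/configuration.php" ! -perm 0444 \
      | sed 's/^/NOT READ-ONLY (444): /'
    :
  )
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Apply the slide's scheme: 755 for directories, 644 for files, 444 for configuration.php.
fix_permissions() {
  local root="$1"
  find "$root" -type d -exec chmod 755 {} \;
  find "$root" -type f -exec chmod 644 {} \;
  [ -f "$root/configuration.php" ] && chmod 444 "$root/configuration.php"
  return 0
}

# Constructed sample site (not a real install) with one instance of each problem.
make_sample_webroot() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/images/stories" "$root/administrator"
  chmod 755 "$root" "$root/images" "$root/images/stories" "$root/administrator"
  printf '<?php /* constructed sample */\n' > "$root/index.php"
  printf '<?php /* constructed sample */\n' > "$root/configuration.php"
  printf '<?php /* constructed: dropped through an upload form */\n' > "$root/images/stories/backdoor.php"
  chmod 666 "$root/index.php"                                               # world-writable
  chmod 644 "$root/configuration.php" "$root/images/stories/backdoor.php"  # config should be 444
  printf '%s\n' "$root"
}

# Usage: r=$(make_sample_webroot); audit_webroot "$r"; fix_permissions "$r"; audit_webroot "$r"; rm -rf "$r"
```

fix_permissions deliberately does not delete anything: the script in the upload tree is still reported after the chmod pass, because a 644 backdoor is still a backdoor and has to be removed by hand.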

Sensible User Access

• Every user has only the permissions they require to do their job.
• Separate user accounts for every user; no shared logins.
• Monitor any recent file changes. The command below lists every file whose status changed in the last 24 hours (-ctime -1 covers content as well as permission and ownership changes):

find /home/xxxxxx/domains/xxxxxxx.com/public_html -type f -ctime -1 -exec ls -ls {} \;
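The -ctime check only shows what changed in the last day and cannot tell you that a file was added or removed. As an added example (not part of the slides), a hash baseline taken from a known-good copy of the site, compared against the live tree on demand: every added, modified or removed file is reported regardless of when the change happened. The paths in the usage comment and the sample tree are constructed; it assumes GNU sha256sum and a POSIX awk.

```shell
#!/bin/sh
# Added example, not from the original slides.
# File-integrity baseline for a document root: record sha256 of every file on a clean
# site, then diff the live tree against that record to find added, modified and removed
# files. Keep the baseline off the server, like the backups.

# Emit "sha256  ./relative/path" for every regular file under $1, in a stable order.
snapshot_tree() {
  (cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2)
}

# Save the current state of $1 as the baseline file $2. Do this on a clean site.
baseline_create() {
  snapshot_tree "$1" > "$2"
}

# Compare the live tree $1 with baseline $2. Prints ADDED/MODIFIED/REMOVED lines and
# returns 1 if anything differs, 0 if the tree still matches the baseline.
baseline_compare() {
  local root="$1" base="$2" report
  report=$(snapshot_tree "$root" | awk -v base="$base" '
    FILENAME == base { old[$2] = $1; next }   # first input: the stored baseline
    { new[$2] = $1 }                          # second input (stdin): the live tree
    END {
      for (p in new) {
        if (!(p in old))           print "ADDED", p
        else if (old[p] != new[p]) print "MODIFIED", p
      }
      for (p in old) if (!(p in new)) print "REMOVED", p
    }' "$base" - | sort)
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Usage (constructed paths):
#   baseline_create  /home/xxxxxx/domains/xxxxxxx.com/public_html ~/site.baseline
#   baseline_compare /home/xxxxxx/domains/xxxxxxx.com/public_html ~/site.baseline
```

Re-create the baseline right after every legitimate update so that the next comparison reports only what you did not do yourself; an ADDED .php under images/ or a MODIFIED core file between updates is the signal this section is about.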

One Site, One Server

• With 5 sites on a single server, an attacker might now have as targets:
  - 2 Joomla! 3.x installs
  - 3 Joomla! 2.5.x installs
  - 5 themes
  - 50 plugins
• Cross-site contamination, one compromised site infecting its neighbours on the same server, is the biggest reason infections spread across a single server.

Backups

• Should be stored offsite, not on the same server as your website (e.g. Dropbox).
• Should be automatic.
• Adjust frequency as needed.
• Test backups to make sure they work!
• Consider backing up only key files (e.g. themes, plugins, extensions, etc.).
• Backing up core directories such as administrator and includes is often unnecessary: they come from the Joomla! package itself.
• Keep a clean copy of the original install; you never know when you’ll need it.
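As an added example (not part of the slides), a shell backup that follows the bullets above: it archives only the site-specific parts of a Joomla! install into a timestamped tar.gz with a checksum, leaves the core directories out, and has a separate verify step so that "test backups" is something you can run rather than hope for. The document root, destination directory and list of site-specific paths are assumptions for the example (adjust the list to what your site customises); it assumes GNU tar and sha256sum. A dump of the database is outside this example and still needed for a full restore.

```shell
#!/bin/sh
# Added example, not from the original slides.
# Archive the site-specific parts of a Joomla! install to a timestamped tar.gz plus a
# checksum file, and verify the archive before trusting it. Core directories
# (administrator, includes, libraries, ...) are deliberately left out, as the slide
# suggests. Copy the archive and its .sha256 offsite together.

# Write $2/site-<UTC timestamp>.tar.gz (+ .sha256) from document root $1; prints the archive path.
backup_site() {
  local root="$1" dest="$2" stamp archive name p
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  name="site-$stamp.tar.gz"
  archive="$dest/$name"
  # Only the parts specific to this site (assumed list), skipping any that do not exist.
  set --
  for p in configuration.php templates plugins modules components images; do
    [ -e "$root/$p" ] && set -- "$@" "$p"
  done
  [ $# -gt 0 ] || return 1
  tar -C "$root" -czf "$archive" "$@"
  # Checksum recorded relative to the archive's own directory so both files can move together.
  (cd "$dest" && sha256sum "$name" > "$name.sha256")
  printf '%s\n' "$archive"
}

# The cheap half of "test your backups": the archive still matches its checksum, can be
# listed end to end, and actually contains the site's configuration.
verify_backup() {
  local archive="$1" dir name
  dir=$(dirname "$archive")
  name=$(basename "$archive")
  (cd "$dir" && sha256sum -c --quiet "$name.sha256") || return 1
  tar -tzf "$archive" | grep -qx 'configuration.php' || return 1
  return 0
}

# Usage (constructed paths):
#   a=$(backup_site /home/xxxxxx/domains/xxxxxxx.com/public_html /mnt/offsite) && verify_backup "$a"
```

verify_backup proves the archive is intact, not that the site comes back from it; the other half of testing is restoring into a scratch directory (or a staging site) from time to time and checking that it runs.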

SSL

• What are the benefits?
• SSL (today TLS) encrypts communications between Point A and Point B, the website server and the browser, so logins and form data cannot be read or altered in transit.
• Essential for e-commerce and for any website handling sensitive user data or Personally Identifiable Information (PII).
• It protects the connection only; it does nothing for the other nine tips.

“But I don’t have anything special to protect!”

[Secret Topic]

Passwords mean P@s5w0rD$

• 3 key requirements should always be followed (CLU: Complex, Long, Unique)
• Complex: should be random
• Long: should be 12+ characters
• Unique: do not reuse passwords
• Use a password manager (LastPass, KeePass 2)