joomla security v3.0
TRANSCRIPT
Joomla Security : Secure Your Website
Ajay LuliaManaging Partner & CTO, Synergy Technology ServicesCEO, Joomla Service Provider@ajayluliahttp://www.joomlaserviceprovider.com
WHY are sites Hacked?
Curiosity
Monetary
Political
Spamming
Reputation Advantages
Testing Systems
Destruction
How are sites Hacked?
Insecure communications
• SQL Injection• Automated Injection• Backdoor Injection- Modules, Forums, Search etc.• Remote Injection
SQL Injection in the Browser Address Bar
Cross Site Scripting (XSS)
Authorization Bypass / Broken Authentication
Google Hacking
Malicious file execution
Password Cracking
What to Secure?
Data
• Files• Images• Database
Server Access
Security Details
How to Secure Joomla?
• http://www.joomla.org• http://extensions.joomla.org
Joomla Packages, Always download joomla package from joomla.org
Make sure all PHP settings are “Green” when installing joomla
Change default joomla database prefix jos_
Create a new Super Administrator delete original one (id 62 until j1.5)
Turn-Off User Registration, if no registration is required.
Enable and optimize Joomla .htaccess
How to Secure Joomla?
Password protect directory using .htaccess
FTP Layer, disable if not used or used frequently
Mail From Id should not be same as Super Administrator Email Id
Setting the Global Metadata Information
Ensure all passwords are very strong (hosting a/c, site admin, database user, ftp)
Always keep Extensions Update to date and always use mailing lists
How to Secure Joomla?
Close all unwanted TCP/IP ports
Change file permissions of configuration.php to 644
Use SFTP instead of FTP
Use SSH instead of rlogin to server
Grant access to only those region your site is dedicated to
Set permission to 644 which allows Apache to use it and prevents other from editing
How to Secure Joomla?
Before installing extensions, always check:• Reviews• Vulnerability
• http://developer.joomla.org/security
• RSS feed:http://feeds.joomla.org/JoomlaSecurityNews
Use Search Engine Friendly (e.g. Joomla Core and/or sh404sef)
Report all possible hack to Joomla! Security Strike Team (JSST)
Hide your administrator URL (using jSecure Authentication, jAdmin Tools)
Subscribe to security updates to hit your mail box when they are available!
Choosing Hosting
Look into your requirements
Choose from the hosting, Shared v Dedicated Hosting
Versions on servers (should be on PHP 5 & mySQL 5 at least)
Server that runs PHP in CGI mode with su_php
Types of Backup
24/7 Customer support is VITAL
Is my website a victim?
• http://developer.joomla.org/security
Be always proactive and not reactive
Server / Application / Extension security is ‘on going’ work. Always check for upgrades and reviews
Build disaster recovery plan
If you don’t have updates from Joomla! Security Strike Team (JSST)
Am Hacked !!!
• http://developer.joomla.org/security
Create html with a message and save it as index.html
Save Server Access and Error logs
Restore the website using recent backup
Look at the logs and try and find the reason how the site was hacked.
Report all possible hack to Joomla! Security Strike Team (JSST)
Analyze Security
• Risk Avoidance• Restriction• Prevention• Detection• Recovery
Security can be broken into five distinct functional areas:
Ajay Lulia
Thank You
Twitter : @ajaylulia
http://www.synergytechservices.com
http://www.joomlaserviceprovider.com