Joomla Security - Introduction

Transcription

1 Joomla Security - Introduction Joomla Security At The Webhost Modern web servers come in all shapes, sizes and hues, hence web server based security issues just cannot be resolved with simple, one-size-fits-all security solution. It s imperative that you, or someone you trust, learn enough about your hosting company's web server infrastructure, once done, make valid security decisions for your Joomla website. To secure your web site, you must gain real experience, or get experienced help from others. Use A Secure Webhost: Use a high-quality Webhost. Do not be fooled by offers of: unlimited bandwidth unlimited hard drive space unlimited databases unlimited account and so on. There is a rule of thumb - "If a deal is too good to be true, it is." Nothing on Earth is unlimited -- except perhaps the gullibility of people and the greed of those who prey upon them. The following list of items may seem intimidating, but you don't have to deal with all of them at once. As you become familiar with: Linux Apache PHP MySQL HTTP And Joomla You can add various layers of security refinements for your Joomla website at webhost level. Consider hiring professional assistance if you have inadequate experience or knowledge in this area. Do ask pointed questions within Joomla! Forums, you will get great advice from peers. Just ensure that you use the most appropriate board, such as Installation, Migration and Updating, Administration and so on. 1

2 Choose A Really Good Quality - Hosting Provider Probably no decision is more critical to your website security than the choice of hosting company. Google for hosting companies that specialize in the hosting of Joomla based websites. Then create your own XL based comparison sheet of services versus costs. Study this, ask for advice on Joomla forums and then make an informed purchase of your website hosting spaced. Shared Server Risks If you are on a tight budget and your website does not process credit card or other confidential data, you can use shared hosting, but you must understand some of the unavoidable risks. Sloppy Server Configuration A ton of shared hosters allow Google to index the results of phpinfo(). Ensure that you don't make this mistake on your site. Ensure that you do not Use deprecated PHP settings such as - register_globals ON Have open_basedir set at all. Just for the record if phpini and register_globals are unfamiliar terms you are probably not ready to securely manage your own site. Configuring Apache Block typical exploit attempts with a.htaccess file. NOTE: This option is not enabled on all web servers. Check with your hosters if you run into problems. Using.htaccess, you can password protect sensitive directories, such as administrator, restrict access to sensitive directories by IP Address, and more depending on your webhost configuration. Joomla ships with a preconfigured.htaccess file. The file is called htaccess.txt. To use it, rename it to.htaccess and place it in the root folder of your website. NOTE: The file distributed with Joomla is called htaccess.txt. The live file on your site is called.htaccess. Hence the file your site actually uses is NOT UPDATED when you update to the latest stable version of Joomla. You have to manually make the changes to use the updated Joomla CMS core file version or you run the serious risk of having no.htaccess file mapped to the needs of the latest stable version of Joomla. Increase security by the simple process of switching from PHP4 to PHP5. 2

3 PHP Being Run As An Apache Module. This causes ownership issues and thus permission problems which will lead to security issues. It is better to select a hosting server that runs PHP as a cgi process (such as cgi-fcgi) along with using phpsuexec or a similar configuration. Configuring PHP Understand how to work with the php.ini file, and how PHP configurations are controlled. Study the Official List of php.ini Directives at and the well-documented default php.ini file included with every PHP install. Use PHP5 - PHP 4 is deprecated and has become obsolete. Some hosting providers still have both available on servers to support outdated scripts. Joomla requires PHP5. Use A Local php.ini File On shared servers you can't edit the main php.ini file, but you may be able to add custom, local php.ini files. If so, you'll need to copy the php.ini files to every sub-directory that requires custom settings. NOTE: Keep in mind though that local php.ini files only have an effect if your hosting server is configured to use them. This includes a php.ini file in your http_root directory. You can test whether or not these file affect your site by setting an obvious directive in the local php.ini file to see if it affects your site. Local php.ini files only affect.php files that are located within the same directory or included() or required() from those files. This means that there are normally only two Joomla! directories in which you would want to place a php.ini file. They are your http_root(your actual directory name may vary), which is where Joomla's Front-end index.php file is located. AND The Joomla! administrator directory, which is where the Back-end administrator index.php file is located. Other directories that don't have files called via the Web do not need local php.ini files. Use PHP disable_functions Use disable_functions to disable dangerous PHP functions that are not needed by your site. Here is a typical block of PHP functions that can be disabled for your Joomla! site. disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open 3

4 Consider Using PHP open_basedir This directive limits the files that can be opened by PHP to the specified directory-tree. This directive is NOT affected by whether Safe Mode is ON or OFF. The restriction specified with open_basedir is a prefix, not a directory name. This means that open_basedir = /dir/incl allows access to /dir/include and /dir/incls if they exist. To restrict access to only the specified directory, end with a slash. open_basedir = /home/users/you/public_html/ Additionally, if open_basedir is set it may be necessary to set PHP upload_tmp_dir configuration directive to a path that falls within the scope of open_basedir or, alternatively, add the upload_tmp_dir path to open_basedir using the appropriate path separator for the host system. open_basedir = /home/users/you/public_html:/tmp NOTE: PHP will use the system's temporary directory when upload_tmp_dir is not set or when it is set but the directory does not exist, therefore it may be necessary to add it to open_basedir as above to avoid uploading errors within Joomla. Adjust magic_quotes_gpc NOTE: This PHP feature has been DEPRECATED as of PHP and REMOVED as of PHP 5.4.0, hence if you are using PHP and above for your Joomla website ignore this section. Adjust the magic_quotes_gpc directive as needed for your site. The safest thing to do is to turn magic_quotes_gpc off. Just for the record Joomla! ignores this setting and works fine either way. Don t Use PHP safe_mode This PHP feature has been DEPRECATED as of PHP and REMOVED as of PHP 5.4.0, hence if you are using PHP and above for your Joomla website ignore this section. Relying on this feature is strongly discouraged. Avoid the use of PHP safe_mode. This is a valid but incomplete solution to a deeper problem and provides a false sense of security. 4

5 Don t Use PHP register_globals This PHP feature has been DEPRECATED as of PHP and REMOVED as of PHP 5.4.0, hence if you are using PHP and above for your Joomla website ignore this section. If your site is on a shared server with a hosting provider that insists register_globals must be on, you should be very worried. Although you can often turn register_globals off for your own site with a local php.ini file, this adds little security as other sites on the same server remain vulnerable to attacks which can then launch attacks against your site from within the server. File Permissions If a Joomla installation is hosted on apache with mod_php, then all virtual hosts on that server run in the same context as your Joomla code. If the files are owned by some other user than 'nobody' or 'wwwrun', the safest permissions are those which prevent changes to the joomla code, unless via an authorised channel (e.g. FTP): DocumentRoot directory: 750 (e.g. /public_html) Files: 644 Directories: 755 (711 if you are paranoid, but not for directories which need to be listed) (owner: some user) With these permissions set, you will need to use FTP to update your Joomla installation. If a Joomla installation is hosted on apache with fast-cgi, suphp or cgi that runs as a different user, then you should set your permissions as follows: DocumentRoot directory: 750 (e.g. public_html) PHP files: 600 (400 if you are truly paranoid) HTML and image files: 644 (444 if you are truly paranoid) Directories: 755 (711 if you are paranoid, but not for directories which need to be listed) Here are a few essential guidelines for securing any website Joomla based or otherwise. Following them will protect you from most catastrophes. Back Up Regularly The most important disaster recovery rule: Thou shalt at all times be able to return your site to a previous working state through regular use of a strong, off-site backup and recovery process. Be sure your backup and recovery process is in place and tested BEFORE you go live. This is the single best way (and often the only way) to recover from such inevitable catastrophes. Set up a regular backup and recovery process. When done well, this ensures that you can recover from almost any imaginable disaster. 5

6 Keep The Joomla CMS Core Updated Also promptly Update any third-party extensions installed on the site. This ensures that your Joomla site is protected from the newest vulnerabilities as soon as a fix is released and from the latest attack methods as soon as a defense is developed. The Bad News There is no perfect ( 100% ) security on the Internet. Do not read - perfect security - in Joomla's award winning, ease-of-use, very best CMS statements. Maintaining a secure web site on the Internet is not simple. Maintaining adequate website security requires ever-expanding range of skills and knowledge, constant watchfulness, and a robust backup and recovery process. The Good News Even a beginner can apply some sensible, basic, security to their website. If you are reading this article before your site is hacked, Congratulations!!!. You're already ahead of the rest. It's not as hard as it looks If this is one of your first websites, security issues may seem overwhelming, but you don't have to deal with all of them at once. Start with the most critical issues. As you become more familiar with tools and techniques, add refinements to your set of security tactics. You can get help If you believe your website was attacked. Just ask for help on the many Joomla forums on the Internet. There really are helpful people ( as well as cut throats ) on the web. Thank goodness the ration is 95s:5. The painful truth is... Security is a moving target, so today's expert might be tomorrow's victim... Just in case you would like us to harden your Joomla website for you do 6