Joomla Security - Introduction



Similar documents
Hardening Joomla 1. HARDENING PHP. 1.1 Installing Suhosin. 1.2 Disable Remote Includes. 1.3 Disable Unneeded Functions & Classes

OxyClassifieds Installation Handbook

Content Management System

Quick Start Guide Joomla!: Guidelines for installation and setup. Why Joomla!

ClickCartPro Software Installation README

Professional Joomla! Migration. User Guide. Version 1.1 Date: 25th March Vibaweb Ltd. All rights reserved.

Rensselaer Union Club Webhosting CPanel Guide

How can I keep my account safe from hackers, scammers and spammers?

This installation guide will help you install your chosen IceTheme Template with the Cloner Installer package.

Install Apache on windows 8 Create your own server

Introduction Connecting Via FTP Where do I upload my website? What to call your home page? Troubleshooting FTP...

Performance Evaluation of Shared Hosting Security Methods

User Manual. for pollxt version 1.2x

TYPO3 Security Cookbook

OpenPro ERP Software Installation Guide REDHAT LINUX

JMS MULTISITE for joomla!

Digital Downloads Pro

AJ Matrix V5. Installation Manual

We begin with a number of definitions, and follow through to the conclusion of the installation.

A Beginner's Guide to Setting Up A Web Hosting System (Or, the design and implementation of a system for the worldwide distribution of pictures of

XCloner Official User Manual

Simbirsk Technologies Ltd.

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

FireBLAST Marketing Solution v2

Lesson 7 - Website Administration

INSTALLING MOODLE 2.5 ON A MICROSOFT PLATFORM

imhosted Web Hosting Knowledge Base

1. An Introduction to cpanel. Welcome to Thanks for signing up. 2. How Domain Names work

ProjectPier v Getting Started Guide

Online Vulnerability Scanner Quick Start Guide

AFRICAN FORUM FOR AGRICULTURAL ADVISORY SERVICES AFAAS WEBSITE DEVELOPMENT

Migrate Joomla 1.5 to 2.5 with SP Upgrade

OpenPro ERP Software Installation Guide Talbert Ave Suite 200 Fountain Valley, CA USA Phone Fax

The Web Pro Miami, Inc. 615 Santander Ave, Unit C Coral Gables, FL T: info@thewebpro.com

CCM 4350 Week 11. Security Architecture and Engineering. Guest Lecturer: Mr Louis Slabbert School of Science and Technology.

Malware Analysis Quiz 6

Web Technologies Week 4 Hosting, Servers and Databases. Context. Contents. MSc in Computing Computing - IBITE Liverpool Hope University College

Backup and Restore MySQL Databases

6.1.6 Optimize internal links Search engine friendly URLs Add anchor text to links 6.2 Keywords Optimize keywords 6.2.

Build it with Drupal 8

Tk20 Backup Procedure

Two Novel Server-Side Attacks against Log File in Shared Web Hosting Servers

WordPress Security Scan Configuration

Getting started with PrestaShop 1.4

Securing websites. Executive Summary:

Virtual Machine daloradius Administrator Guide Version 0.9-9

CEFNS Web Hosting a Guide for CS212

Building Website with Drupal 7

2011 ithemes Media LLC. All rights reserved in all media. May be shared with copyright and credit left intact.!

Simbirsk Technologies Ltd.

Asia Web Services Ltd. (vpshosting.com.hk)

Setting Up a Dreamweaver Site Definition for OIT s Web Hosting Server

Magento Security Best practices 2015

Kollaborate Server Installation Guide!! 1. Kollaborate Server! Installation Guide!

Host your websites. The process to host a single website is different from having multiple sites.

WEB2CS INSTALLATION GUIDE

Nikolay Zaynelov Annual LUG-БГ Meeting nikolay.zaynelov.com

Securing websites. By Chris Mitchell Updated by Fraser Howard, Threat Researcher, SophosLabs UK, 2011

inforouter V8.0 Server Migration Guide.

eztechdirect Backup Service Features

5. At the Windows Component panel, select the Internet Information Services (IIS) checkbox, and then hit Next.

Creating Value through Innovation MAGENTO 1.X TO MAGENTO 2.0 MIGRATION

Hacking the WordpressEcosystem

MassTransit 6.0 Enterprise Web Configuration for Macintosh OS 10.5 Server

Vulnerability analysis

Drupal + Formulize. A Step-by-Step Guide to Integrating Drupal with XOOPS/ImpressCMS, and installing and using the Formulize module

Backing Up CNG SAFE Version 6.0

EOP ASSIST: A Software Application for K 12 Schools and School Districts Installation Manual

Akeeba Kickstart 3.0 User's Guide. Nicholas K. Dionysopoulos

Document Freedom Workshop DFW 2012: CMS, Moodle and Web Publishing

The current version installed on your server is el6.x86_64 and it's the latest available.

Joomla! Actions Suite

Livezilla How to Install on Shared Hosting By: Jon Manning

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

by

Open Source Content Management System for content development: a comparative study

Secure Software Programming and Vulnerability Analysis

Lab 7 - Exploitation 1. NCS 430 Penetration Testing Lab 7 Sunday, March 29, 2015 John Salamy

MySQL Quick Start Guide

Written by: Johan Strand, Reviewed by: Chafic Nassif, Date: Getting an ipath server running on Linux

Installing Joomla! on EnGarde Secure Linux HOWTO

Securing Linux. Presented by: Darren Mobley

Parallels. for your Linux or Windows Server. Small Business Panel. Getting Started Guide. Parallels Small Business Panel // Linux & Windows Server

INSTALLATION GUIDE VERSION

Detailed Revision History: Advanced Internet System Management (v5.07)

All the materials and/or graphics included in the IceThemetheme folders MUST be used ONLY with It TheCityTheme from IceTheme.com.

OpenEyes - Windows Server Setup. OpenEyes - Windows Server Setup

Powerful Online Solutions HOSTING. Price List. Surge Media Pty Ltd MAINTENANCE & SUPPORT Price List 1

NTT Web Hosting Service [User Manual]

SIMIAN systems. Setting up a Sitellite development environment on Windows. Sitellite Content Management System

Pocket E-Guide. TechTarget Data Center Media

Plesk Panel HEAnet Customer Guide

Graham Jones. Internet Psychologist. How to choose the right web host

Contents. 1. Infrastructure

Web Page Redirect. Application Note

Hardening Joomla! (MNI)

How To Manage Web Content Management System (Wcm)

Railo Installation on CentOS Linux 6 Best Practices

Transferring Your Hosting Account

Transcription:

Joomla Security - Introduction Joomla Security At The Webhost Modern web servers come in all shapes, sizes and hues, hence web server based security issues just cannot be resolved with simple, one-size-fits-all security solution. It s imperative that you, or someone you trust, learn enough about your hosting company's web server infrastructure, once done, make valid security decisions for your Joomla website. To secure your web site, you must gain real experience, or get experienced help from others. Use A Secure Webhost: Use a high-quality Webhost. Do not be fooled by offers of: unlimited bandwidth unlimited hard drive space unlimited databases unlimited email account and so on. There is a rule of thumb - "If a deal is too good to be true, it is." Nothing on Earth is unlimited -- except perhaps the gullibility of people and the greed of those who prey upon them. The following list of items may seem intimidating, but you don't have to deal with all of them at once. As you become familiar with: Linux Apache PHP MySQL HTTP And Joomla You can add various layers of security refinements for your Joomla website at webhost level. Consider hiring professional assistance if you have inadequate experience or knowledge in this area. Do ask pointed questions within Joomla! Forums, you will get great advice from peers. Just ensure that you use the most appropriate board, such as Installation, Migration and Updating, Administration and so on. 1

Choose A Really Good Quality - Hosting Provider Probably no decision is more critical to your website security than the choice of hosting company. Google for hosting companies that specialize in the hosting of Joomla based websites. Then create your own XL based comparison sheet of services versus costs. Study this, ask for advice on Joomla forums and then make an informed purchase of your website hosting spaced. Shared Server Risks If you are on a tight budget and your website does not process credit card or other confidential data, you can use shared hosting, but you must understand some of the unavoidable risks. Sloppy Server Configuration A ton of shared hosters allow Google to index the results of phpinfo(). Ensure that you don't make this mistake on your site. Ensure that you do not Use deprecated PHP settings such as - register_globals ON Have open_basedir set at all. Just for the record if phpini and register_globals are unfamiliar terms you are probably not ready to securely manage your own site. Configuring Apache Block typical exploit attempts with a.htaccess file. NOTE: This option is not enabled on all web servers. Check with your hosters if you run into problems. Using.htaccess, you can password protect sensitive directories, such as administrator, restrict access to sensitive directories by IP Address, and more depending on your webhost configuration. Joomla ships with a preconfigured.htaccess file. The file is called htaccess.txt. To use it, rename it to.htaccess and place it in the root folder of your website. NOTE: The file distributed with Joomla is called htaccess.txt. The live file on your site is called.htaccess. Hence the file your site actually uses is NOT UPDATED when you update to the latest stable version of Joomla. You have to manually make the changes to use the updated Joomla CMS core file version or you run the serious risk of having no.htaccess file mapped to the needs of the latest stable version of Joomla. Increase security by the simple process of switching from PHP4 to PHP5. 2

PHP Being Run As An Apache Module. This causes ownership issues and thus permission problems which will lead to security issues. It is better to select a hosting server that runs PHP as a cgi process (such as cgi-fcgi) along with using phpsuexec or a similar configuration. Configuring PHP Understand how to work with the php.ini file, and how PHP configurations are controlled. Study the Official List of php.ini Directives at http://www.php.net, and the well-documented default php.ini file included with every PHP install. Use PHP5 - PHP 4 is deprecated and has become obsolete. Some hosting providers still have both available on servers to support outdated scripts. Joomla requires PHP5. Use A Local php.ini File On shared servers you can't edit the main php.ini file, but you may be able to add custom, local php.ini files. If so, you'll need to copy the php.ini files to every sub-directory that requires custom settings. NOTE: Keep in mind though that local php.ini files only have an effect if your hosting server is configured to use them. This includes a php.ini file in your http_root directory. You can test whether or not these file affect your site by setting an obvious directive in the local php.ini file to see if it affects your site. Local php.ini files only affect.php files that are located within the same directory or included() or required() from those files. This means that there are normally only two Joomla! directories in which you would want to place a php.ini file. They are your http_root(your actual directory name may vary), which is where Joomla's Front-end index.php file is located. AND The Joomla! administrator directory, which is where the Back-end administrator index.php file is located. Other directories that don't have files called via the Web do not need local php.ini files. Use PHP disable_functions Use disable_functions to disable dangerous PHP functions that are not needed by your site. Here is a typical block of PHP functions that can be disabled for your Joomla! site. disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open 3

Consider Using PHP open_basedir This directive limits the files that can be opened by PHP to the specified directory-tree. This directive is NOT affected by whether Safe Mode is ON or OFF. The restriction specified with open_basedir is a prefix, not a directory name. This means that open_basedir = /dir/incl allows access to /dir/include and /dir/incls if they exist. To restrict access to only the specified directory, end with a slash. open_basedir = /home/users/you/public_html/ Additionally, if open_basedir is set it may be necessary to set PHP upload_tmp_dir configuration directive to a path that falls within the scope of open_basedir or, alternatively, add the upload_tmp_dir path to open_basedir using the appropriate path separator for the host system. open_basedir = /home/users/you/public_html:/tmp NOTE: PHP will use the system's temporary directory when upload_tmp_dir is not set or when it is set but the directory does not exist, therefore it may be necessary to add it to open_basedir as above to avoid uploading errors within Joomla. Adjust magic_quotes_gpc NOTE: This PHP feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0, hence if you are using PHP 5.4.0 and above for your Joomla website ignore this section. Adjust the magic_quotes_gpc directive as needed for your site. The safest thing to do is to turn magic_quotes_gpc off. Just for the record Joomla! ignores this setting and works fine either way. Don t Use PHP safe_mode This PHP feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0, hence if you are using PHP 5.4.0 and above for your Joomla website ignore this section. Relying on this feature is strongly discouraged. Avoid the use of PHP safe_mode. This is a valid but incomplete solution to a deeper problem and provides a false sense of security. 4

Don t Use PHP register_globals This PHP feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0, hence if you are using PHP 5.4.0 and above for your Joomla website ignore this section. If your site is on a shared server with a hosting provider that insists register_globals must be on, you should be very worried. Although you can often turn register_globals off for your own site with a local php.ini file, this adds little security as other sites on the same server remain vulnerable to attacks which can then launch attacks against your site from within the server. File Permissions If a Joomla installation is hosted on apache with mod_php, then all virtual hosts on that server run in the same context as your Joomla code. If the files are owned by some other user than 'nobody' or 'wwwrun', the safest permissions are those which prevent changes to the joomla code, unless via an authorised channel (e.g. FTP): DocumentRoot directory: 750 (e.g. /public_html) Files: 644 Directories: 755 (711 if you are paranoid, but not for directories which need to be listed) (owner: some user) With these permissions set, you will need to use FTP to update your Joomla installation. If a Joomla installation is hosted on apache with fast-cgi, suphp or cgi that runs as a different user, then you should set your permissions as follows: DocumentRoot directory: 750 (e.g. public_html) PHP files: 600 (400 if you are truly paranoid) HTML and image files: 644 (444 if you are truly paranoid) Directories: 755 (711 if you are paranoid, but not for directories which need to be listed) Here are a few essential guidelines for securing any website Joomla based or otherwise. Following them will protect you from most catastrophes. Back Up Regularly The most important disaster recovery rule: Thou shalt at all times be able to return your site to a previous working state through regular use of a strong, off-site backup and recovery process. Be sure your backup and recovery process is in place and tested BEFORE you go live. This is the single best way (and often the only way) to recover from such inevitable catastrophes. Set up a regular backup and recovery process. When done well, this ensures that you can recover from almost any imaginable disaster. 5

Keep The Joomla CMS Core Updated Also promptly Update any third-party extensions installed on the site. This ensures that your Joomla site is protected from the newest vulnerabilities as soon as a fix is released and from the latest attack methods as soon as a defense is developed. The Bad News There is no perfect ( 100% ) security on the Internet. Do not read - perfect security - in Joomla's award winning, ease-of-use, very best CMS statements. Maintaining a secure web site on the Internet is not simple. Maintaining adequate website security requires ever-expanding range of skills and knowledge, constant watchfulness, and a robust backup and recovery process. The Good News Even a beginner can apply some sensible, basic, security to their website. If you are reading this article before your site is hacked, Congratulations!!!. You're already ahead of the rest. It's not as hard as it looks If this is one of your first websites, security issues may seem overwhelming, but you don't have to deal with all of them at once. Start with the most critical issues. As you become more familiar with tools and techniques, add refinements to your set of security tactics. You can get help If you believe your website was attacked. Just ask for help on the many Joomla forums on the Internet. There really are helpful people ( as well as cut throats ) on the web. Thank goodness the ration is 95s:5. The painful truth is... Security is a moving target, so today's expert might be tomorrow's victim... Just in case you would like us to harden your Joomla website for you do http://www.opensourcevarsity.com/contact-us. 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information