CMS Security - Ruth Cheesley - CMS Africa 2014


This talk was delivered at the first CMS Africa summit in Nairobi, Kenya which was held between 7-8 March 2014. The talk explores basic security precautions to take when considering using a Content Management System.

Published in: Technology
  • Good afternoon, and thank you for inviting me to speak at CMS Africa.
    Joomla! Community Leadership Team for just over a year.
    User Group team.
    Marketing Working Group.
    Experiences within open source communities, particularly around the topic of getting more women involved in technology.
    Passionate about promoting science, technology, engineering and maths (STEM) as an exciting and interesting career choice for women.
  • Security starts before you even get to installing the CMS; it starts when you select a hosting provider.
    - Hosting
    - Experience with CMSs
    - Linux based (personal preference)
    - Security practices
    - Trust
    - Working with contractors
    - Extensions: refer to the Joomla! docs/JCM for more detail
  • It's important to understand how file and folder permissions work. Use the best practices for your CMS; don't compromise on this because your hosting environment isn't set up properly.
  • Passwords
    Updates
    Vulnerable extensions
    Viruses/compromise
  • It's your job to stay up to date with security updates
    Make sure that you sign up for updates from extensions and template providers
    Keep up to date with CMS core updates, apply them.
    This is your responsibility as web developer. If you use a CMS, you take the responsibility for keeping it secure.
  • Sell the CMS with the understanding that clients need to update
    Opportunity – sell them training
    Opportunity – sell a support contract
    Be clear. Be responsible. If they aren't willing to do updates themselves, or pay you to do it, walk away.
  • Keep up to date with new developments.
    Things are changing all the time; you have to keep up with these changes by keeping your CMS up to date (and/or by getting involved in open source projects to bring these new features to your CMS).
  • How many people have 2 factor authentication enabled?
    Use YubiKeys or a mobile phone app (Google Authenticator).
    Easy to implement, easy to explain: something you know (a password) and something you have (a unique one-time password).
  • Problems with spam?
    Admin Tools for Joomla!
    Project Honeypot
    Stop Forum Spam
    Look out for malicious activity and block it before it gets to your site.
    Hide the admin panel.
  • Sooner or later, with all the best security, you will have a disaster happen.
    Client deletes site, server gets compromised, site gets compromised.
  • CMS Security - Ruth Cheesley - CMS Africa 2014

    1. CMS Security. Ruth Cheesley - @RCheesley
    2. Laying the foundations
    3. Understand permissions
    4. Understand permissions
       - World (the world, the universe, and everything)
       - Group (a set of users)
       - Owner (owns the file)
    5. Understand permissions
       - Read (r): can view the file. chmod +r / -r. Numerical value = 4.
       - Write (w): can make changes or modify the file. chmod +w / -w. Numerical value = 2.
       - Execute (x): can run the file (generally applicable at the command line). chmod +x / -x. Numerical value = 1.
       NOTE: folders cannot be listed, and the files within them can't be accessed, if the folder does not have execute permissions.
    6. Joomla! permissions
                     Owner                           Group                   World
       Directories   7 (Read + Write + Execute) rwx  5 (Read + Execute) r-x  5 (Read + Execute) r-x
       Files         6 (Read + Write) rw-            4 (Read) r--            4 (Read) r--
    7. Your weakest link © James Steidl -
    8. Keep up to date © iQoncept -
    9. Sell ethically to your clients © puckillustrations -
    10. Modern security practices © James Steidl -
    11. Implement 2 Factor Authentication
    12. Web application firewalls
    13. Test your backups
    14. Plan for disaster
    15. To find more information: Ruth Cheesley - @RCheesley
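Slides 4 to 6 explain the owner/group/world permission bits and the 755/644 modes Joomla! recommends. The script below is an added example, not part of the talk or of Joomla!, that turns those slides into a check a developer can run on a web root: it audits a tree for directories that are not 755, files that are not 644 and anything world-writable, then applies the recommended modes. The mini site it builds in a temporary directory (`configuration.php`, `images/logo.png`) is constructed for the demo; symlinks are deliberately skipped so a link pointing outside the web root is never modified.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Recommended modes from the slide: 755 for directories, 644 for files.
DIR_MODE = 0o755
FILE_MODE = 0o644


def audit_tree(root: str) -> List[Tuple[str, str, str]]:
    """Return (path, octal mode, reason) for every directory or file whose mode
    differs from the recommended one; an empty list means the tree is clean."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, DIR_MODE)]
        entries += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, expected in entries:
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode != expected:
                reason = "world-writable" if mode & stat.S_IWOTH else "unexpected mode"
                findings.append((path, oct(mode)[2:], reason))
    return findings


def harden_tree(root: str) -> int:
    """Apply 755 to directories and 644 to regular files.
    Returns the number of entries changed. Symlinks are skipped."""
    changed = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        targets = [(dirpath, DIR_MODE)]
        targets += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, wanted in targets:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if stat.S_IMODE(st.st_mode) != wanted:
                os.chmod(path, wanted)
                changed += 1
    return changed


def demo() -> Tuple[int, int, int]:
    """Build a constructed mini site with two bad modes, audit, harden, re-audit.
    Returns (findings before, entries changed, findings after)."""
    root = tempfile.mkdtemp(prefix="cms_perm_demo_")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "configuration.php"), "w") as fh:
        fh.write("<?php // constructed placeholder, not a real Joomla! config\n")
    with open(os.path.join(root, "images", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG placeholder")
    os.chmod(root, 0o777)                                      # world-writable web root
    os.chmod(os.path.join(root, "configuration.php"), 0o666)   # world-writable config
    os.chmod(os.path.join(root, "images"), 0o755)              # already correct
    os.chmod(os.path.join(root, "images", "logo.png"), 0o644)  # already correct
    before = len(audit_tree(root))
    changed = harden_tree(root)
    after = len(audit_tree(root))
    return before, changed, after


if __name__ == "__main__":
    print("findings before / changed / findings after:", demo())
```

Run `audit_tree` on a live site before `harden_tree` and read the findings: a writable-for-everyone `configuration.php` is exactly the case the slide's "don't compromise on this" warning is about, and some hosts need a cache or upload directory left writable by the web server user, which the audit will list so you can decide deliberately rather than by accident.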